Google Cloud NGFW Tutorial

mmclimans — Mon, 16 Jun 2025 19:47:01 GMT

This tutorial shows how to deploy and prevent threats with Google Cloud NGFW Enterprise, a native Google Cloud service powered by Palo Alto Networks Threat Prevention technologies.

ℹ️ Note

For the most recent version of this guide, please see the Google Cloud NGFW Enterprise Tutorial Github repository.

Cloud NGFW Enterprise is a fully distributed firewall service with advanced protection capabilities to protect your Google Cloud workloads from internal & external threats, including: intrusion, malware, spyware, and command-and-control. The service works by creating Google-managed zonal firewall endpoints that use packet intercept technology to transparently intercept workload traffic for deep packet inspection.

Architecture

Requirements

The following outline the required tools and IAM roles to complete this tutorial.

Tools

Access to Google Cloud Shell, or a local machine with a Terraform or gcloud installation.
A Google Cloud project to host the deployment.
A Google Cloud billing project.

Ability Level Roles

Create/modify/view firewall endpoints, endpoint associations, security profiles, and security profile groups.

Organization

compute.networkAdmin
compute.networkUser
compute.networkViewer

Create/modify/view global network firewall policies and view effective rules for VPC networks and virtual machines.

Project

compute.securityAdmin
compute.networkAdmin
compute.networkViewer
compute.viewer
compute.instanceAdmin

compute.instanceAdmin

For more information, please see:

Topology

In this tutorial, a VPC network contains two virtual machines, client-vm & web-vm. The client-vm simulates threats for both north/south internet traffic and east/west traffic to a web application on the web-vm.

To prevent the malicious traffic, a Cloud NGFW endpoint is created and associated to the network, where network firewall policies define how the traffic should be inspected by Cloud NGFW.

Topology

Prepare for deployment

Enable the required APIs, retrieve the deployment files, and configure the environment variables.

ℹ️ Important

This tutorial assumes you are using Cloud Shell to provision all resources.

1. Open Google Cloud Shell and enable the required APIs.

gcloud services enable compute.googleapis.com gcloud services enable networksecurity.googleapis.com gcloud services enable firewallinsights.googleapis.com

2. Set environment variables for your deployment project and billing project.

export PROJECT_ID=YOUR_PROJECT_ID export BILLING_ID=YOUR_BILLING_PROJECT_ID

3. Set environment variables for your organization ID, deployment region, zone, and naming prefix.

export ORG_ID=$(gcloud projects describe $PROJECT_ID --format=json | jq -r '.parent.id') export REGION=us-central1 export ZONE=us-central1-a export PREFIX=panw

Select Deployment Option

Select a deployment option. Both options deploy identical environments.

Option 1. Deploy using Terraform
- All of the cloud resources required for the tutorial are deployed using a single Terraform plan.
Option 2. Deploy using gcloud
- Each cloud resource is deployed individually using gcloud.

After deploying the resources, continue with the guide on the Github repository to complete the tutorial. For any issues related to the tutorial, kindly submit a pull request.

More Information

Please see the materials below for more information about the topics discussed in this tutorial.

article Google Cloud NGFW Tutorial in General Articles

Google Cloud NGFW Tutorial

Requirements

Tools

Topology

Prepare for deployment

Select Deployment Option

More Information