FR: Add Cloud NGFW Essential capability with optional Standard or Enterprise based IPS in the TEF 3-networks-hub-and-spoke folder and associated terraform-google-modules

[fmichaelobrien]

20240515
See ngfw terraform support

• Add new resource to support firewall plus (NGFW Enterprise) hashicorp/terraform-provider-google#15779
• adds NGFW support for google_network_security_tls_inspection_policy resource hashicorp/terraform-provider-google#18139
• Add new resources to support Service Extensions callouts for Cloud Load Balancing hashicorp/terraform-provider-google#17491

shadow
terraform-google-modules/terraform-example-foundation#1183
see
GoogleCloudPlatform/pubsec-declarative-toolkit#616

• Move NGFW resources to GA hashicorp/terraform-provider-google#17865
• https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/wiki/Design-Issues#di3-20240506-ngfw--firewall-teraform-module
  can be a direct copy/overlay on 3-networks-hub-and-spoke or a pluggable architecture where we can use any of the 3 - transitive VMs, Fortigates ( Overlay fortigate NGFW dual LB example into 3-networks-hub-and-spoke #389) or GCP NFGW

TL;DR

A request by a large federal client for IDS or NGFW (formerly Firewall+) capabilities in the TEF that includes GPS(Standard) IPS(Enterprise) and micro segmentation

Pull out the default transitivity NVA VMs in 3-n-h-a-s and overlay NGFW

Optional: modularize around 3rd party NGFW like #389

Add GCP Cloud NGFW (Firewall plus)
NGFW https://cloud.google.com/security/products/firewall?hl=en#cloud-ngfw-tiers
NGFW https://cloud.google.com/firewall/docs/about-firewalls
NGFW enterprise with IPS https://cloud.google.com/firewall/docs/about-intrusion-prevention
https://www.paloaltonetworks.com/blog/network-security/netsec-google-cloud-firewall-plus/
likely location next to https://github.com/terraform-google-modules/terraform-example-foundation/tree/master/3-networks-hub-and-spoke/modules/hierarchical_firewall_policy

Links

GCP Firewall plus - https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-firewall-plus-with-intrusion-prevention
config connector IDS version https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/main/solutions/ids
Palo Alto VM Series NGFW https://cloud.google.com/architecture/partners/palo-alto-networks-ngfw
PA VM Series NGFW example https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/google/latest/examples/standalone_vmseries_with_metadata_bootstrap
IDS https://cloud.google.com/security/products/intrusion-detection-system?hl=en
https://github.com/GoogleCloudPlatform/terraform-google-network-forensics
standard firewall https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall
Fortinet based Fortigate NGFW https://github.com/fortinet/fortigate-tutorial-gcp

Terraform Resources

No response

Detailed design

No response

Additional information

No response

[fmichaelobrien]

see https://github.com/terraform-google-modules/terraform-google-network/tree/master/modules/network-firewall-policy
see hashicorp/terraform-provider-google#17030
b/321386368

[fmichaelobrien]

Video on Google NGFW from Ryan https://www.youtube.com/watch?v=OCqnf2E6zn0

[fmichaelobrien]

See ngfw terraform support

• Add new resource to support firewall plus (NGFW Enterprise) hashicorp/terraform-provider-google#15779
• adds NGFW support for google_network_security_tls_inspection_policy resource hashicorp/terraform-provider-google#18139

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days