This page describes how to get started with Forseti Enforcer. Enforcer compares policy files that define the desired state of a resource against the current state of the resource. If it finds any differences in policy, Enforcer makes changes using Google Cloud APIs.
Enforcer code currently supports Compute Engine firewall rules. Additional enforcement endpoints are in development.
Enforcer requires write permissions for the resources that it manages. When you set up Forseti using the installer, a service account is created and granted write access to update firewalls on any project in your organization.
This write access is only available from the Forseti Server. It isn’t available from the Forseti Client and its command-line interface (CLI).
To use Enforcer, you define policies in a JSON-formatted rule list and then run the forseti_enforcer tool, referencing a local or Cloud Storage policy file.
Enforcer policy files are JSON formatted rule lists that apply to a project. Each rule must include all required fields, based on the rule direction. To learn more, see the Compute Engine Firewall documentation.
If a rule doesn't include a network name, it's applied to every network configured on the project, and the network name is prepended to the rule name for each copy.
Following is an example firewall policy that can be applied by Enforcer to only allow:
- SSH from anywhere
- Traffic from the load balancer and health check ranges to VM instances
- Internal TCP, UDP, and ICMP traffic between VMs
[
  {
    "sourceRanges": ["0.0.0.0/0"],
    "description": "Allow SSH from anywhere",
    "direction": "INGRESS",
    "allowed": [
      {
        "IPProtocol": "tcp",
        "ports": ["22"]
      }
    ],
    "name": "allow-ssh"
  },
  {
    "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"],
    "description": "Allow traffic from load balancer and health checks to reach VM instances",
    "direction": "INGRESS",
    "allowed": [
      {
        "IPProtocol": "tcp",
        "ports": ["80", "443"]
      }
    ],
    "name": "allow-health-check"
  },
  {
    "sourceRanges": ["10.0.0.0/8"],
    "description": "Allow internal only",
    "direction": "INGRESS",
    "allowed": [
      {
        "IPProtocol": "tcp",
        "ports": ["0-65535"]
      },
      {
        "IPProtocol": "udp",
        "ports": ["0-65535"]
      },
      {
        "IPProtocol": "icmp"
      }
    ],
    "name": "allow-internal"
  }
]
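As an added illustration (not Forseti's own code), the following Python models two points from the text above: how a rule that names no network is expanded to every network on the project with the network name prepended, and how the desired state in a policy file is compared with the project's current firewall rules to decide what to insert, update, or delete. The required-field check, the hyphen separator in expanded names, and the sample rules are assumptions constructed for this example.

```python
import json
# Simplified required-field model (an assumption for this example, not the Forseti
# rules): name, direction and allowed/denied are always needed; INGRESS rules need
# sourceRanges and EGRESS rules need destinationRanges.
REQUIRED_BY_DIRECTION = {"INGRESS": "sourceRanges", "EGRESS": "destinationRanges"}

def validate_rule(rule):
    """Return the problems found in one policy rule (empty list if it passes)."""
    problems = [f"missing {f}" for f in ("name", "direction") if f not in rule]
    needed = REQUIRED_BY_DIRECTION.get(rule.get("direction"))
    if needed is None:
        problems.append(f"unknown direction {rule.get('direction')!r}")
    elif needed not in rule:
        problems.append(f"{rule['direction']} rule needs {needed}")
    if not (rule.get("allowed") or rule.get("denied")):
        problems.append("rule needs allowed or denied")
    return problems

def expand_policy(policy_text, project_networks):
    """Parse a JSON rule list and apply the network rule from the text above: a
    rule that names no network is copied to every network on the project, with
    the network name prepended (the hyphen separator is an assumption)."""
    expanded = []
    for rule in json.loads(policy_text):
        if rule.get("network"):
            expanded.append(rule)
        else:
            expanded.extend(dict(rule, network=net, name=f"{net}-{rule['name']}")
                            for net in project_networks)
    return expanded

def plan_changes(desired, current):
    """Model the desired-vs-current comparison: names to insert, update, delete."""
    want = {r["name"]: r for r in desired}
    have = {r["name"]: r for r in current}
    insert = sorted(set(want) - set(have))
    update = sorted(n for n in want if n in have and want[n] != have[n])
    delete = sorted(set(have) - set(want))
    return insert, update, delete

# Constructed sample: a policy in the same shape as the example above, and a
# constructed snapshot of the rules the project currently has.
POLICY = '''[{"sourceRanges": ["10.0.0.0/8"], "direction": "INGRESS", "name": "allow-internal",
  "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}]},
 {"sourceRanges": ["0.0.0.0/0"], "direction": "INGRESS", "name": "allow-ssh",
  "network": "default", "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}]'''
CURRENT = [{"name": "default-allow-internal", "network": "default", "direction": "INGRESS",
            "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}]},
           {"name": "default-allow-rdp", "network": "default", "direction": "INGRESS",
            "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]}]
```

Running plan_changes(expand_policy(POLICY, ["default", "prod"]), CURRENT) reports the over-broad default-allow-internal rule as an update, the unmanaged default-allow-rdp rule as a delete, and the missing SSH and prod copies as inserts.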
To run Enforcer with a local policy file, run the following command on the server instance:
forseti_enforcer --enforce_project PROJECT_ID \
--policy_file path/to/policy.json
To run Forseti Enforcer with a policy file stored in Cloud Storage, such as gs://my-project-id/firewall-policies/default.json, run the following command on the server instance:
forseti_enforcer --enforce_project PROJECT_ID \
--policy_file gs://my-project-id/firewall-policies/default.json