Firewall Rules Logging
Start course
1h 20m

This Course explores how to implement virtual private clouds on the Google Cloud Platform. It starts off with an overview, where you'll be introduced to the key concepts and components that make up a virtual private cloud.

After covering basic VPC concepts and components, we'll dive into peering VPCs, shared VPCs, and VPC flow logs, including a hands-on demonstration of how to configure flow logs. We’ll also look at routing and network address translation, before moving on to Google Kubernetes Engine clusters. We’ll cover VPC-native clusters and alias IPs, as well as clustering with shared VPCs.

You’ll learn how to add authorized networks for GKE cluster master access and we finish off by looking at firewall rules. We’ll cover network tags, service accounts, and the importance of priority. You’ll also learn about ingress rules, egress rules, and firewall logs.

If you have any feedback related to this Course, feel free to contact us at

Learning Objectives

  • Get a foundational understanding of virtual private clouds on GCP
  • Learn about VPC peering and sharing
  • Learn about VPC flow logs and how to configure them
  • Learn about routing in GCP and how to configure a static route
  • Understand the pros and cons of VPC-native GKE clusters
  • Learn about cluster network policies
  • Understand how to configure and manage firewall rules in GPC

Intended Audience

This Course is intended for anyone who wants to learn how to implement virtual private clouds on the Google Cloud Platform.


To get the most from this Course, you should already have experience with the public cloud and networking, as well as an understanding of GCP architecture.


Hello and welcome to firewall rules logging. In this lesson, we will take a look at what firewall rules logging offers and how to do it. 

As you add and configure more and more firewall rules, or even if you have just a few, you may find that you need to audit and analyze the effects of those firewall rules. Firewall rules logging allows you to do just that. You can even use firewall rules logging to identify how many different connections are being affected by a specific rule. This can certainly help when troubleshooting communications issues that might be caused by an errant firewall rule. 

To use firewall rules logging, you enable it for whichever firewall rule you wish to log. You can use firewall rules logging to log connections for both ingress and egress rules and for rules with an allow action or a deny action.

Enabling logging for a specific firewall rule will cause Google cloud to create an entry called a connection record every time the logged rule allows traffic or denies traffic. Using Cloud Logging, you can then view and export those records. Records can be exported to any destination supported by cloud logging export. The connection records that are recorded each contain the source IP address, the destination IP address, any applicable protocols and ports, the date and time of the action, and a notation regarding which firewall rule was applied to the logged traffic.

It’s important to note that firewall rules logging can only be enabled for rules in a virtual private cloud network. You cannot use firewall rules logging for legacy networks. I should also point out that firewall rules logging will only record TCP connections and UDP connections. This means that although you can create firewall rules that apply to other protocols, you will not be able to log connections using those protocols.

Another limitation that often trips people up is the fact that firewall rules logging cannot be enabled for any implied deny ingress rules nor any implied allow egress rules. Keep that in mind if you come across a question centered around firewall rules logging and implied rules.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.