FQDN filtering in Cloud Next Generation Firewall

In Google Cloud NGFW Standard, FQDN objects let users write firewall rules by domain name instead of by IP address

Hierarchical, global, and regional firewall policies can govern domain traffic using FQDN objects

Cloud NGFW regularly refreshes the FQDN objects referenced by firewall policy rules with the latest name resolution results, following Cloud DNS's VPC name resolution order

Cloud DNS sends DNS updates to Cloud NGFW. Because these updates match what the VMs themselves resolve, egress control remains dependable

The firewall policy treats FQDN objects as Layer 3 entities: the rule applies to the resolved IP address itself, so if several domain names resolve to the same address, traffic to that address matches regardless of which name was used

To maintain consistent enforcement even when DNS records change, include all aliases in egress firewall policy rules for domains with CNAMEs

IPv4 and IPv6 addresses are limited to 32 per domain name. When a DNS lookup returns more than 32 addresses, only the first 32 IPv4 or IPv6 addresses are used

Thus, do not include domain names that resolve to more than 32 IPv4 and IPv6 addresses in ingress firewall policy rules
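The CNAME alias guidance and the 32-address cap above are easy to violate silently. The following added example (not Google's code, nor from the Cloud NGFW documentation) models both checks over constructed DNS data: it follows a CNAME chain, applies the per-family cap of 32 as described above (assumed to mean the first 32 IPv4 and the first 32 IPv6 addresses), and reports which aliases a rule is missing. The domain names and addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass, field

# Per-family cap on addresses enforced for one FQDN object (from the text above).
MAX_ADDRS_PER_FAMILY = 32


@dataclass
class FqdnRuleCheck:
    fqdn: str
    enforced_v4: list = field(default_factory=list)   # addresses the rule will actually cover
    enforced_v6: list = field(default_factory=list)
    truncated: bool = False                           # True if any addresses were dropped by the cap
    missing_aliases: list = field(default_factory=list)  # CNAME chain names absent from the rule


def resolve_chain(name, cname_records):
    """Follow CNAME records from name to the canonical name; return every name visited."""
    chain, seen = [name], {name}
    while chain[-1] in cname_records:
        nxt = cname_records[chain[-1]]
        if nxt in seen:          # defensive: stop on a CNAME loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def check_fqdn_rule(fqdn, rule_fqdns, cname_records, a_records):
    """Model what the firewall would enforce for one FQDN listed in a rule."""
    chain = resolve_chain(fqdn, cname_records)
    addrs = [ipaddress.ip_address(a) for a in a_records.get(chain[-1], [])]
    v4 = [str(a) for a in addrs if a.version == 4]
    v6 = [str(a) for a in addrs if a.version == 6]
    res = FqdnRuleCheck(fqdn=fqdn)
    res.enforced_v4 = v4[:MAX_ADDRS_PER_FAMILY]       # only the first 32 of each family survive
    res.enforced_v6 = v6[:MAX_ADDRS_PER_FAMILY]
    res.truncated = len(v4) > MAX_ADDRS_PER_FAMILY or len(v6) > MAX_ADDRS_PER_FAMILY
    res.missing_aliases = [n for n in chain[1:] if n not in rule_fqdns]
    return res


def audit_rule(rule_fqdns, cname_records, a_records):
    """Check every FQDN in a rule; return only the entries that need attention."""
    results = [check_fqdn_rule(f, rule_fqdns, cname_records, a_records) for f in sorted(rule_fqdns)]
    return [r for r in results if r.truncated or r.missing_aliases]


# Constructed sample DNS data (RFC 5737 / RFC 3849 documentation ranges).
CNAME_RECORDS = {"app.example.com": "app-cdn.example.net", "app-cdn.example.net": "edge.example.org"}
A_RECORDS = {
    "edge.example.org": [f"203.0.113.{i}" for i in range(1, 41)] + ["2001:db8::1"],  # 40 IPv4 > cap
    "api.example.com": ["198.51.100.10"],
}

if __name__ == "__main__":
    for r in audit_rule({"app.example.com", "api.example.com"}, CNAME_RECORDS, A_RECORDS):
        print(r.fqdn, "truncated" if r.truncated else "", "missing:", r.missing_aliases)
```

A rule that lists only `app.example.com` would enforce just 32 of the 40 IPv4 addresses and none of the intermediate aliases; adding `app-cdn.example.net` and `edge.example.org` to the rule clears the alias finding, while the truncation finding means that name should stay out of ingress rules.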