This page explains how to control the network traffic flow between Pods and
Services using firewall rules at the Pod level.
Network policies for
applicationshelp you define
communication traffic rules between Pods. It controls how Pods communicate with
each other within their applications and with external endpoints. You can enable
network policy on Pod-networks in Google Kubernetes Engine (GKE) Enterprise edition clusters that have
multi-network enabled. You can enforce network policies on additional Pod
interfaces that correspond to user-specified Pod-networks.
Why use multi-network network policies
You might want to use multi-network network policies in the following
scenarios:
Enhanced network security: You want to isolate and protect
sensitive workloads or data by defining network policies for specific
Pod-networks. Multi-networking network policies limit exposure and reduce
the attack surface.
Fine-grained traffic control: You want to achieve precise control
over traffic flow between Pods and Services on different Pod-networks,
allowing for complex network topologies and security requirements.
Multi-tenant environments: You want to create isolated networks
for different tenants or applications, ensuring they can't interfere with
each other's communication, while maintaining control over network access
within each Pod-network.
Optimize resource utilization: You want to implement network
policies on specific Pod-networks to efficiently allocate resources and
prioritize traffic based on application requirements, improving performance
and reliability.
Security for Containerized Network Functions (CNFs): You want to
segregate management traffic from dataplane traffic within the same Pod,
preventing potential security breaches and unauthorized access.
How multi-network network policies work with Pod-networks
The following diagram illustrates how network policies, applied to specific
Pod-networks using annotations, control traffic flow between Pods within a
GKE cluster.
The preceding diagram shows multiple worker nodes running Pods (containerized
applications) and how they communicate within the same node or across different
nodes using the network infrastructure. It also illustrates the use of network
policies to control traffic flow and the segmentation of the network using
VPCs and subnets for enhanced security and organization.
Isolates traffic with targeted Network Policies: The network policies
only affect traffic on the "blue" Pod-network because of the annotationnetworking.gke.io/network: blue-Pod-network. Traffic on the default
Pod-network remains unrestricted.
Enforces one-way traffic with Pod-network policies: In the preceding
diagram, network policies allow Pod1 to send traffic to Pod2 on the "blue"
Pod-network. Pod2 can't send traffic back to Pod1 on the same network. The
network policy for Pods labeled 'test-app-2' functions as a one-way channel.
It specifically allows outgoing traffic only towards Pods labeled
'test-app-3', preventing communication with other Pods like 'test-app-1'.
Allows outgoing traffic by default: If no egress policy is defined for a
Pod (Pod1 in this example), all outgoing traffic is allowed by
default on the "blue" network interface.
Ensures existing features compatibility: All standard GKE
network policy options like label selectors and IP address blocks work with
multi-network network policies.
Controls network policy scope with annotations:
If you create a network policy without annotation, GKE
applies multi-network network policies to all network interfaces on
the Pods in the selected namespace, regardless of which Pod-networks
they are connected to.
If you include the annotation and specify the name of a valid
Pod-network (for example,networking.gke.io/network: blue-Pod-network),
GKE applies the policy to Pods connected to that specific
Pod-network.
If the annotation references the Pod-network that doesn't actually exist
in your cluster, GKE doesn't apply the network policy to
any Pods at all. This is because no Pods are connected to the specified
non-existent network.
Maintains cross-network communication for Pods with multiple network
interfaces: If you apply a network policy to restrict traffic on a
specific Pod-network within a Pod, it won't affect the traffic on other
Pod-networks connected to the same Pod.
Benefits
Following are the benefits in using multi-network network policies:
Improved Security: You can mitigate risks associated with unauthorized
access and lateral movement within the GKE cluster by
applying network policies at a granular level.
Flexibility and Customization: You can tailor network policies to meet
your specific security and traffic management needs for different
Pod-networks by accommodating diverse workloads and applications.
Simplified Network Management: You can avoid creating excessive
Pod-networks and have fine-grained control over communication by using
network policies, simplifying network management, and reducing complexity.
Cost Optimization: By avoiding the need to create numerous Pod-networks,
you can optimize resource utilization and reduce costs associated with
network infrastructure.
Enhanced Protection for CNFs: You can ensure the security and integrity
of CNF deployments by isolating management and dataplane traffic, and by
applying specific network policies to each deployment.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# About multi-network network policies\n\n[Standard](/kubernetes-engine/docs/concepts/choose-cluster-mode)\n\n*** ** * ** ***\n\n|\n| **Preview**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nThis page explains how to control the network traffic flow between Pods and\nServices using firewall rules at the Pod level.\n\n[Network policies for\napplications](/kubernetes-engine/docs/tutorials/network-policy) help you define\ncommunication traffic rules between Pods. It controls how Pods communicate with\neach other within their applications and with external endpoints. You can enable\nnetwork policy on Pod-networks in Google Kubernetes Engine (GKE) Enterprise edition clusters that have\nmulti-network enabled. You can enforce network policies on additional Pod\ninterfaces that correspond to user-specified Pod-networks.\n\nWhy use multi-network network policies\n--------------------------------------\n\nYou might want to use multi-network network policies in the following\nscenarios:\n\n- **Enhanced network security**: You want to isolate and protect\n sensitive workloads or data by defining network policies for specific\n Pod-networks. Multi-networking network policies limit exposure and reduce\n the attack surface.\n\n- **Fine-grained traffic control**: You want to achieve precise control\n over traffic flow between Pods and Services on different Pod-networks,\n allowing for complex network topologies and security requirements.\n\n- **Multi-tenant environments**: You want to create isolated networks\n for different tenants or applications, ensuring they can't interfere with\n each other's communication, while maintaining control over network access\n within each Pod-network.\n\n- **Optimize resource utilization**: You want to implement network\n policies on specific Pod-networks to efficiently allocate resources and\n prioritize traffic based on application requirements, improving performance\n and reliability.\n\n- **Security for Containerized Network Functions (CNFs)**: You want to\n segregate management traffic from dataplane traffic within the same Pod,\n preventing potential security breaches and unauthorized access.\n\nHow multi-network network policies work with Pod-networks\n---------------------------------------------------------\n\nThe following diagram illustrates how network policies, applied to specific\nPod-networks using annotations, control traffic flow between Pods within a\nGKE cluster.\n\nThe preceding diagram shows multiple worker nodes running Pods (containerized\napplications) and how they communicate within the same node or across different\nnodes using the network infrastructure. It also illustrates the use of network\npolicies to control traffic flow and the segmentation of the network using\nVPCs and subnets for enhanced security and organization.\n\n1. **Isolates traffic with targeted Network Policies** : The network policies only affect traffic on the \"blue\" Pod-network because of the annotation `networking.gke.io/network: blue-Pod-network`. Traffic on the default Pod-network remains unrestricted.\n2. **Enforces one-way traffic with Pod-network policies**: In the preceding diagram, network policies allow Pod1 to send traffic to Pod2 on the \"blue\" Pod-network. Pod2 can't send traffic back to Pod1 on the same network. The network policy for Pods labeled 'test-app-2' functions as a one-way channel. It specifically allows outgoing traffic only towards Pods labeled 'test-app-3', preventing communication with other Pods like 'test-app-1'.\n3. **Allows outgoing traffic by default**: If no egress policy is defined for a Pod (Pod1 in this example), all outgoing traffic is allowed by default on the \"blue\" network interface.\n4. **Ensures existing features compatibility**: All standard GKE network policy options like label selectors and IP address blocks work with multi-network network policies.\n5. **Controls network policy scope with annotations** :\n 1. If you create a network policy without annotation, GKE applies multi-network network policies to all network interfaces on the Pods in the selected namespace, regardless of which Pod-networks they are connected to.\n 2. If you include the annotation and specify the name of a valid Pod-network (for example, `networking.gke.io/network: blue-Pod-network`), GKE applies the policy to Pods connected to that specific Pod-network.\n 3. If the annotation references the Pod-network that doesn't actually exist in your cluster, GKE doesn't apply the network policy to any Pods at all. This is because no Pods are connected to the specified non-existent network.\n6. **Maintains cross-network communication for Pods with multiple network\n interfaces**: If you apply a network policy to restrict traffic on a specific Pod-network within a Pod, it won't affect the traffic on other Pod-networks connected to the same Pod.\n\nBenefits\n--------\n\nFollowing are the benefits in using multi-network network policies:\n\n- **Improved Security**: You can mitigate risks associated with unauthorized\n access and lateral movement within the GKE cluster by\n applying network policies at a granular level.\n\n- **Flexibility and Customization**: You can tailor network policies to meet\n your specific security and traffic management needs for different\n Pod-networks by accommodating diverse workloads and applications.\n\n- **Simplified Network Management**: You can avoid creating excessive\n Pod-networks and have fine-grained control over communication by using\n network policies, simplifying network management, and reducing complexity.\n\n- **Cost Optimization**: By avoiding the need to create numerous Pod-networks,\n you can optimize resource utilization and reduce costs associated with\n network infrastructure.\n\n- **Enhanced Protection for CNFs**: You can ensure the security and integrity\n of CNF deployments by isolating management and dataplane traffic, and by\n applying specific network policies to each deployment.\n\nWhat's next\n-----------\n\n[Control traffic flow between Pods and Services at Pod level](/kubernetes-engine/docs/how-to/control-traffic-between-Pods-Services)"]]
