Console
    Start free

    Create organization network policies

    An organization network policy defines the network access control for organization-level managed services exposed through Google Distributed Cloud (GDC) air-gapped. You can define these access controls using the OrganizationNetworkPolicy resource from the Networking API .

    To get the permissions you need to configure the organization network policy, ask your Organization Identity and Access Management (IAM) Admin to grant you the Org Network Policy Admin ( org-network-policy-admin ) role.

    You can define an organization network policy for access controls for the following GDC managed services:

    Default policy

    By default, the following GDC managed services have the following principles:

    GDC service Principle
    All services allow-all
    GDC console allow-all
    gdcloud CLI allow-all
    Global API server deny-by-default
    KMS deny-by-default
    Object storage deny-by-default
    Vertex AI and supported services deny-by-default

    Example organization network policy

    The following is an example of an OrganizationNetworkPolicy resource that allows traffic from an IP address to access a GDC managed service.

     kubectl  
--kubeconfig  
 MANAGEMENT_API_SERVER 
  
apply  
-f  
-  
<<EOF
apiVersion:  
networking.gdc.goog/v1
kind:  
OrganizationNetworkPolicy
metadata:  
name:  
 POLICY_NAME 
  
namespace:  
platform
spec:  
subject:  
services:  
matchTypes:  
-  
 " SERVICE_NAME 
" 
  
ingress:  
-  
from:  
-  
ipBlock:  
cidr:  
 IP_ADDRESS 
  
-  
ipBlock:  
cidr:  
 IP_ADDRESS 
EOF

    Replace the following variables:

    Variable
    Description
    MANAGEMENT_API_SERVER
    The zonal API server's kubeconfig path. If you have not yet generated a kubeconfig file for the API server in your targeted zone, see Sign in for details.
    POLICY_NAME
    The name to give the policy.

    For example, allow-ui-access .
    SERVICE_NAME
    The name of the service to apply the policy. Use the following values for each service:
    • All services : all
    • GDC console : ui-console
    • gdcloud CLI : api-server
    • Global API server : global-api-server
    • KMS : kms
    • Object storage : object-storage
    • Vertex AI : ai
    .
    IP_ADDRESS
    The IP address to allow access. For example, 10.251.0.0/24 . You can also add multiple IP addresses by defining more than one ipBlock fields for each IP address.
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: