Reserving a Static External IP Address

This page explains how to configure and manage static external IP addresses for your resources, including:

  • Reserving and assigning a static external IP address
  • Promoting an ephemeral external IP address to a static external IP address

In Compute Engine, each VM instance can have multiple network interfaces. Each interface can have both internal and external IP addresses. Forwarding rules can have external IP addresses for external load balancing or internal addresses for internal load balancing. To learn about IP addresses, read the IP Addresses documentation.

This document does not explain how to reserve and manage internal IP addresses. To reserve a static internal IP address, read Reserving a Static Internal Address.

Before you begin

Reserving a new static external IP address

A static external IP address is an external IP address that is reserved for your project until you decide to release it. If you have an IP address that your customers or users rely on to access your service, you can reserve that IP address so that only your project can use it. It is also possible to promote an ephemeral external IP address to a static external IP address.

You can reserve two types of external IP addresses:

Reserve a static external IP address in the gcloud command-line tool or through the API. After reserving the address, assign it to an instance during instance creation or to an existing instance.

Restrictions

  • Only one resource at a time can use a static external IP address.

  • There is no way to tell whether an IP address is static or ephemeral after it has been assigned to a resource, except to compare the IP address against the list of static external IP addresses reserved to that project. Use the addresses list sub-command to see a list of static external IP addresses available to the project.

  • Each VM instance can have multiple network interfaces, but each interface can have only one external IP address that is either ephemeral or static.

Note: Network interfaces can receive traffic from multiple forwarding rules, which might serve other external IP addresses. Any number of external IP addresses can reference a network interface through these forwarding rules, but each network interface can have only one external IP address that translates packets to the interface's internal IP address.

For more information about load balancing and forwarding rules, read the load balancing documentation.

Console

  1. Go to the Reserve a static address page in the GCP Console.

    Go to the Reserve a static address page

  2. Choose a name for the new address.
  3. Specify whether this is an IPv4 or IPv6 address. IPv6 addresses can only be global and can only be used with global HTTP(S), SSL proxy, and TCP proxy load balancers.
  4. Choose whether this IP address is regional or global. If you are reserving a static IP address for an instance or for a Network load balancer, choose Regional. If you are reserving a static IP address for an HTTP(S), SSL proxy, or TCP proxy load balancer, choose Global.
  5. If this is a regional IP address, select the region to create the address in.
  6. [Optional] Select a resource to attach the IP.
  7. Click Reserve to reserve the IP.

gcloud

To reserve a new static external IP address using gcloud compute, use the addresses create sub-command and specify whether you want to reserve a global or regional IP address:

gcloud compute addresses create [ADDRESS_NAME] \
    [--region [REGION] | --global ] \
    [--ip-version [IPV4 | IPV6]]

where:

  • [ADDRESS_NAME] is the name you want to call this address.
  • If you are specifying a regional IP address, provide the desired [REGION] for the request. This should be the same region as the resource you want to attach the IP address to.
  • If it is a global IP address, specify the --global flag. If you want an IPv6 address, specify both --global and --ip-version IPV6 flags. IPv6 addresses can only be global and can only be used with global HTTP(S), SSL proxy, and TCP proxy load balancers.

API

To make a request to the API directly for a regional IPv4 address, make a POST request to the following URI:

https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/[REGION]/addresses

Your request body should contain the following:

{
  name: "[ADDRESS_NAME]"
}

where:

  • [ADDRESS_NAME] is the name you want to call this address.
  • [REGION] is the name of the region for this request.
  • [PROJECT_ID] is the project ID for this request.

For global static IPv4 addresses, make a request to:

    https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/addresses

Your request body should contain the following:

{
  name: "[ADDRESS_NAME]"
}

For global static IPv6 addresses, make a request to:

    https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/addresses

Your request body should contain the following:

{
  "name": "[ADDRESS_NAME]",
  "ipVersion": "IPV6"
}

Assigning a static external IP address to a new VM instance

When you create a VM instance, it is automatically assigned an ephemeral external IP address. If you don't want an ephemeral external IP address, you can explicitly assign a static external IP address to the instance instead.

Console

  1. In the GCP Console, go to the VM Instances page.

    Go to the VM Instances page

  2. Click the Create button.
  3. On the Create a new instance page, fill in the desired properties for your instance.
  4. Expand the Management, disk, networking, SSH keys section.
  5. Click Networking.
  6. Under External IP, select a static external IP address.
  7. Click the Create button to create the instance.

gcloud

To assign a static external IP address, use the --address flag during instance creation and provide the static external IP address:

gcloud compute instances create [INSTANCE_NAME] --address [IP_ADDRESS]

where:

  • [INSTANCE_NAME] is the name of the instance.
  • [IP_ADDRESS] is the IP address to assign to the instance. Use the IP address, not the address name.

API

In your request to create a new instance, explicitly provide the networkInterfaces[].accessConfigs[].natIP property and the external IP you want to use. For example:

{
  "name": "[INSTANCE_NAME]",
  "machineType": "zones/[ZONE]/machineTypes/[MACHINE_TYPE]"
  "networkInterfaces": [{
    "accessConfigs": [{
      "type": "ONE_TO_ONE_NAT",
      "name": "External NAT",
      "natIP": "[IP_ADDRESS]"
     }],
    "network": "global/networks/default"
  }],
  "disks": [{
     "autoDelete": "true",
     "boot": "true",
     "type": "PERSISTENT",
     "initializeParams": {
        "sourceImage": "projects/debian-cloud/global/images/v20150818"
     }
   }]
 }

Changing or assigning an external IP address to an existing instance

You can change or assign an external IP address, either ephemeral or static, to an existing instance by modifying the instance's access configuration.

An instance can have only one external IP address. If the instance already has an external IP address, you must remove that address first by deleting the old access configuration. Then, you can add a new access configuration with the new external IP address.

Console

  1. Go to the VM instances page in the GCP Console.

    Go to the VM instances page

  2. Click the name of the instance that you want to assign an external IP to.
  3. Click the Edit button at the top of the page.
  4. Under External IP, select either an ephemeral or static external IP address to assign to the instance.
  5. Click the Save button to save your changes.

gcloud

  1. [Optional] Reserve a static external IP address.

    If you want to assign a static external IP address, you must reserve an address and make sure the address is not currently in use by another resource. If necessary, follow the instructions to reserve a new static external IP address or to unassign a static external IP address.

    If you intend to use an ephemeral external IP address, you can skip this step, and Compute Engine will randomly assign an ephemeral external IP address.

  2. Delete existing access configs.

    It is only possible for an instance to have one access config. Before you attempt to assign a new access config to an instance, check to see if your instance has an access config by making a gcloud compute instances describe request:

    gcloud compute instances describe [INSTANCE_NAME]
    

    If there is an existing access config, the access config appears in the following format:

    networkInterfaces:
    - accessConfigs:
      - kind: compute#accessConfig
        name: external-nat
        natIP: 130.211.181.55
        type: ONE_TO_ONE_NAT

    Before you add a new access config, you must delete the existing access config using the instances delete-access-config sub-command:

    gcloud compute instances delete-access-config [INSTANCE_NAME] \
        --access-config-name "[ACCESS_CONFIG_NAME]"
    

    where:

    • [INSTANCE_NAME] is the name of the instance.
    • [ACCESS_CONFIG_NAME] is the access config to delete. Make sure to include the full name between quotes.
  3. Add the new external IP address.

    Using the instances add-access-config sub-command, add a new external IP address:

    Note: Don't replace [IP_ADDRESS] with the name of the static IP. You must use the actual IP address.

    gcloud compute instances add-access-config [INSTANCE_NAME] \
        --access-config-name "[ACCESS_CONFIG_NAME]" --address [IP_ADDRESS]
    

    where:

    • [INSTANCE_NAME] is the name of the instance.
    • [ACCESS_CONFIG_NAME] is name to call this access config. Make sure to include the full name between quotes.
    • [IP_ADDRESS] is the IP address to add.

    If you want Compute Engine to assign an ephemeral external IP address rather than using a static external IP address, omit the --address [IP_ADDRESS] property:

    gcloud compute instances add-access-config [INSTANCE_NAME] \
        --access-config-name "[ACCESS_CONFIG_NAME]"
    

Promoting an ephemeral external IP address

If your instance has an ephemeral external IP address and you want to permanently assign the IP to your project, promote the ephemeral external IP address to a static external IP address.

Console

  1. Go to the External IP addresses page in the GCP Console.

    Go to the External IP addresses page

  2. In the Type column, change the address type to Static for the IP address you want to promote.
  3. Provide a name for the new static IP address and click Reserve.

gcloud

To promote an ephemeral external IP address to a static external IP address, provide the ephemeral external IP address using the --addresses flag when creating a new address:

gcloud compute addresses create [ADDRESS_NAME] \
    --addresses [IP_ADDRESS] --region [REGION]

where:

  • [ADDRESS_NAME] is the name you want to call this address.
  • [IP_ADDRESS] is the IP address you want to promote.
  • [REGION] is the region the IP address belongs to.

API

To make a request to the API directly, make a PUT request to the following URI:

https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/[REGION]/addresses

Your request body should contain the following:

{
  name: "[ADDRESS_NAME]",
  address: "[IP_ADDRESS]"
}

where:

  • [ADDRESS_NAME] is the name you want to call this address.
  • [IP_ADDRESS] is the IP address you want to promote.
  • [REGION] is the region the IP address belongs to.
  • [PROJECT_ID] is the project ID for this request.

The external IP address remains attached to the instance even after it is been promoted to a static external IP address. If you need to assign the newly-promoted static external IP address to another resource, unassign the static external IP address from the existing instance.

Listing static external IP addresses

To list static external IP addresses that you have reserved for your project, run addresses list or make a GET request to the API.

Console

Go to the External IP addresses page in the GCP Console to see a list of IP addresses for your project.

Go to the External IP addresses page

gcloud

Using the gcloud command-line tool:

gcloud compute addresses list

API

To make a request to the API directly, perform a GET request to the following URI with an empty request body:

https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/[REGION]/addresses

where:

  • [REGION] is the name of the region for this request.
  • [PROJECT_ID] is the project ID for this request.

To list all addresses in all regions, make a request to the following URI:

https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/aggregated/addresses

Describing a static external IP address

To get information about a static external IP address, use the gcloud compute addresses describe command and provide the name of the address, or make a GET request to the API.

Console

  1. Go to the External IP addresses page in the GCP Console.

    Go to the External IP addresses page

  2. Click on the IP address you want to get more information about.

gcloud

To use gcloud compute addresses describe:

gcloud compute addresses describe [ADDRESS_NAME]

where [ADDRESS_NAME] is the name of the external IP address you want to describe.

API

To make a request to the API directly, make a GET request with an empty request body to the following URI:

https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/[REGION]/addresses/[ADDRESS_NAME]

where:

  • [ADDRESS_NAME] is the name of the IP address.
  • [REGION] is the name of the region for this request.
  • [PROJECT_ID] is the project ID for this request.

Unassigning a static external IP address

You can unassign a static external IP address by deleting the instance or deleting the access config attached to the instance that is using the address. Unassigning a static external IP address allows you to reassign the static external IP address to another resource.

Unassigning an IP address removes it from the resource but keeps the IP address reserved to your project. You can tell that an static IP address is in use by performing a gcloud compute addresses list request:

gcloud compute addresses list
NAME                 REGION      ADDRESS            STATUS
example-address      [REGION]    130.211.160.207    RESERVED
example-address-new  [REGION]    130.211.114.137    IN_USE

In this example, example-address-new is currently in use.

To delete an instance's access config and unassign a static external IP address, follow these steps:

  1. Get the name of the access config to delete.

    To get the name, perform a gcloud compute instances describe request:

    gcloud compute instances describe [INSTANCE_NAME]
    

    where [INSTANCE_NAME] is the name of the instance.

    The access config appears in the following format:

    networkInterfaces:
    - accessConfigs:
      - kind: compute#accessConfig
        name: external-nat
        natIP: 130.211.181.55
        type: ONE_TO_ONE_NAT

    Note: The name of your access config might be different than external-nat; make sure to check for your own access config name. In some cases, an older version of the access config name, External NAT, might be used.

  2. Delete the access config.

    Use the instances delete-access-config sub-command:

    gcloud compute instances delete-access-config [INSTANCE_NAME] \
        --access-config-name "[ACCESS_CONFIG_NAME]"
    

    where:

    • [INSTANCE_NAME] is the name of the instance.
    • [ACCESS_CONFIG_NAME] is the name of the access config to delete. Make sure to include the full name between quotes.
  3. Check that your static external IP address is now available and marked as RESERVED instead of IN_USE.

    gcloud compute addresses list
    

    NAME                 REGION      ADDRESS            STATUS
    example-address      [REGION]    130.211.160.207    RESERVED
    example-address-new  [REGION]    130.211.114.137    RESERVED

Now that your static external IP address is available, you can choose to assign it to another instance.

Releasing a static external IP address

If you no longer need a static external IP address, you can release the address so that it is returned to the general IP pool for other Compute Engine users.

Console

  1. Go to the External IP addresses page in the GCP Console.

    Go to the External IP addresses page

  2. Check the box next to the IP address to release.
  3. Click Release IP address.

gcloud

Using the gcloud command-line tool:

gcloud compute addresses delete [ADDRESS_NAME]

where [ADDRESS_NAME] is the name of the IP address.

API

To make a request to the API directly, make a DELETE request to the following URI with an empty request body:

https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/regions/[REGION]/addresses/[ADDRESS_NAME]

where:

  • [ADDRESS_NAME] is the name of the IP address.
  • [REGION] is the name of the region for this request.
  • [PROJECT_ID] is the project ID for this request.

Choosing an internal IP address at instance creation

Optionally, you can choose a specific internal IP address to assign to an instance when you create it. The IP address must be a valid IP address of the subnet of the instance, and the IP address must not already be in use. The IP address remains attached to the instance until you delete the instance, which releases the IP address back into the pool. If you stop and restart the instance, the instance retains the same internal IP address.

If you do not specify an IP address, Compute Engine automatically allocates one from the subnet or network. You can specify an internal IP address using the gcloud command-line tool or the API.

gcloud

gcloud compute instances create [INSTANCE_NAME]
     --private-network-ip [IP_ADDRESS]

where:

  • [INSTANCE_NAME] is the name of the instance you want to create.
  • [IP_ADDRESS] is the IP address you want to assign.

If you are using a custom subnet mode network, you must also specify the subnet using the --subnet [SUBNET] parameter.

API

To create an instance with a static internal IP address, use the Compute Engine API. Make a request to create a new instance, as you would normally but explicitly provide the networkInterfaces[].networkIP property with the internal IP you want to use. For example:

{
  "name": "[INSTANCE_NAME]",
  "machineType": "zones/us-central1-f/machineTypes/f1-micro"
  "networkInterfaces": [{
    "accessConfigs": [{
      "type": "ONE_TO_ONE_NAT",
      "name": "External NAT",
     }],
    "network": "global/networks/default",
    "networkIP": [IP_ADDRESS]
  }],
  "disks": [{
     "autoDelete": "true",
     "boot": "true",
     "type": "PERSISTENT",
     "initializeParams": {
        "sourceImage": "projects/debian-cloud/global/images/v20150818"
     }
   }]
 }

where:

  • [INSTANCE_NAME] is the name of the instance.
  • [IP_ADDRESS] is the IP address to assign to the instance.

If you delete an instance with a specified IP address, the address goes back into the unallocated address pool. If you need an internal IP address to persist beyond the life of the instance, you can set a static internal target IP address using routes.

Disabling external IP access for VM instances

For certain workloads, you might have essential requirements that include security and network restrictions. For example, you might want to restrict external IP address access on VM instances to prevent data exfiltration or maintain network isolation, all of which are common and necessary restrictions for many customers. Using an Organization Policy, you can now disable external IP access with a policy constraint that makes it easy and convenient for you to control external IP address access for your VM instances within an organization or a project.

The constraint for controlling external IP address on VM instances is:

constraints/compute.vmExternalIpAccess

To use the constraint, you specify a policy with an allowedList of VM instances that can have external IP addresses. If no policy is specified, all external IP addresses are allowed for all VM instances. When the policy is in place, only the VM instances that are listed in the allowedValues list can be assigned an external IP address, either ephemeral or static, and other Compute Engine VM instances in the organization or project that are not explicitly defined in the policy are prohibited from using external IP addresses.

VMs are identified in the allow and deny lists using the instance's URL:

projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]

Specifications

  • You can only apply this list constraint to VM instances.
  • You cannot apply the constraint retroactively. All VM instances that have external IP addresses before the policy is enabled will keep their external IP address.
  • This constraint accepts either an allowedList or a deniedList but not both in the same policy.
  • It is up to the you or an administrator with the right permissions to manage and maintain the instance lifecycle and integrity. The constraint only verifies the instance's URL, and it does not prevent the white listed VMs from being altered, deleted, or recreated.

Permissions

To set a constraint on either the project or the organization level, you must have been granted the orgpolicy.policyAdmin role on the organization.

Setting the policy constraint on the organization level

To set a constraint for external IP access, you first need your organization ID.

Find your organization ID

Console

You can also find the ID on the Google Cloud Platform Console:

  1. Log in to the Google Cloud Platform Console.
  2. Click on the project selector.

    Screenshot of organization and project selector

  3. Select an organization and look for the organization ID.

    Screenshot of organization ID

gcloud

You can find the numeric n by running the following gcloud command and looking for the ID:

gcloud organizations list

DISPLAY_NAME           ID
example-organization   29252605212

Set your policy constraint

Console

  1. Go to the Organizational Policies page.

    Go to the Organizational Policies page

  2. If necessary, choose the desired organization from the project dropdown menu.
  3. Click on External IPs for VM instances.
  4. Click Edit to edit the external IP policy.
  5. Select Customize to set specific the org policy for specific VM instances.

    Screenshot for customizing org policy

  6. Choose the desired Policy enforcement and Policy type.

  7. Under Policy values, select Custom.
  8. Enter a partial URL to a VM instance and hit enter. Continue entering VM instances as desired.

    Screenshot for adding VM instances to org policy

  9. CLick Save to save your changes.

gcloud

Use the gcloud resource-manager org-policies set-policy command to set the policy. You will need to provide your policy as a JSON file. Create a JSON file that looks similar to this;

{
"constraint": "constraints/compute.vmExternalIpAccess",
"listPolicy": {
  "allowedValues": [
     "projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]",
     "projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]",
     "projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]"
  ]
 }
}

where:

  • [PROJECT_ID] is the project ID for this request, such as example-project. Note that this is different than setting up organization policies, which require the organization numeric ID.
  • [ZONE] is the zone of the instance.
  • [INSTANCE_NAME] is the instance name.

Alternatively, you can specify a deniedValues list to express VM instances that you explicitly want to prohibit from having an external IP address. Any instance not on the list would implicitly be allowed to have an external IP address. You can only specify either allowedValues or deniedValues but not both.

Then, pass in the file with your gcloud request:

gcloud beta resource-manager org-policies set-policy my-policy.json --organization [ORGANIZATION_ID]

where [ORGANIZATION_ID] is the numeric ID of the organization.

If you do not want any instances to have external IP access, you can set a policy with allValues set to DENY:

{
"constraint": "constraints/compute.vmExternalIpAccess",
"listPolicy": {
  "allValues": "DENY"
 }
}

API

Use the setOrgPolicy() API to define your constraint. The VMs in the allowedValue list you specify will be allowed to have external IP addresses. Alternatively, you can specify a deniedValues list to express VM instances that you explicitly want to prohibit from having an external IP address. Any instance not on the list would implicitly be allowed to have an external IP address. You can only specify either allowedValues or deniedValues but not both.

For example, the following is a request to set the compute.vmExternalIpAccess constraint onto an organization where VM instances from certain projects within the organization are allowed to have external IP addresses:

POST https://cloudresourcemanager.googleapis.com/v1/organizations/[ORGANIZATION_ID]:setOrgPolicy

where [ORGANIZATION_ID] is the numeric ID of the organization.

Now, in your request body, provide the desired policy for this constraint:

{
  "policy": {
    "constraint": "constraints/compute.vmExternalIpAccess",
    "listPolicy": {
      "allowedValues": [
        "projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]",
        "projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]",
        "projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]"
        ]
      }
    }
 }

If you do not want any instances to have external IP access, you can set a policy with allValues set to DENY:

{
  "policy": {
    "constraint": "constraints/compute.vmExternalIpAccess",
    "listPolicy": {
      "allValues": DENY
      }
    }
 }

Setting the policy at the project level

Setting a policy at the project level overrides the policy at the organization level. For example, if the organization level has example-vm-1 on the allowedValues list but the policy at the project level has the same VM on the deniedValues list, the VM instance would not be allowed to have an external IP addresses.

Console

Follow the same process documented under Setting a policy constraint on the organization level but choose your desired project from the project selector instead of the organization.

Screenshot for project selector

gcloud

Use the gcloud beta resource-manager org-policies set-policy command to set the policy. You will need to provide your policy as a JSON file. Create a JSON file that looks similar to this;

{
 "constraint": "constraints/compute.vmExternalIpAccess",
 "listPolicy": {
  "allowedValues": [
   "projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]"
  ]
 }
}

where:

  • [PROJECT_ID] is the project ID for this request, such as example-project. Note that this is different than setting up organization policies, which require the organization numeric ID.
  • [ZONE] is the zone of the instance.
  • [INSTANCE_NAME] is the instance name.

Alternatively, you can specify a deniedValues list of VM instances that you explicitly want to prohibit from having an external IP address. Any instance not on the list would implicitly be allowed to have an external IP address. You can only specify either allowedValues or deniedValues but not both.

Then, pass in the file with your gcloud request:

gcloud beta resource-manager org-policies set-policy my-policy.json --project example-project

API

Use the setOrgPolicy() API to define your constraint. The VMs in the allowedValue list you specify will be allowed to have external IP addresses. Alternatively, you can specify a deniedValues list to express VM instances that you explicitly want to prohibit from having an external IP address. Any instance not on the list is implicitly allowed to have an external IP address. You can only specify either allowedValues or deniedValues but not both.

For example, the following is a request to set the compute.vmExternalIpAccess constraint on a project to allow specific VM instances to have external IP addresses:

POST https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_ID]:setOrgPolicy

where [PROJECT_ID] is the project ID for this request.

The request body contains the desired policy for this constraint:

{
 "policy": {
  "constraint": "constraints/compute.vmExternalIpAccess",
  "listPolicy": {
   "allowedValues": [
    "projects/[PROJECT_ID]/zones/[ZONE]/instances/[INSTANCE_NAME]"
   ]
  }
 }
}

Best practices

  • Google recommends that you avoid using the deniedValues list with this constraint. If you define values in the deniedValues list, it means only the VM instances in the deniedValues list are restricted from using external IP addresses. This could be a security concern if you want control over exactly which instances can have external IP addresses. If you want to remove certain instances from the allowedValues list, update the existing policy to remove the instances from the allowedList rather than putting the instances into the deniedValues list at a lower hierarchy.

  • If you want to set a policy over a large part of the resource hierarchy but exempt certain projects, you should restore the default policy using the setOrgPolicy method by specifying the restoreDefault object to allow all VMs in the projects to be associated with external IP addresses. The policies currently in place for projects will not be affected by this default setting.

  • Use this org policy together with IAM roles to better control your environment. This policy only applies to VM instances but if you want to better control and restrict external IP addresses on network devices, you can grant the compute.networkAdmin role to the appropriate parties.

  • Any services and products that are running on Compute Engine within the organization or project with the policy enabled could be impacted by this Org Policy. Specifically, services such as Kubernetes Engine, Dataflow, Data Proc, and Cloud SQL will be impacted by this policy. If this is an issue, we recommend setting up other services and products in a different project that does not have the organization policy applied, and use Cross-Project Networking if needed.

What's next

Send feedback about...

Compute Engine Documentation