This page provides instructions to configure intra-project traffic network policies in Google Distributed Cloud (GDC) air-gapped appliance.
Project network policies define either ingress or egress rules. You can define policies that allow communication within projects, between projects, and to external IP addresses.
Before you begin
To configure intra-project traffic network policies, you must have the following:
- The necessary identity and access roles. For more information, see Prepare predefined roles and access.
- An existing project. For more information, see Create a project.
Create an intra-project traffic policy
For traffic within a project, GDC applies a predefined project network policy, the intra-project policy, to each project by default. With this default in place, workloads in the project namespace can communicate with each other, and nothing is exposed to resources outside the project.
There is no egress policy by default, so all outbound traffic from workloads in the project is allowed. As soon as you create even a single egress policy for the project, only the outbound traffic that the policy explicitly allows is permitted; everything else is denied.
Ingress intra-project traffic network policy
When you create a project, you implicitly create a default base ProjectNetworkPolicy that allows intra-project communication. This policy allows inbound traffic from other services in the same project.
You can delete the default policy, but be aware that doing so denies intra-project communication for all services and workloads within the project until you create a replacement ingress policy.
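The following manifests are an added example, not taken from this page or from the GDC product, written to show what the default ingress intra-project policy described above looks like as a ProjectNetworkPolicy resource, and, for the egress behaviour described earlier on this page, what a first egress policy that restricts outbound traffic to a single CIDR looks like. The apiVersion, the spec field names (policyType, subject.subjectType, ingress.from.projects.matchNames, egress.to.ipBlock.cidr), the placeholder namespace PROJECT_NAMESPACE and the CIDR 10.20.0.0/16 are assumptions; check the field names against the CRD installed in your appliance with `kubectl explain projectnetworkpolicy.spec` before applying.

```yaml
# Added example, not the page's own manifests. Field names are assumed
# from the GDC ProjectNetworkPolicy API; verify with
#   kubectl explain projectnetworkpolicy.spec
# PROJECT_NAMESPACE is a placeholder for your project's namespace.

# 1. Equivalent of the default base ingress policy: workloads in the
#    project may receive traffic from other workloads in the same project.
#    Re-create this if you deleted the default and need intra-project
#    traffic back.
apiVersion: networking.gdc.goog/v1
kind: ProjectNetworkPolicy
metadata:
  namespace: PROJECT_NAMESPACE
  name: allow-intra-project-ingress
spec:
  policyType: Ingress
  subject:
    subjectType: UserWorkload
  ingress:
  - from:
    - projects:
        matchNames:
        - PROJECT_NAMESPACE   # only the project itself, no other projects
---
# 2. A first egress policy. Before this exists, all outbound traffic is
#    allowed. Once it is applied, ONLY destinations it lists are reachable:
#    here a single assumed CIDR, 10.20.0.0/16. Any outbound flow not
#    matched by an egress policy in this project is now denied, including
#    flows to other projects and to the internet, unless another egress
#    policy allows them.
apiVersion: networking.gdc.goog/v1
kind: ProjectNetworkPolicy
metadata:
  namespace: PROJECT_NAMESPACE
  name: allow-egress-to-internal-cidr
spec:
  policyType: Egress
  subject:
    subjectType: UserWorkload
  egress:
  - to:
    - ipBlock:
        cidr: 10.20.0.0/16   # assumed example range, replace with yours
```

Apply with `kubectl apply -f` against the project namespace, then confirm the policies exist with `kubectl get projectnetworkpolicies -n PROJECT_NAMESPACE` (the plural resource name is assumed; `kubectl api-resources | grep -i projectnetworkpolicy` shows the exact name). Because the first egress policy flips the project from allow-all to deny-by-default for outbound traffic, list every destination your workloads need (DNS, other projects, external endpoints) before applying it, and test from a workload in the namespace afterwards.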