This page provides instructions to configure intra-project traffic network policies in Google Distributed Cloud (GDC) air-gapped appliance.
Project network policies define either ingress or egress rules. You can define policies that allow communication within projects, between projects, and to external IP addresses.
Before you begin
To configure intra-project traffic network policies, you must have the following:
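The necessary identity and access roles. For more information, see Prepare predefined roles and access.
An existing project. For more information, see Create a project.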
Create an intra-project traffic policy
For traffic within a project, GDC applies a predefined
project network policy, the intra-project policy, to each project by default.
By default, workloads in a project namespace have the ability to communicate
with each other without exposing anything to external resources.
By default, there is no egress policy, so outbound traffic is allowed for all
intra-project traffic. However, when you set a single egress policy, only the
traffic that the policy specifies is allowed.
Ingress intra-project traffic network policy
When you create a project, you implicitly create a default base
ProjectNetworkPolicy that allows intra-project communication. This policy
allows inbound traffic from other services in the same project.
You can remove the default policy, but be aware that this removal results in denying intra-project communication for
all services and workloads within the project.