Overview

This page provides an overview of project network policies in Google Distributed Cloud (GDC) air-gapped appliance.

Project network policies define either ingress rules or egress rules. Unlike a Kubernetes NetworkPolicy, which can carry both, a single project network policy has exactly one policy type.

For traffic within a project, GDC applies a predefined project network policy, the intra-project policy, to each project by default.

Services and workloads in a project are isolated from services and workloads outside the project by default. Services and workloads in different project namespaces can communicate with each other only after you apply cross-project network policies that allow that traffic.

Ingress and egress firewall rules are the main components of project network policies and determine which traffic is allowed into and out of your project namespace. To set firewall rules for your project namespace in GDC, use the GDC console.

Security and connectivity

By default, services and workloads in a project are isolated within that project. They cannot communicate with external services and workloads without configuring a network policy.

To set a network policy for your project namespace in GDC, use the ProjectNetworkPolicy resource. This resource lets you define policies that allow communication within a project, between projects, to external IP addresses, and from external IP addresses. Also, you can move workloads out of a project only if you disable data exfiltration protection for that project.

GDC project network policies are additive. For a given workload and direction, GDC evaluates a traffic flow against the union of all policies that select that workload and allows the flow if it matches at least one rule in any of those policies (any-match semantics). Adding a policy can therefore only widen what is allowed; it never narrows what another policy already permits.

The counterpart is default deny: as soon as at least one policy selects a workload as its subject, every flow that no policy explicitly allows is denied. When you apply one or more policies to a workload, only the traffic those policies specify gets through.

When you use a well-known IP address that you allocated for the project, GDC performs source network address translation (SNAT) on outbound traffic leaving the organization, so that traffic is translated to that address.

Workload-level network policies

You can create workload-level network policies to define fine-grained access control for individual VMs and pods within a project. These policies act like firewalls for your workloads, controlling traffic flow based on labels to enhance security and isolate applications. This granularity allows stricter control over which workloads can communicate with each other within and across projects.
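The following Python model is an added example written for this page, not GDC code, and it is the one example for both the additive/default-deny semantics described under "Security and connectivity" and the label-scoped workload-level policies above. The manifest shapes follow the documented ProjectNetworkPolicy fields (apiVersion networking.gdc.goog/v1, kind, spec.policyType, spec.subject.subjectType, spec.ingress[].from[] and spec.egress[].to[] with projects.matchNames or ipBlock.cidr). The workloadSelector field, modelling the predefined intra-project policy as one object per direction, treating "no policy selects this workload" as deny, and the project names shop and billing are assumptions made for illustration.

```python
"""Model of GDC project network policy evaluation (added example, not GDC code).

Assumptions: the workloadSelector field for label-scoped subjects, one
predefined intra-project object per direction, deny when nothing selects a
workload, and the sample projects "shop" and "billing" are constructed here."""
import ipaddress

API_VERSION = "networking.gdc.goog/v1"


def policy(name, project, policy_type, peers, labels=None):
    """Build a ProjectNetworkPolicy-shaped dict carrying rules for one direction only."""
    subject = {"subjectType": "UserWorkload"}
    if labels:  # assumption: workload-level policies select the subject by label
        subject["workloadSelector"] = {"matchLabels": dict(labels)}
    rules_key, peer_key = ("ingress", "from") if policy_type == "Ingress" else ("egress", "to")
    return {
        "apiVersion": API_VERSION,
        "kind": "ProjectNetworkPolicy",
        "metadata": {"name": name, "namespace": project},
        "spec": {"policyType": policy_type, "subject": subject, rules_key: [{peer_key: list(peers)}]},
    }


def validation_error(p):
    """Return a message if a manifest mixes directions (one policy type only), else None."""
    spec = p["spec"]
    ptype = spec.get("policyType")
    if ptype not in ("Ingress", "Egress"):
        return "policyType must be Ingress or Egress"
    if "ingress" in spec and "egress" in spec:
        return "a policy carries ingress or egress rules, never both"
    if (ptype == "Ingress" and "egress" in spec) or (ptype == "Egress" and "ingress" in spec):
        return "rules do not match policyType"
    return None


def predefined_intra_project(project):
    """Default intra-project policy, modelled as an ingress object and an egress object."""
    same_project = [{"projects": {"matchNames": [project]}}]
    return [policy("intra-project-ingress", project, "Ingress", same_project),
            policy("intra-project-egress", project, "Egress", same_project)]


def selects(p, workload):
    """A policy selects workloads in its own namespace whose labels satisfy its selector."""
    if p["metadata"]["namespace"] != workload["project"]:
        return False
    wanted = p["spec"]["subject"].get("workloadSelector", {}).get("matchLabels", {})
    have = workload.get("labels", {})
    return all(have.get(k) == v for k, v in wanted.items())


def peer_matches(peer, remote):
    """Match one from/to entry against the remote endpoint of a flow."""
    if "projects" in peer:
        return remote.get("project") in peer["projects"]["matchNames"]
    if "ipBlock" in peer:
        net = ipaddress.ip_network(peer["ipBlock"]["cidr"])
        return "ip" in remote and ipaddress.ip_address(remote["ip"]) in net
    return False


def is_allowed(policies, workload, direction, remote):
    """Any-match over the union of same-direction policies that select the workload.

    Isolation is the default: no selecting policy means deny, and once selected,
    every flow that no rule names is denied."""
    policy_type, rules_key, peer_key = (
        ("Ingress", "ingress", "from") if direction == "ingress" else ("Egress", "egress", "to"))
    applicable = [p for p in policies if p["spec"]["policyType"] == policy_type and selects(p, workload)]
    return any(peer_matches(peer, remote)
               for p in applicable
               for rule in p["spec"].get(rules_key, [])
               for peer in rule.get(peer_key, []))


# Constructed sample: two projects plus two user policies in "shop".
POLICIES = predefined_intra_project("shop") + predefined_intra_project("billing") + [
    # Cross-project ingress: let every workload in billing reach every workload in shop.
    policy("allow-from-billing", "shop", "Ingress", [{"projects": {"matchNames": ["billing"]}}]),
    # Workload-level egress: only shop workloads labelled app=api may reach 10.0.0.0/24.
    policy("api-to-db", "shop", "Egress", [{"ipBlock": {"cidr": "10.0.0.0/24"}}], labels={"app": "api"}),
]


def demo():
    """Evaluate a handful of flows against the sample policy set."""
    api = {"project": "shop", "labels": {"app": "api"}}
    web = {"project": "shop", "labels": {"app": "web"}}
    return {
        "api_from_shop": is_allowed(POLICIES, api, "ingress", {"project": "shop"}),        # intra-project
        "api_from_billing": is_allowed(POLICIES, api, "ingress", {"project": "billing"}),  # cross-project
        "api_from_other": is_allowed(POLICIES, api, "ingress", {"project": "other"}),      # unspecified: deny
        "api_to_db": is_allowed(POLICIES, api, "egress", {"ip": "10.0.0.5"}),              # label-scoped allow
        "web_to_db": is_allowed(POLICIES, web, "egress", {"ip": "10.0.0.5"}),              # not selected: deny
        "billing_from_shop": is_allowed(POLICIES, {"project": "billing"}, "ingress", {"project": "shop"}),
    }


if __name__ == "__main__":
    for flow, allowed in demo().items():
        print(f"{flow:18} {'ALLOW' if allowed else 'DENY'}")
```

Two things worth noticing in the output: the cross-project ingress policy in shop is one-way, so billing_from_shop stays denied until billing carries its own ingress policy naming shop, and the egress policy scoped to app=api does nothing for the app=web workload, which remains limited to the predefined intra-project policy.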

Prepare predefined roles and access

To configure project network policies, you must have the necessary identity and access roles:

  • Project NetworkPolicy Admin: manages project network policies in the project namespace. Ask your Organization IAM Admin to grant you the Project NetworkPolicy Admin (project-networkpolicy-admin) cluster role.

What's next