Configure traffic between projects

Services and workloads in a project are isolated from external services and workloads by default. However, services and workloads from different project namespaces and within the same organization can communicate with each other by applying cross-project traffic network policies.

Similarly, connecting services and workloads to a destination outside of your project in a different organization requires explicit approval. You must disable data exfiltration protection to allow cross-organization traffic.

Ingress and egress firewall rules are the main components of project network policies and determine which types of traffic are allowed in and out of your network. To set firewall rules for your project namespace in Google Distributed Cloud (GDC) air-gapped, use the GDC console.

Disable data exfiltration protection

By default, a project has data exfiltration protection enabled. The following are the default policies for a project with data exfiltration protection enabled:

  • Allow inbound traffic only from the same project. All other traffic is denied.
  • Allow outbound traffic to all destinations within the same organization. All other traffic is denied, which means that external traffic outside your organization is denied.

With data exfiltration protection enabled, you cannot create ProjectNetworkPolicy resources for outbound traffic.

If you disable data exfiltration protection by unchecking the corresponding checkbox in the GDC console for a project, the default policies for the project are the following:

  • Allow inbound traffic only from the same project. All other traffic is denied.
  • Allow outbound traffic to all destinations, including external projects from other organizations.

Work through the following steps to disable data exfiltration protection for a project:

  1. In the GDC console, go to Projects in the navigation menu.
  2. Click the name of the project where you want to disable data exfiltration protection.
  3. Click the Edit button on the Data exfiltration protection field.
  4. On the Edit data exfiltration protection page, clear the Enable data exfiltration protection checkbox.
  5. Click Save. The Data exfiltration protection field changes its value to Disabled.

You must create ProjectNetworkPolicy egress policies for your projects to restrict the outbound traffic. For more information, see Configure and view project network policies.

Cross-project traffic

Cross-project traffic refers to the communication between services and workloads from different project namespaces but within the same organization.

Create an ingress firewall rule for cross-project traffic

For project workloads or services to accept connections from workloads in another project within your organization, you must configure an ingress firewall rule that allows inbound traffic from the other project's workloads.

Work through the following steps to create a new firewall rule and allow inbound traffic from workloads in another project:

  1. Within the GDC console of the project you are configuring, go to Networking > Firewall in the navigation menu to open the Firewall page.
  2. Click Create in the action bar to begin creating a new firewall rule.
  3. On the Firewall rule details page, fill out the following information:

    1. In the Name field, enter a valid name for your firewall rule.
    2. In the Direction of traffic section, select Ingress to allow inbound traffic from workloads in other projects.
    3. In the Target section, select one of the following options:
      • All user workloads: allow connections to the workloads of the project you are configuring.
      • Service: indicate that this firewall rule targets a specific service within the project you are configuring.
    4. If your target is a project service, select the name of the service from the list of available services on the Service drop-down menu.
    5. In the From section, select one of the following two options:
      • All projects: allow connections from workloads in all the projects of the same organization.
      • Another project and All user workloads: allow connections from workloads in another project of the same organization.
    6. If you want to allow traffic only from another project, select a project that you can access from the list of projects on the Project ID drop-down menu.
    7. If your target is all user workloads, select one of the following options in the Protocols and ports section:
      • Allow all: allow connections using any protocol or port.
      • Specified protocols and ports: allow connections using only the protocols and ports that you specify in the corresponding fields for the ingress firewall rule.
  4. On the Firewall rule details page, click Create.

You've now permitted connections from other project workloads within the same organization. After creating the firewall rule, the rule is visible in a table on the Firewall page.

Create an egress firewall rule for cross-project traffic

When you grant an ingress cross-project traffic policy that lets workloads in one project accept connections from workloads in another project, the policy also grants the return traffic for the same flows. Therefore, you don't need an egress cross-project traffic network policy in the original project.

For example, if you create a policy allowing traffic from PROJECT_1 to PROJECT_2 and data exfiltration protection is disabled, you must create an ingress policy in PROJECT_2 and an egress policy in PROJECT_1. However, the reply packets are excluded from policy enforcement, so you don't require any additional policies.

Work through the following steps to create a new firewall rule and allow outbound traffic from workloads in a project:

  1. Within the GDC console of the project you are configuring, go to Networking > Firewall in the navigation menu to open the Firewall page.
  2. Click Create in the action bar to begin creating a new firewall rule.
  3. On the Firewall rule details page, fill out the following information:

    1. In the Name field, enter a valid name for your firewall rule.
    2. In the Direction of traffic section, select Egress to indicate that this firewall rule is controlling outbound traffic.
    3. In the Target section, select one of the following options:
      • All user workloads: allow connections from the workloads of the project you are configuring.
      • Service: indicate that this firewall rule targets a specific service within the project you are configuring.
    4. If your target is a project service, select the name of the service from the list of available services on the Service drop-down menu.
    5. In the To section, select one of the following two options:
      • All projects: allow connections to workloads in all the projects of the same organization.
      • Another project and All user workloads: allow connections to workloads in another project of the same organization.
    6. If you want to allow traffic only to another project, select a project that you can access from the list of projects on the Project ID drop-down menu.
    7. If your target is all user workloads, select one of the following options in the Protocols and ports section:
      • Allow all: allow connections using any protocol or port.
      • Specified protocols and ports: allow connections using only the protocols and ports that you specify in the corresponding fields for the egress firewall rule.
  4. On the Firewall rule details page, click Create.

You've now permitted connections to other project workloads within the same organization. After creating the firewall rule, the rule is visible in a table on the Firewall page.

Cross-organization traffic

Cross-organization traffic refers to the communication between services and workloads from different organizations.

Create an ingress firewall rule for cross-organization traffic

For project workloads or services to allow connections from workloads in another project of a different organization, you must configure an ingress firewall rule to allow inbound traffic from the other project workloads.

Work through the following steps to create a new firewall rule and allow inbound traffic from workloads in a project of a different organization:

  1. Within the GDC console of the project you are configuring, go to Networking > Firewall in the navigation menu to open the Firewall page.
  2. Click Create in the action bar to begin creating a new firewall rule.
  3. On the Firewall rule details page, fill out the following information:

    1. In the Name field, enter a valid name for your firewall rule.
    2. In the Direction of traffic section, select Ingress to allow inbound traffic from workloads in other organizations.
    3. In the Target section, select one of the following options:
      • All user workloads: allow connections to the workloads of the project you are configuring.
      • Service: indicate that this firewall rule targets a specific service within the project you are configuring.
    4. If your target is a project service, select the name of the service from the list of available services on the Service drop-down menu.
    5. In the From section, select Outside the organization and enter the CIDR block of another organization in the CIDR field to allow connections from that organization's network.
    6. If your target is all user workloads, select one of the following options in the Protocols and ports section:
      • Allow all: allow connections using any protocol or port.
      • Specified protocols and ports: allow connections using only the protocols and ports that you specify in the corresponding fields for the ingress firewall rule.
  4. On the Firewall rule details page, click Create.

You've now permitted connections from project workloads of a different organization. After creating the firewall rule, the rule is visible in a table on the Firewall page.

Create an egress firewall rule for cross-organization traffic

To allow data transfer to services outside the organization, you must configure an egress firewall rule that allows outbound traffic from your project workloads or services.

Work through the following steps to create a new firewall rule and allow outbound traffic from project workloads or services to workloads in another organization:

  1. Within the GDC console of the project you are configuring, go to Networking > Firewall in the navigation menu to open the Firewall page.
  2. Click Create in the action bar to begin creating a new firewall rule.
  3. On the Firewall rule details page, fill out the following information:

    1. In the Name field, enter a valid name for your firewall rule.
    2. In the Direction of traffic section, select Egress to indicate that this firewall rule is controlling outbound traffic.
    3. In the Target section, select one of the following options:
      • All user workloads: allow connections from the workloads of the project you are configuring.
      • Service: indicate that this firewall rule targets a specific service within the project you are configuring.
    4. If your target is a project service, select the name of the service from the list of available services on the Service drop-down menu.
    5. In the To section, select Outside the organization and enter the CIDR block of another organization in the CIDR field to allow connections to that organization's network.
    6. If your target is all user workloads, select one of the following options in the Protocols and ports section:
      • Allow all: allow connections using any protocol or port.
      • Specified protocols and ports: allow connections using only the protocols and ports that you specify in the corresponding fields for the egress firewall rule.
  4. On the Firewall rule details page, click Create.

You've now permitted connections to another organization. After creating the firewall rule, the rule is visible in a table on the Firewall page.
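The four procedures above share a small set of constraints: egress rules require data exfiltration protection to be disabled, cross-project peers need a Project ID, cross-organization peers need a CIDR block, protocols and ports are only offered for the All user workloads target, and an ingress rule already admits the return traffic of its flows. The following pre-flight check, an added example that is not GDC code or a GDC API, models the console form's fields as a dataclass (constructed here) and reports which of those constraints a planned rule set violates before anyone clicks Create.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Constructed model of the fields the GDC console firewall form exposes
# (name, direction, target, From/To peer, protocols and ports). This is an
# illustrative pre-flight check for a planned rule set, not a GDC API.
@dataclass
class Rule:
    name: str
    direction: str                    # "Ingress" or "Egress"
    target: str                       # "All user workloads" or "Service"
    peer: str                         # "All projects", "Another project" or "Outside the organization"
    project_id: Optional[str] = None  # required when peer is "Another project"
    cidr: Optional[str] = None        # required when peer is "Outside the organization"
    ports: Optional[list] = None      # e.g. [("TCP", 443)]; None means Allow all

def lint(rules, exfil_protection_enabled):
    """Return (rule name, finding) pairs for one project's planned firewall rules."""
    findings = []
    ingress_peers = {(r.peer, r.project_id) for r in rules if r.direction == "Ingress"}
    for r in rules:
        # Outbound policies cannot be created while data exfiltration protection is on.
        if r.direction == "Egress" and exfil_protection_enabled:
            findings.append((r.name, "egress rule requires data exfiltration protection disabled"))
        if r.peer == "Another project" and not r.project_id:
            findings.append((r.name, "Another project requires a Project ID"))
        if r.peer == "Outside the organization":
            try:
                ip_network(r.cidr or "", strict=True)  # rejects missing CIDR and host bits set
            except ValueError:
                findings.append((r.name, "Outside the organization requires a valid CIDR block"))
        # The console offers Protocols and ports only for the All user workloads target.
        if r.target == "Service" and r.ports is not None:
            findings.append((r.name, "protocols and ports apply only to All user workloads"))
        # An ingress rule already admits the return traffic of its flows, so an egress
        # rule to the same peer is only needed for connections this project initiates.
        if (r.direction == "Egress" and r.peer != "Outside the organization"
                and (r.peer, r.project_id) in ingress_peers):
            findings.append((r.name, "note: return traffic for the matching ingress rule is already allowed"))
    return findings
```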