This page describes the egress connectivity actions you must take on a virtual machine (VM) or pod in a project so that workloads can leave the organization. The procedure shows how to add the required label to a deployment to explicitly enable outbound traffic and let workloads communicate outside the organization.
By default, Google Distributed Cloud (GDC) air-gapped blocks workloads in a project from leaving the organization. Workloads can leave the organization only if your Platform Administrator (PA) has disabled data exfiltration protection for the project. In addition to that, the Application Operator (AO) must add the label egress.networking.gke.io/enabled: true to the pod workload to enable egress connectivity for that pod. When you allocate and use a well-known IP address for the project, outbound traffic leaving the organization is source network address translated (SNAT) to that address.
You can manage egress connectivity from workloads in a pod or in a VM.
Manage outbound traffic from workloads in a pod
To configure workloads in a pod for egress connectivity, first ensure that data exfiltration protection is disabled for the project. Then ensure that the egress.networking.gke.io/enabled: true label is set on the pod. If you use a higher-level construct such as a Deployment or DaemonSet to manage a set of pods, configure the pod label in the pod template of that specification; a label on the Deployment object itself does not propagate to its pods.
The following example shows how to create a Deployment from its manifest. The sample manifest carries egress.networking.gke.io/enabled: "true" in the pod template's labels field to explicitly enable outbound traffic from the project. The label is added to every pod in the deployment and lets the workloads in those pods leave the organization. Quote the value: Kubernetes label values must be strings, and an unquoted true is parsed as a YAML boolean and rejected when the manifest is decoded.
kubectl --kubeconfig USER_CLUSTER_KUBECONFIG \
  apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: DEPLOYMENT_NAME
spec:
  replicas: NUMBER_OF_REPLICAS
  selector:
    matchLabels:
      run: APP_NAME
  template:
    metadata:
      labels: # The labels given to each pod in the deployment, which are used
              # to manage all pods in the deployment.
        run: APP_NAME
        egress.networking.gke.io/enabled: "true" # Quoted: label values must be strings.
    spec: # The pod specification, which defines how each pod runs in the deployment.
      containers:
      - name: CONTAINER_NAME
        image: CONTAINER_IMAGE
EOF
Replace the following:
USER_CLUSTER_KUBECONFIG: the kubeconfig file for the user cluster to which you are deploying container workloads.
DEPLOYMENT_NAME: the name of the Deployment object.
APP_NAME: the name of the application to run within the deployment.
NUMBER_OF_REPLICAS: the number of replicated Pod objects that the deployment manages.
CONTAINER_NAME: the name of the container.
CONTAINER_IMAGE: the name of the container image. You must include the container registry path and the image version, such as REGISTRY_PATH/hello-app:1.0.
After applying, confirm that the pods actually carry the label with kubectl --kubeconfig USER_CLUSTER_KUBECONFIG get pods -l egress.networking.gke.io/enabled=true; pods that do not appear in that list remain blocked from leaving the organization.
For example:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 3
  selector:
    matchLabels:
      run: my-app
  template:
    metadata:
      labels:
        run: my-app
        egress.networking.gke.io/enabled: "true"
    spec:
      containers:
      - name: hello-app
        image: REGISTRY_PATH/hello-app:1.0
Manage outbound traffic from workloads in a VM
To configure workloads in a VM for egress connectivity, you can use the GDC console for VM configuration or create a VirtualMachineExternalAccess resource. For information about how to enable a VM with external access for data transfer, see Enable external access in the Connect to VMs section.
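The two mistakes that silently leave pods blocked in the pod procedure above are putting the egress label on the Deployment's own metadata instead of the pod template, and writing the value as an unquoted YAML boolean. The following is an added example, not code from this page or from GDC, that checks a manifest for both problems and produces a corrected one. It works on the manifest as a Python dict (JSON, which kubectl apply -f accepts because JSON is valid YAML) so that it runs without pyyaml or a cluster; the sample Deployment is constructed here and the label key is the one the page documents.

```python
import json
from copy import deepcopy

EGRESS_LABEL = "egress.networking.gke.io/enabled"

# Constructed sample: mirrors the page's Deployment, but the egress label sits on the
# Deployment object itself and is missing from the pod template (the common mistake).
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "my-app", "labels": {EGRESS_LABEL: "true"}},
    "spec": {
        "replicas": 3,
        "selector": {"matchLabels": {"run": "my-app"}},
        "template": {
            "metadata": {"labels": {"run": "my-app"}},
            "spec": {
                "containers": [
                    {"name": "hello-app", "image": "REGISTRY_PATH/hello-app:1.0"}
                ]
            },
        },
    },
}

WORKLOAD_KINDS = ("Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job")


def pod_labels(manifest):
    """Return the labels that the pods created from this manifest will carry.

    For controllers that is spec.template.metadata.labels; for a bare Pod it is
    metadata.labels. Labels on the controller object itself are deliberately ignored,
    because they are never copied onto the pods.
    """
    kind = manifest.get("kind")
    if kind in WORKLOAD_KINDS:
        return (manifest.get("spec", {}).get("template", {})
                .get("metadata", {}).get("labels") or {})
    if kind == "Pod":
        return manifest.get("metadata", {}).get("labels") or {}
    raise ValueError(f"unsupported kind: {kind!r}")


def non_string_label_values(labels):
    """Kubernetes label values must be strings. An unquoted YAML `true` arrives as a
    bool and the API server rejects the whole manifest; report such keys."""
    return sorted(k for k, v in labels.items() if not isinstance(v, str))


def egress_enabled(manifest):
    """True only if the pods themselves will carry egress.networking.gke.io/enabled="true"."""
    return pod_labels(manifest).get(EGRESS_LABEL) == "true"


def with_egress_label(manifest):
    """Return a copy of the manifest with the egress label set (as a string) where it
    takes effect: the pod template for controllers, metadata for a bare Pod."""
    fixed = deepcopy(manifest)
    if fixed.get("kind") == "Pod":
        target = fixed.setdefault("metadata", {})
    elif fixed.get("kind") in WORKLOAD_KINDS:
        target = (fixed.setdefault("spec", {}).setdefault("template", {})
                  .setdefault("metadata", {}))
    else:
        raise ValueError(f"unsupported kind: {fixed.get('kind')!r}")
    labels = target.setdefault("labels", {})
    labels[EGRESS_LABEL] = "true"
    return fixed


def render(manifest):
    """Serialize for `kubectl apply -f -`; JSON is valid YAML, so no pyyaml is needed."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    print("pods get egress before fix:", egress_enabled(SAMPLE_DEPLOYMENT))
    fixed = with_egress_label(SAMPLE_DEPLOYMENT)
    print("pods get egress after fix:", egress_enabled(fixed))
    print("non-string label values:", non_string_label_values(pod_labels(fixed)))
    print(render(fixed))
```

Pipe the rendered output into kubectl --kubeconfig USER_CLUSTER_KUBECONFIG apply -f - as the page does, then verify with kubectl get pods -l egress.networking.gke.io/enabled=true. Note that the label only has an effect once the PA has disabled data exfiltration protection for the project; the check here tells you whether the pods are labeled, not whether the project-level protection is off.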