Create organization network policies

An organization network policy defines the network access control for organization-level managed services exposed through Google Distributed Cloud Hosted (GDCH). You can define these access controls using the OrganizationNetworkPolicy resource from the Networking API.

To get the permissions you need to configure the organization network policy, ask your Organization Identity and Access Management (IAM) Admin to grant you the Org Network Policy Admin (org-network-policy-admin) role.

You can define an organization network policy for access controls for the following GDCH managed services:

Default policy

By default, the following GDCH managed services have the following principles:

GDCH service Principle
GDCH console allow-all
gdcloud CLI allow-all
KMS deny-by-default
Object storage deny-by-default
Vertex AI and supported services deny-by-default

Example organization network policy

The following is an example of an OrganizationNetworkPolicy resource that allows traffic from an IP address to access a GDCH managed service.

   kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG apply -f - <<EOF
   kind: OrganizationNetworkPolicy
     name: POLICY_NAME
     namespace: platform
         - "SERVICE_NAME"
       - from:
         - ipBlock:
             cidr: IP_ADDRESS
         - ipBlock:
             cidr: IP_ADDRESS

Replace the following variables:

Variable Description
ORG_ADMIN_CLUSTER_KUBECONFIG The kubeconfig path of the org admin cluster.
POLICY_NAME The name to give the policy.

For example, allow-ui-access.
SERVICE_NAME The name of the service to apply the policy. Use the following values for each service:
  • GDCH console: ui-console
  • gdcloud CLI: api-server
  • KMS: kms
  • Object storage: object-storage
  • Vertex AI: ai
IP_ADDRESS The IP address to allow access. For example, You can also add multiple IP addresses by defining more than one ipBlock fields for each IP address.