# Create organization network policies

An organization network policy defines the network access control for organization-level managed services exposed through Google Distributed Cloud (GDC) air-gapped. You can define these access controls using the [`OrganizationNetworkPolicy`](/distributed-cloud/hosted/docs/latest/gdch/apis/service/networking/v1/networking-v1#organizationnetworkpolicy) resource from the [Networking API](/distributed-cloud/hosted/docs/latest/gdch/apis/service/networking/networking-api-overview).

To get the permissions you need to configure the organization network policy, ask your Organization Identity and Access Management (IAM) Admin to grant you the Org Network Policy Admin (`org-network-policy-admin`) role.

You can define an organization network policy for access controls for the following GDC managed services:

- All services
- GDC console
- [Distributed Cloud CLI](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-overview)
- [Global API server](/distributed-cloud/hosted/docs/latest/gdch/resources/multi-zone/api-servers)
- [Key Management Systems (KMS)](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/kms/kms)
- [Object storage](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/storage#object_storage)
- [Vertex AI](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/vertex-pre-trained-apis)
  - Services within Vertex AI that a policy supports include the [Optical Character Recognition API](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/quickstart-ocr), [Speech-to-Text API](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/quickstart-stt), [Translation API](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/quickstart-translation), and [Workbench](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/vertex-ai-workbench-intro).
Default policy
--------------

By default, the following GDC managed services have the following principles:

| GDC service | Principle |
|---|---|
| All services | allow-all |
| GDC console | allow-all |
| Distributed Cloud CLI | allow-all |
| Global API server | deny-by-default |
| KMS | deny-by-default |
| Object storage | deny-by-default |
| Vertex AI and supported services | deny-by-default |
Example organization network policy
-----------------------------------

The following is an example of an `OrganizationNetworkPolicy` resource that allows traffic from an IP address to access a GDC managed service.

```bash
kubectl --kubeconfig MANAGEMENT_API_SERVER apply -f - <<EOF
apiVersion: networking.gdc.goog/v1
kind: OrganizationNetworkPolicy
metadata:
  name: POLICY_NAME
  namespace: platform
spec:
  subject:
    services:
      matchTypes:
      - "SERVICE_NAME"
  ingress:
  - from:
    - ipBlock:
        cidr: IP_ADDRESS
    - ipBlock:
        cidr: IP_ADDRESS
EOF
```

Replace the following variables:

- `MANAGEMENT_API_SERVER`: the kubeconfig path of the zonal API server. If you have not yet generated a kubeconfig file for the API server in the target zone, see Sign in for details.
- `POLICY_NAME`: the name to give the policy. For example, `allow-ui-access`.
- `SERVICE_NAME`: the name of the service to apply the policy to. Use the following values for each service:
  - All services: `all`
  - GDC console: `ui-console`
  - Distributed Cloud CLI: `api-server`
  - Global API server: `global-api-server`
  - KMS: `kms`
  - Object storage: `object-storage`
  - Vertex AI: `ai`
- `IP_ADDRESS`: the IP address to allow access from. For example, `10.251.0.0/24`. You can also allow multiple IP addresses by defining more than one `ipBlock` field, one per IP address.

Last updated 2025-09-04 UTC.
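As an added example (not code from the GDC documentation), the following Python builds the manifest shown above from a list of CIDRs, emitting one `ipBlock` per entry, rejects malformed or over-broad ranges before anything reaches `kubectl`, and reports the target service's default principle from the table above so an operator can see whether the policy is opening a deny-by-default service. The `MIN_PREFIXLEN` threshold and the helper names `validate_cidr`, `build_policy`, `default_principle` and `render` are assumptions of this example.

```python
"""Build and check an OrganizationNetworkPolicy manifest (example code, not
from the GDC docs; layout, API group and namespace follow the page's manifest)."""
import ipaddress
import json

# SERVICE_NAME values mapped to the default principle the page's table lists.
SERVICE_DEFAULTS = {
    "all": "allow-all", "ui-console": "allow-all", "api-server": "allow-all",
    "global-api-server": "deny-by-default", "kms": "deny-by-default",
    "object-storage": "deny-by-default", "ai": "deny-by-default",
}
MIN_PREFIXLEN = 16  # assumption: refuse allow lists broader than a /16


def validate_cidr(cidr: str) -> str:
    """Return the normalised CIDR; raise ValueError if malformed or too broad."""
    net = ipaddress.ip_network(cidr, strict=True)  # host bits set -> ValueError
    if net.prefixlen < MIN_PREFIXLEN:
        raise ValueError(f"{cidr} is broader than /{MIN_PREFIXLEN}")
    return str(net)


def build_policy(name: str, service: str, cidrs: list) -> dict:
    """Return the manifest as a dict with one ipBlock per CIDR."""
    if service not in SERVICE_DEFAULTS:
        raise ValueError(f"unknown SERVICE_NAME {service!r}")
    if not cidrs:
        raise ValueError("at least one CIDR is required")
    blocks = [{"ipBlock": {"cidr": validate_cidr(c)}} for c in cidrs]
    return {
        "apiVersion": "networking.gdc.goog/v1",
        "kind": "OrganizationNetworkPolicy",
        "metadata": {"name": name, "namespace": "platform"},
        "spec": {
            "subject": {"services": {"matchTypes": [service]}},
            "ingress": [{"from": blocks}],
        },
    }


def default_principle(policy: dict) -> str:
    """What the targeted service allows before this policy exists (page's table)."""
    return SERVICE_DEFAULTS[policy["spec"]["subject"]["services"]["matchTypes"][0]]


def render(policy: dict) -> str:
    """JSON is valid YAML, so the output can be piped to `kubectl apply -f -`."""
    return json.dumps(policy, indent=2)
```

Pipe `render(build_policy(...))` into `kubectl --kubeconfig MANAGEMENT_API_SERVER apply -f -` to apply the generated policy.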