Organization policy constraints for Cloud Load Balancing

This page provides supplemental information about organization policy constraints that apply to Cloud Load Balancing. Use organization policy constraints to enforce load balancer settings across an entire project, folder, or organization.

Use an organization policy to restrict the Cloud Load Balancing types that can be created in your organization. Set the following organization policy constraint:

constraints/compute.restrictLoadBalancerCreationForTypes

When you set the compute.restrictLoadBalancerCreationForTypes constraint, you specify the Cloud Load Balancing types that are disallowed. For a list of available types, see Restrict load balancer creation.

Setting up an organization policy

Permissions required for this task

To perform this task, you must have the following permissions:

resourcemanager.organizationAdmin role. For more information see,Access control for organizations using IAM.
To learn more about managing policies at the organization level, see Add an organization policy administrator.

Console

To set the Cloud Load Balancing organization policy from the console, complete the following steps:

In the Google Cloud Console, go to the Organization policies page.
Go to the Organization policies page
In the Filter field, type load and select constraints/compute.restrictLoadBalancerCreationForTypes.
Click Restrict Load Balancer Creation Based on Load Balancer Types.
Click Edit to edit your existing Cloud Load Balancing policy constraints.
To create a custom policy, select Customize.
After making any changes, click Save to apply the constraint settings.

gcloud

To set the OS Login organization policy, use the gcloud resource-manager org-policies enable-enforce command.

Find your organization ID.
```
gcloud organizations list
```

Create the policy file, as shown in the following examples.

List the values to be denied

{
 "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes",
 "listPolicy": {
   "deniedValues": [
     "INTERNAL_TCP_UDP",
     "INTERNAL_HTTP_HTTPS",
     "EXTERNAL_NETWORK_TCP_UDP",
     "EXTERNAL_TCP_PROXY",
     "EXTERNAL_SSL_PROXY",
     "EXTERNAL_HTTP_HTTPS"
   ]
 }
}

Deny all external load balancers

{
 "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes",
 "listPolicy": {
   "deniedValues": [
     "EXTERNAL"
   ]
 }
}

Deny all load balancers

{
  "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes",
  "listPolicy": {
    "allValues": "DENY"
  }
}

Set the constraint in your organization. Replace ORGANIZATION_ID with your organization ID.
```
gcloud resource-manager org-policies set-policy POLICY_FILE \
    --organization=ORGANIZATION_ID
```
You can also apply the OS Login organization policy to a folder or a project with the --folder or the --project flags, and the folder ID and project ID, respectively.

For folders, run the following command:
```
gcloud resource-manager org-policies set-policy POLICY_FILE \
    --folder=FOLDER_ID
```
For projects, run the following command:
```
gcloud resource-manager org-policies set-policy POLICY_FILE \
    --project=PROJECT_ID
```
Replace the following:
- FOLDER_ID: Your folder ID.
- PROJECT_ID: Your project ID.

After you set the policy, the policy is enforced when adding the respective Google Cloud forwarding rules.

The constraint is not enforced on existing Cloud Load Balancing configurations.

If you attempt to create Cloud Load Balancing of a type that violates the constraint, the attempt fails and an error message is generated. The error message has the following format:

Constraint constraints/compute.restrictLoadBalancerCreationForTypes
violated for projects/PROJECT_NAME. Forwarding Rule projects/PROJECT_NAME/region/REGION/forwardingRules/FORWARDING_RULE_NAME
of type SCHEME is not allowed.

If you set multiple restrictLoadBalancerCreationForTypes constraints at different resource levels, they are enforced hierarchically. For this reason, we recommended that you set the inheritFromParent field to true, which ensures that policies at higher layers are also considered.

To learn more about setting organization policies, including descriptions of the available options, see Creating and managing organization policies and Using constraints.

GKE error messages

If you are using Google Kubernetes Engine (GKE) Service and Ingress objects, using this org policy to restrict load balancer creation results in an error message similar to the following:

Warning  Sync    28s   loadbalancer-controller  Error during sync: error running
load balancer syncing routine: loadbalancer FORWARDING_RULE_NAME
does not exist: googleapi: Error 412:
Constraint constraints/compute.restrictLoadBalancerCreationForTypes violated for
projects/PROJECT_ID. Forwarding Rule
projects/PROJECT_ID/global/forwardingRules/FORWARDING_RULE_NAME
of type LOAD_BALANCER_TYPE is not allowed, conditionNotMet

You can view GKE error messages by running the following commands:

kubectl get events -w

kubectl describe RESOURCE_KIND NAME

Replace the following:

RESOURCE_KIND: the kind of load balancer, ingress or service
NAME: the name of the load balancer

What's next

Learn about the resource hierarchy that applies to organization policies.
See Creating and managing organization policies for instructions on working with constraints and organization policies in the Google Cloud Console.
See Using constraints for instructions on working with constraints and organization policies in gcloud.
See the Resource Manager API reference documentation for relevant API methods, such as projects.setOrgPolicy.