This page provides supplemental information about organization policy constraints that apply to Cloud Load Balancing. Use organization policy constraints to enforce load balancer settings across an entire project, folder, or organization.
Use an organization policy to restrict the Cloud Load Balancing types that can be created in your organization. Set the following organization policy constraint:
constraints/compute.restrictLoadBalancerCreationForTypes
When you set the compute.restrictLoadBalancerCreationForTypes constraint, you specify the Cloud Load Balancing types that are disallowed. For a list of available types, see Restrict load balancer creation.
Setting up an organization policy
Console
To set the Cloud Load Balancing organization policy from the console, complete the following steps:
- In the Google Cloud Console, go to the Organization policies page.
- In the Filter field, type load and select constraints/compute.restrictLoadBalancerCreationForTypes.
- Click Restrict Load Balancer Creation Based on Load Balancer Types.
- Click Edit to edit your existing Cloud Load Balancing policy constraints.
- To create a custom policy, select Customize.
- After making any changes, click Save to apply the constraint settings.
gcloud
To set the Cloud Load Balancing organization policy, use the gcloud resource-manager org-policies set-policy command. (This is a list constraint; enable-enforce applies only to boolean constraints.)
Find your organization ID.
gcloud organizations list
Create the policy file, as shown in the following examples.
List the values to be denied:
{
  "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes",
  "listPolicy": {
    "deniedValues": [
      "INTERNAL_TCP_UDP",
      "INTERNAL_HTTP_HTTPS",
      "EXTERNAL_NETWORK_TCP_UDP",
      "EXTERNAL_TCP_PROXY",
      "EXTERNAL_SSL_PROXY",
      "EXTERNAL_HTTP_HTTPS"
    ]
  }
}
Deny all external load balancers:
{
  "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes",
  "listPolicy": {
    "deniedValues": [
      "EXTERNAL"
    ]
  }
}
Deny all load balancers:
{
  "constraint": "constraints/compute.restrictLoadBalancerCreationForTypes",
  "listPolicy": {
    "allValues": "DENY"
  }
}
Set the constraint in your organization. Replace ORGANIZATION_ID with your organization ID.
gcloud resource-manager org-policies set-policy POLICY_FILE \
    --organization=ORGANIZATION_ID
You can also apply the Cloud Load Balancing organization policy to a folder or a project with the --folder or the --project flags, and the folder ID and project ID, respectively.
For folders, run the following command:
gcloud resource-manager org-policies set-policy POLICY_FILE \
    --folder=FOLDER_ID
For projects, run the following command:
gcloud resource-manager org-policies set-policy POLICY_FILE \
    --project=PROJECT_ID
Replace the following:
- FOLDER_ID: your folder ID.
- PROJECT_ID: your project ID.
After you set the policy, it is enforced when the respective Google Cloud forwarding rules are created.
The constraint is not enforced on existing Cloud Load Balancing configurations: forwarding rules that already exist keep serving traffic, so audit them separately if the intent is to eliminate a load balancer type rather than only prevent new ones.
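Because the constraint only blocks new forwarding rules, the practical gap is the set of rules that already exist. The following script is an added example, not code from the Google Cloud documentation: it expands a policy file (including the EXTERNAL/INTERNAL wildcard values and allValues: DENY) into the concrete set of denied types, then classifies existing forwarding rules against it. The forwarding-rule records are constructed inline in the shape of `gcloud compute forwarding-rules list --format=json` output, and the mapping from loadBalancingScheme and target collection to the constraint's type names is an assumption made for this example, not something the page defines.

```python
"""Audit existing forwarding rules against a restrictLoadBalancerCreationForTypes policy.

Added example; not from the Google Cloud docs. The record layout (loadBalancingScheme,
target, backendService) and the scheme/target -> constraint-type mapping are assumptions.
"""
import json
from typing import Optional

# Concrete type names as listed on the page for this constraint.
ALL_TYPES = {
    "INTERNAL_TCP_UDP", "INTERNAL_HTTP_HTTPS",
    "EXTERNAL_NETWORK_TCP_UDP", "EXTERNAL_TCP_PROXY",
    "EXTERNAL_SSL_PROXY", "EXTERNAL_HTTP_HTTPS",
}


def denied_types(policy: dict) -> set:
    """Expand listPolicy into the concrete denied types.

    Handles deniedValues, the EXTERNAL / INTERNAL wildcard values, and allValues: DENY.
    """
    lp = policy.get("listPolicy", {})
    if lp.get("allValues") == "DENY":
        return set(ALL_TYPES)
    denied = set()
    for value in lp.get("deniedValues", []):
        if value in ("EXTERNAL", "INTERNAL"):
            denied |= {t for t in ALL_TYPES if t.startswith(value + "_")}
        elif value in ALL_TYPES:
            denied.add(value)
    return denied


def classify_rule(rule: dict) -> Optional[str]:
    """Map a forwarding rule to a constraint type name (assumed mapping).

    INTERNAL          -> INTERNAL_TCP_UDP (regional backend service target)
    INTERNAL_MANAGED  -> INTERNAL_HTTP_HTTPS
    EXTERNAL          -> proxy type from the target collection, else network LB
    EXTERNAL_MANAGED  -> EXTERNAL_HTTP_HTTPS (assumption)
    """
    scheme = rule.get("loadBalancingScheme")
    target = rule.get("target") or rule.get("backendService") or ""
    if scheme == "INTERNAL":
        return "INTERNAL_TCP_UDP"
    if scheme == "INTERNAL_MANAGED":
        return "INTERNAL_HTTP_HTTPS"
    if scheme == "EXTERNAL_MANAGED":
        return "EXTERNAL_HTTP_HTTPS"
    if scheme == "EXTERNAL":
        if "/targetHttpProxies/" in target or "/targetHttpsProxies/" in target:
            return "EXTERNAL_HTTP_HTTPS"
        if "/targetTcpProxies/" in target:
            return "EXTERNAL_TCP_PROXY"
        if "/targetSslProxies/" in target:
            return "EXTERNAL_SSL_PROXY"
        return "EXTERNAL_NETWORK_TCP_UDP"
    return None  # unknown scheme: report nothing rather than guess


def audit(policy: dict, rules: list) -> list:
    """Return (name, type) for existing rules the policy would have refused to create."""
    denied = denied_types(policy)
    findings = []
    for rule in rules:
        lb_type = classify_rule(rule)
        if lb_type in denied:
            findings.append((rule["name"], lb_type))
    return findings


# Constructed sample data: a "deny all external" policy and three existing rules.
POLICY = json.loads("""
{"constraint": "constraints/compute.restrictLoadBalancerCreationForTypes",
 "listPolicy": {"deniedValues": ["EXTERNAL"]}}
""")
RULES = [
    {"name": "web-fr", "loadBalancingScheme": "EXTERNAL",
     "target": "https://www.googleapis.com/compute/v1/projects/p/global/targetHttpsProxies/web"},
    {"name": "db-ilb", "loadBalancingScheme": "INTERNAL",
     "backendService": "https://www.googleapis.com/compute/v1/projects/p/regions/r/backendServices/db"},
    {"name": "legacy-netlb", "loadBalancingScheme": "EXTERNAL",
     "target": "https://www.googleapis.com/compute/v1/projects/p/regions/r/targetPools/legacy"},
]

if __name__ == "__main__":
    for name, lb_type in audit(POLICY, RULES):
        print(f"pre-existing {lb_type} forwarding rule would now be denied: {name}")
```

In practice, replace RULES with the parsed output of `gcloud compute forwarding-rules list --format=json` for each project under the resource where the policy is set; the classification stays local and needs no extra API calls.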
If you attempt to create Cloud Load Balancing of a type that violates the constraint, the attempt fails and an error message is generated. The error message has the following format:
Constraint constraints/compute.restrictLoadBalancerCreationForTypes violated for projects/PROJECT_NAME. Forwarding Rule projects/PROJECT_NAME/region/REGION/forwardingRules/FORWARDING_RULE_NAME of type SCHEME is not allowed.
If you set multiple restrictLoadBalancerCreationForTypes constraints at different resource levels, they are enforced hierarchically. For this reason, we recommend that you set the inheritFromParent field to true, which ensures that policies at higher levels are also considered.
To learn more about setting organization policies, including descriptions of the available options, see Creating and managing organization policies and Using constraints.
GKE error messages
If you are using Google Kubernetes Engine (GKE) Service and Ingress objects, using this org policy to restrict load balancer creation results in an error message similar to the following:
Warning Sync 28s loadbalancer-controller Error during sync: error running load balancer syncing routine: loadbalancer FORWARDING_RULE_NAME does not exist: googleapi: Error 412: Constraint constraints/compute.restrictLoadBalancerCreationForTypes violated for projects/PROJECT_ID. Forwarding Rule projects/PROJECT_ID/global/forwardingRules/FORWARDING_RULE_NAME of type LOAD_BALANCER_TYPE is not allowed, conditionNotMet
You can view GKE error messages by running the following commands:
kubectl get events -w
kubectl describe RESOURCE_KIND NAME
Replace the following:
- RESOURCE_KIND: the kind of load balancer, ingress or service
- NAME: the name of the load balancer
What's next
- Learn about the resource hierarchy that applies to organization policies.
- See Creating and managing organization policies for instructions on working with constraints and organization policies in the Google Cloud Console.
- See Using constraints for instructions on working with constraints and organization policies in gcloud.
- See the Resource Manager API reference documentation for relevant API methods, such as projects.setOrgPolicy.