Restricting Cloud Interconnect usage

This document describes how to restrict the set of VPC networks that can use Cloud Interconnect.

Overview

By default, any VPC network can use Cloud Interconnect. To control which VPC networks can use Cloud Interconnect, you can set an organization policy. For general information about organization policies, see Introduction to the Organization Policy Service.

Connecting a VPC network to your on-premises network with Cloud Interconnect requires a VLAN attachment. An organization policy for restricting Cloud Interconnect usage allows or denies the creation of VLAN attachments from specified VPC networks. You can set a policy that allows or denies the creation of VLAN attachments from a specific VPC network or all VPC networks in a project, folder, or organization resource.

You can use the following constraints when defining your policy:

  • constraints/compute.restrictDedicatedInterconnectUsage
    This constraint defines the set of VPC networks that you can use when creating a VLAN attachment using Dedicated Interconnect.
  • constraints/compute.restrictPartnerInterconnectUsage
    This constraint defines the set of VPC networks that you can use when creating a VLAN attachment using Partner Interconnect.

When you set an organization policy, it only constrains the creation of new VLAN attachments. The policy does not affect previously created VLAN attachments, so a network that you deny later keeps its existing connectivity until those attachments are deleted.

If a user attempts to create a VLAN attachment that violates an organization policy, the request fails with an error. For example, running gcloud compute interconnects attachments partner create for a denied network returns the following:

ERROR: (gcloud.compute.interconnects.attachments.partner.create) Could not fetch resource:
- Constraint constraints/compute.restrictPartnerInterconnectUsage violated for projects/example-project. projects/example-project/global/networks/example-network is not allowed to use the Partner Interconnect.

Setting organization policies

This section includes example procedures for setting organization policies to restrict Cloud Interconnect usage.

For more information, including general procedures for setting organization policies, see the following:

Before you begin

You must have the orgpolicy.policyAdmin role to set organization policies. For more information, see Access control for organizations using IAM.

Setting a policy to deny a specific VPC network

To set a policy that denies a specific VPC network from using Dedicated Interconnect (to cover Partner Interconnect as well, set a second policy in the same way using constraints/compute.restrictPartnerInterconnectUsage):

  1. Find your organization ID by entering the following command:

    gcloud organizations list

    The command output looks like the following example.

    DISPLAY NAME             ID
    example-organization     29252605212
    
  2. Create a JSON file that defines your policy. The following example JSON defines a policy that prevents network-1 in project-1 from using Dedicated Interconnect.

    {
      "constraint": "constraints/compute.restrictDedicatedInterconnectUsage",
      "listPolicy": {
        "deniedValues": [
          "projects/project-1/global/networks/network-1"
        ]
      }
    }
    
  3. Use the gcloud Resource Manager set-policy command to set the organization policy:

    gcloud resource-manager org-policies set-policy JSON_FILE --organization=ORGANIZATION_ID

    Replace the following values:

    • JSON_FILE is the name of the JSON file that you created in the previous step, such as my-policy.json.

    • ORGANIZATION_ID is the ID of the organization you found previously.

Setting a policy to deny all VPC networks

To set a policy that denies all VPC networks from using Dedicated Interconnect (to cover Partner Interconnect as well, set a second policy in the same way using constraints/compute.restrictPartnerInterconnectUsage):

  1. Find your organization ID by entering the following command:

    gcloud organizations list

    The command output looks like the following example.

    DISPLAY NAME             ID
    example-organization     29252605212
    
  2. Create a JSON file that defines your policy. The following example JSON defines a policy that prevents all VPC networks from using Dedicated Interconnect.

    {
      "constraint": "constraints/compute.restrictDedicatedInterconnectUsage",
      "listPolicy": {
        "allValues": "DENY"
      }
    }
    
  3. Use the gcloud Resource Manager set-policy command to set the organization policy:

    gcloud resource-manager org-policies set-policy JSON_FILE --organization=ORGANIZATION_ID

    Replace the following values:

    • JSON_FILE is the name of the JSON file that you created in the previous step, such as my-policy.json.

    • ORGANIZATION_ID is the ID of the organization you found previously.

Setting a policy at the organization, folder, or project level

The previous examples in this section describe how to deny a specific VPC network or all VPC networks. You can also allow or deny VPC networks at the organization, project, or folder level by using the syntax described in the List constraints section of the Understanding constraints document.
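The following script ties the two procedures above and the scope options in this section together. It is an added example, not code from the original page or from Google: it generates the policy JSON for either constraint in deny or allow mode (a list of network URIs, or all networks), rejects values that are not full network URIs before they reach gcloud, applies the policy at an organization, folder, or project scope, and reads back the effective policy so that inherited policy is visible. Assumptions not in the original: python3 is available for JSON validation, DRY_RUN=1 prints the gcloud commands instead of running them, and the file name restrict_interconnect.sh is hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: build, validate and apply an
# organization policy that restricts Cloud Interconnect usage, then read the
# effective policy back. Assumed (not in the page): python3 for JSON
# validation; DRY_RUN=1 prints gcloud commands instead of running them.
set -eu

# Map a short name to the constraint the page documents.
constraint_for() {
  case "$1" in
    dedicated) echo "constraints/compute.restrictDedicatedInterconnectUsage" ;;
    partner)   echo "constraints/compute.restrictPartnerInterconnectUsage" ;;
    *) echo "unknown Interconnect type: $1 (expected dedicated|partner)" >&2; return 1 ;;
  esac
}

# write_policy TYPE MODE OUT_FILE [NETWORK_URI...]
#   TYPE: dedicated|partner   MODE: deny|allow
#   With network URIs they become deniedValues/allowedValues; with none, the
#   policy sets allValues DENY/ALLOW for every VPC network in scope.
write_policy() {
  local itype="$1" mode="$2" out="$3" constraint key all body values v
  shift 3
  constraint="$(constraint_for "$itype")" || return 1
  case "$mode" in
    deny)  key="deniedValues";  all="DENY" ;;
    allow) key="allowedValues"; all="ALLOW" ;;
    *) echo "unknown mode: $mode (expected deny|allow)" >&2; return 1 ;;
  esac
  if [ "$#" -eq 0 ]; then
    body="\"allValues\": \"$all\""
  else
    values=""
    for v in "$@"; do
      # Policy values must be full network URIs; catch bare names early.
      case "$v" in
        projects/*/global/networks/*) ;;
        *) echo "not a VPC network URI: $v" >&2; return 1 ;;
      esac
      values="${values:+$values, }\"$v\""
    done
    body="\"$key\": [$values]"
  fi
  printf '{\n  "constraint": "%s",\n  "listPolicy": {\n    %s\n  }\n}\n' \
    "$constraint" "$body" > "$out"
  # Reject malformed JSON before it ever reaches gcloud.
  if command -v python3 >/dev/null 2>&1; then
    python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$out"
  fi
}

# run_gcloud ARGS... : execute gcloud, or only print the command under DRY_RUN=1.
run_gcloud() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "gcloud $*"
  else
    gcloud "$@"
  fi
}

# apply_policy POLICY_FILE SCOPE_FLAG
#   SCOPE_FLAG: --organization=ID | --folder=ID | --project=ID
apply_policy() {
  run_gcloud resource-manager org-policies set-policy "$1" "$2"
}

# show_effective TYPE SCOPE_FLAG
#   The effective policy merges what is set at this scope with what is
#   inherited from parent resources; that merged result is what gates
#   VLAN attachment creation.
show_effective() {
  local constraint
  constraint="$(constraint_for "$1")" || return 1
  # describe takes the constraint name without the "constraints/" prefix.
  run_gcloud resource-manager org-policies describe \
    "${constraint#constraints/}" "$2" --effective
}

# Stand-alone demo: bash restrict_interconnect.sh demo (dry run by default).
if [ "${1:-}" = "demo" ]; then
  DRY_RUN="${DRY_RUN:-1}"
  f="$(mktemp)"
  write_policy dedicated deny "$f" projects/project-1/global/networks/network-1
  cat "$f"
  apply_policy "$f" --organization=29252605212
  write_policy partner deny "$f"      # a second policy is needed for Partner
  apply_policy "$f" --organization=29252605212
  show_effective partner --organization=29252605212
  rm -f "$f"
fi
```

Run it with DRY_RUN unset against a real organization only from an identity that holds orgpolicy.policyAdmin; the dry run is enough to review the generated JSON and the exact gcloud invocations first. Setting the policy at a folder or project only narrows what the organization already allows, so always check show_effective at the scope where the VLAN attachment will be created.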