Configuring ingress and egress policies

This page explains how to configure ingress and egress policies for your VPC Service Controls perimeter.

Ingress and egress policies can be configured for existing perimeters or included when a perimeter is created.

Updating ingress and egress policies for a service perimeter

Console

  1. In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.

    Go to the VPC Service Controls page

  2. Select an existing service perimeter.

  3. Click Edit perimeter

  4. In left menu, click Ingress policy or Egress policy.

  5. Designate the required From attributes of the API client and To attributes of Google Cloud resources/services that you want.

    • For a list of egress rule attributes, see Egress rules reference. The YAML attribute reference describes the same attributes that are found in the Google Cloud console, however the Google Cloud console uses slightly different names.
  6. Click Save.

gcloud

To update a perimeter policy, run one of the following commands replacing variables with appropriate values:

gcloud access-context-manager perimeters update PERIMETER_NAME --set-ingress-policies=INGRESS-FILENAME.yaml

gcloud access-context-manager perimeters update PERIMETER_NAME --set-egress-policies=EGRESS-FILENAME.yaml

For example:

gcloud access-context-manager perimeters update my-perimeter --set-ingress-policies=my-ingress-rule.yaml

Setting ingress and egress policies during perimeter creation

Console

  1. In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.

    Go to the VPC Service Controls page

  2. Click New perimeter.

  3. In left menu, click Ingress policy or Egress policy.

  4. Click Add rule.

  5. Designate the required From attributes of the API client and To attributes of Google Cloud resources/services that you want.

    • For a list of egress rule attributes, see Egress rules reference. The YAML attribute reference describes the same attributes that are found in the Google Cloud console, however the Google Cloud console uses slightly different names.
  6. Click Create perimeter.

gcloud

Run the following command during the creation of a perimeter to create an ingress/egress policy:

gcloud access-context-manager perimeters create PERIMETER_NAME --title=TITLE --ingress-policies=INGRESS-FILENAME.yaml --restricted-services=SERVICE --resources="projects/PROJECT"

gcloud access-context-manager perimeters create PERIMETER_NAME --title=TITLE --egress-policies=-EGRESS-FILENAME.yaml --restricted-services=SERVICE --resources="projects/PROJECT"

For example:

gcloud access-context-manager perimeters create my-perimeter --title=perimeter-for-project-1 --ingress-policies=my-ingress-rule.yaml --restricted-services=storage.googelapis.com --resources="projects/myproject"