This page explains how to configure ingress and egress policies for your VPC Service Controls perimeter.
Ingress and egress policies can be configured for existing perimeters or included when a perimeter is created.
Updating ingress and egress policies for a service perimeter
Console
In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.
Select an existing service perimeter.
Click Edit perimeter.
In the left menu, click Ingress policy or Egress policy.
Designate the required From attributes of the API client and To attributes of Google Cloud resources/services that you want.
- For a list of ingress rule attributes, see Ingress rules reference.
- For a list of egress rule attributes, see Egress rules reference. The YAML attribute reference describes the same attributes that are found in the Google Cloud console; however, the Google Cloud console uses slightly different names.
Click Save.
gcloud
To update a perimeter policy, run one of the following commands, replacing the variables with appropriate values:
gcloud access-context-manager perimeters update PERIMETER_NAME --set-ingress-policies=INGRESS-FILENAME.yaml
gcloud access-context-manager perimeters update PERIMETER_NAME --set-egress-policies=EGRESS-FILENAME.yaml
For example:
gcloud access-context-manager perimeters update my-perimeter --set-ingress-policies=my-ingress-rule.yaml
Setting ingress and egress policies during perimeter creation
Console
In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.
Click New perimeter.
In the left menu, click Ingress policy or Egress policy.
Click Add rule.
Designate the required From attributes of the API client and To attributes of Google Cloud resources/services that you want.
- For a list of ingress rule attributes, see Ingress rules reference.
- For a list of egress rule attributes, see Egress rules reference. The YAML attribute reference describes the same attributes that are found in the Google Cloud console; however, the Google Cloud console uses slightly different names.
Click Create perimeter.
gcloud
Run one of the following commands when creating a perimeter to include an ingress or egress policy, replacing the variables with appropriate values:
gcloud access-context-manager perimeters create PERIMETER_NAME --title=TITLE --ingress-policies=INGRESS-FILENAME.yaml --restricted-services=SERVICE --resources="projects/PROJECT"
gcloud access-context-manager perimeters create PERIMETER_NAME --title=TITLE --egress-policies=EGRESS-FILENAME.yaml --restricted-services=SERVICE --resources="projects/PROJECT"
For example:
gcloud access-context-manager perimeters create my-perimeter --title=perimeter-for-project-1 --ingress-policies=my-ingress-rule.yaml --restricted-services=storage.googleapis.com --resources="projects/myproject"
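The file passed as INGRESS-FILENAME.yaml in both the update and create commands above is a list of ingress rules; the following is an added illustration of one such file (not taken from this page), written to follow least privilege by naming one caller, one access level and one Cloud Storage method. The access policy number, access level name, project number and service account address are placeholders to be substituted.

```yaml
# my-ingress-rule.yaml: example content for the INGRESS-FILENAME.yaml argument.
# Added illustration; POLICY_NUMBER, ACCESS_LEVEL_NAME, PROJECT_ID and
# PROJECT_NUMBER are placeholders to substitute, not values from the page.
- ingressFrom:
    # Who may call into the perimeter: one specific service account, and only
    # when the request also satisfies the named access level (for example, a
    # corporate IP range). Omitting both would match any identity, so keep
    # the list as narrow as the workload allows.
    identities:
    - serviceAccount:pipeline-reader@PROJECT_ID.iam.gserviceaccount.com
    sources:
    - accessLevel: accessPolicies/POLICY_NUMBER/accessLevels/ACCESS_LEVEL_NAME
  ingressTo:
    # What that caller may reach: only object reads on Cloud Storage, and only
    # for resources in this project. Adding more methodSelectors or resources
    # widens the hole in the perimeter, so each entry should be justified.
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: google.storage.objects.get
    resources:
    - projects/PROJECT_NUMBER
```

An egress rule file uses the same shape with egressFrom and egressTo in place of ingressFrom and ingressTo; after applying either, confirm the effect by checking the VPC Service Controls audit log entries for the service and method you expect to be allowed and for requests that should still be blocked.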