Configuring ingress and egress policies

This page explains how to configure ingress and egress policies for your VPC Service Controls perimeter.

Ingress and egress policies can be configured for existing perimeters or included when a perimeter is created.

Updating ingress and egress policies for a service perimeter

Console

In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.

Go to the VPC Service Controls page
Select an existing service perimeter.
Click Edit perimeter
In left menu, click Ingress policy or Egress policy.
Designate the required From attributes of the API client and To attributes of Google Cloud resources/services that you want.
- For a list of ingress rule attributes, see Ingress rules reference.
Note: If you specify "All Sources" as the value for the ingress rule source attribute, the ingress policy allows access from any network origin.
- For a list of egress rule attributes, see Egress rules reference. The YAML attribute reference describes the same attributes that are found in the Google Cloud console, however the Google Cloud console uses slightly different names.
Click Save.

gcloud

To update a perimeter policy, run one of the following commands replacing variables with appropriate values:

gcloud access-context-manager perimeters update PERIMETER_NAME --set-ingress-policies=INGRESS-FILENAME.yaml

gcloud access-context-manager perimeters update PERIMETER_NAME --set-egress-policies=EGRESS-FILENAME.yaml

For example:

gcloud access-context-manager perimeters update my-perimeter --set-ingress-policies=my-ingress-rule.yaml

Setting ingress and egress policies during perimeter creation

Console

In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.

Go to the VPC Service Controls page
Click New perimeter.
In left menu, click Ingress policy or Egress policy.
Click Add rule.
Designate the required From attributes of the API client and To attributes of Google Cloud resources/services that you want.
- For a list of ingress rule attributes, see Ingress rules reference.
Note: If you specify "All Sources" as the value for the ingress rule source attribute, the ingress policy allows access from any network origin.
- For a list of egress rule attributes, see Egress rules reference. The YAML attribute reference describes the same attributes that are found in the Google Cloud console, however the Google Cloud console uses slightly different names.
Click Create perimeter.

gcloud

Run the following command during the creation of a perimeter to create an ingress/egress policy:

gcloud access-context-manager perimeters create PERIMETER_NAME --title=TITLE --ingress-policies=INGRESS-FILENAME.yaml --restricted-services=SERVICE --resources="projects/PROJECT"

gcloud access-context-manager perimeters create PERIMETER_NAME --title=TITLE --egress-policies=-EGRESS-FILENAME.yaml --restricted-services=SERVICE --resources="projects/PROJECT"

For example:

gcloud access-context-manager perimeters create my-perimeter --title=perimeter-for-project-1 --ingress-policies=my-ingress-rule.yaml --restricted-services=storage.googelapis.com --resources="projects/myproject"