Create organization network policies

An organization network policy defines the network access control for organization-level managed services exposed through Google Distributed Cloud (GDC) air-gapped. You can define these access controls using the OrganizationNetworkPolicy resource from the Networking API.

To get the permissions you need to configure the organization network policy, ask your Organization Identity and Access Management (IAM) Admin to grant you the Org Network Policy Admin (org-network-policy-admin) role.

You can define an organization network policy for access controls for the following GDC managed services:

All services
GDC console
Distributed Cloud CLI
Global API server
Key Management Systems (KMS)
Object storage
Vertex AI
- Services within Vertex AI that a policy supports include the Optical Character Recognition API, Speech-to-Text API, Translation API, and Workbench.

Default policy

By default, the following GDC managed services have the following principles:

GDC service	Principle
All services	`allow-all`
GDC console	`allow-all`
gdcloud CLI	`allow-all`
Global API server	`deny-by-default`
KMS	`deny-by-default`
Object storage	`deny-by-default`
Vertex AI and supported services	`deny-by-default`

Example organization network policy

The following is an example of an OrganizationNetworkPolicy resource that allows traffic from an IP address to access a GDC managed service.

   kubectl --kubeconfig MANAGEMENT_API_SERVER apply -f - <<EOF
   apiVersion: networking.gdc.goog/v1
   kind: OrganizationNetworkPolicy
   metadata:
     name: POLICY_NAME
     namespace: platform
   spec:
     subject:
       services:
         matchTypes:
         - "SERVICE_NAME"
     ingress:
       - from:
         - ipBlock:
             cidr: IP_ADDRESS
         - ipBlock:
             cidr: IP_ADDRESS
   EOF

Replace the following variables:

Variable	Description
`MANAGEMENT_API_SERVER`	The zonal API server's kubeconfig path. If you have not yet generated a kubeconfig file for the API server in your targeted zone, see Sign in for details.
`POLICY_NAME`	The name to give the policy. For example, `allow-ui-access`.
`SERVICE_NAME`	The name of the service to apply the policy. Use the following values for each service: All services: `all` GDC console: `ui-console` gdcloud CLI: `api-server` Global API server: `global-api-server` KMS: `kms` Object storage: `object-storage` Vertex AI: `ai` .
`IP_ADDRESS`	The IP address to allow access. For example, `10.251.0.0/24`. You can also add multiple IP addresses by defining more than one `ipBlock` fields for each IP address.