# Overview of Networking API

Last updated 2025-08-29 UTC.

The Networking API uses Kubernetes custom resources and relies on
the Kubernetes Resource Model (KRM).

Create and manage networking in Google Distributed Cloud (GDC) air-gapped through the Networking API using the `kubectl` CLI.

Service endpoint
----------------

The Networking APIs are provided in two packages depending on zonal deployment
or global deployment.

The API endpoints for the zonal and global Networking APIs are the following,
respectively:

- `https://MANAGEMENT_API_SERVER_ENDPOINT/apis/networking.gdc.goog/v1`
- `https://MANAGEMENT_API_SERVER_ENDPOINT/apis/networking.global.gdc.goog/v1`

Replace `MANAGEMENT_API_SERVER_ENDPOINT` with the endpoint of the
Management API server.

Discovery document
------------------

Use the `kubectl proxy --port=8001` command to open a proxy to the API server on
your local machine. From there, you can access the discovery document at
the following URLs:

- `http://127.0.0.1:8001/apis/networking.gdc.goog/v1`
- `http://127.0.0.1:8001/apis/networking.global.gdc.goog/v1`

Example ingress cross-project traffic policy
--------------------------------------------

The following is an example of a `ProjectNetworkPolicy` object that enables workloads in the `project-1` project to permit connections from workloads in the `project-2` project, as well as the return traffic for the same flows:

    apiVersion: networking.gdc.goog/v1
    kind: ProjectNetworkPolicy
    metadata:
      namespace: project-1
      name: allow-ingress-traffic-from-project-2
    spec:
      policyType: Ingress
      subject:
        subjectType: UserWorkload
      ingress:
      - from:
        - projects:
            matchNames:
            - project-2
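A review check for policies of this shape, as an added example that is not part of the original page or of GDC tooling: it reads `ProjectNetworkPolicy` manifests, lists each cross-project ingress flow they allow, and reports the flows missing from an approved list. The `APPROVED` allowlist, the second policy and `project-9` are constructed for illustration, and only the fields shown in the example above are read.

```python
import json

# Constructed sample input: the page's example policy plus one constructed
# policy that admits a project nobody approved.
SAMPLE_POLICIES = json.loads("""
[
  {"apiVersion": "networking.gdc.goog/v1", "kind": "ProjectNetworkPolicy",
   "metadata": {"namespace": "project-1",
                "name": "allow-ingress-traffic-from-project-2"},
   "spec": {"policyType": "Ingress",
            "subject": {"subjectType": "UserWorkload"},
            "ingress": [{"from": [{"projects": {"matchNames": ["project-2"]}}]}]}},
  {"apiVersion": "networking.gdc.goog/v1", "kind": "ProjectNetworkPolicy",
   "metadata": {"namespace": "project-1", "name": "constructed-extra-policy"},
   "spec": {"policyType": "Ingress",
            "subject": {"subjectType": "UserWorkload"},
            "ingress": [{"from": [{"projects": {"matchNames": ["project-9"]}}]}]}}
]
""")

# Hypothetical reviewer-maintained allowlist: destination -> approved sources.
APPROVED = {"project-1": {"project-2"}}


def ingress_edges(policies):
    """Yield (source_project, destination_project, policy_name) per allowed flow."""
    for pol in policies:
        if pol.get("kind") != "ProjectNetworkPolicy":
            continue  # ignore unrelated objects in a mixed manifest list
        spec = pol.get("spec") or {}
        if spec.get("policyType") != "Ingress":
            continue
        meta = pol.get("metadata") or {}
        # The policy's namespace is the destination project, as in the page's example.
        for rule in spec.get("ingress") or []:
            for peer in rule.get("from") or []:
                for src in (peer.get("projects") or {}).get("matchNames") or []:
                    yield src, meta.get("namespace"), meta.get("name")


def unapproved_edges(policies, approved):
    """Return the cross-project ingress flows that the allowlist does not cover."""
    return [(src, dst, name) for src, dst, name in ingress_edges(policies)
            if src not in approved.get(dst, set())]


if __name__ == "__main__":
    for src, dst, name in unapproved_edges(SAMPLE_POLICIES, APPROVED):
        print(f"UNAPPROVED {src} -> {dst} (policy {name})")
```
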