Stay organized with collections
Save and categorize content based on your preferences.
By default, a database cluster only allows connections from within the
user cluster and the same project. To allow
connections from workloads in another project to all database clusters in your
project:
Console
Sign in to the GDC console with an account bound to the
project-networkpolicy-admin role to create firewall rules.
From the main menu of the GDC console, choose Firewall.
In the User created rules section, click Create.
In Firewall rule details, create a name for your firewall rule.
In the Direction of traffic dialog, choose INGRESS.
In the Target dialog, choose Service and then select dbs.
In the From dialog, choose Another project and select the
project ID from which you would like to allow connectivity.
Click Create.
Wait for the Status column of the new rule to show Ready.
API
Create a ProjectNetworkPolicy resource to allow connections from a client
project.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Enable cross-project connections\n\nBy default, a database cluster only allows connections from within the\n[user cluster](/distributed-cloud/hosted/docs/latest/gdch/resources/resource-hierarchy#cluster) and the same project. To allow\nconnections from workloads in another project to all database clusters in your\nproject: \n\n### Console\n\n1. Sign in to the GDC console with an account bound to the `project-networkpolicy-admin` role to create firewall rules.\n2. From the main menu of the GDC console, choose **Firewall**.\n3. In the **User created rules** section, click **Create**.\n4. In **Firewall rule details**, create a name for your firewall rule.\n5. In the **Direction of traffic** dialog, choose **INGRESS**.\n6. In the **Target** dialog, choose **Service** and then select **dbs**.\n7. In the **From** dialog, choose **Another project** and select the project ID from which you would like to allow connectivity.\n8. Click **Create**.\n9. Wait for the **Status** column of the new rule to show **Ready**.\n\n### API\n\nCreate a `ProjectNetworkPolicy` resource to allow connections from a client\nproject. \n\n apiVersion: networking.gdc.goog/v1\n kind: ProjectNetworkPolicy\n metadata:\n name: dbs-allow-from-\u003cvar translate=\"no\"\u003eCLIENT_PROJECT\u003c/var\u003e\n namespace: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eUSER_PROJECT\u003c/span\u003e\u003c/var\u003e\n spec:\n subject:\n managedServices:\n matchTypes:\n - dbs\n subjectType: ManagedService\n ingress:\n - from:\n - projects:\n matchNames:\n - \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eCLIENT_PROJECT\u003c/span\u003e\u003c/var\u003e\n policyType: Ingress\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eCLIENT_PROJECT\u003c/var\u003e: the name of the project from which you would like to allow connectivity.\n- \u003cvar translate=\"no\"\u003eUSER_PROJECT\u003c/var\u003e: the name of the user project where the database cluster was created."]]
