Stay organized with collections
Save and categorize content based on your preferences.
An organization network policy defines the network access control for
organization-level managed services exposed through Google Distributed Cloud (GDC) air-gapped. You can define these access controls using the
OrganizationNetworkPolicy
resource from the
Networking API.
To get the permissions you need to configure the organization network policy,
ask your Organization Identity and Access Management (IAM) Admin to grant you the Org
Network Policy Admin (org-network-policy-admin) role.
You can define an organization network policy for access controls for the
following GDC managed services:
The zonal API server's kubeconfig path. If you have not yet generated a kubeconfig file for the API server in your targeted zone, see Sign in for details.
POLICY_NAME
The name to give the policy.
For example, allow-ui-access.
SERVICE_NAME
The name of the service to apply the policy. Use the following values for each service:
All services: all
GDC console: ui-console
gdcloud CLI: api-server
Global API server: global-api-server
KMS: kms
Object storage: object-storage
Vertex AI: ai
.
IP_ADDRESS
The IP address to allow access. For example, 10.251.0.0/24. You can also add multiple IP addresses by defining more than one ipBlock fields for each IP address.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eAn Organization Network Policy in Google Distributed Cloud (GDC) air-gapped defines network access controls for organization-level managed services, managed via the \u003ccode\u003eOrganizationNetworkPolicy\u003c/code\u003e resource in the Networking API.\u003c/p\u003e\n"],["\u003cp\u003eThe Org Network Policy Admin (\u003ccode\u003eorg-network-policy-admin\u003c/code\u003e) role is required to configure the organization network policy.\u003c/p\u003e\n"],["\u003cp\u003eGDC managed services such as the GDC console, Distributed Cloud CLI, Global API server, KMS, Object storage, and Vertex AI can have organization network policies defined for them.\u003c/p\u003e\n"],["\u003cp\u003eBy default, the Global API server, KMS, Object storage, and Vertex AI services have a \u003ccode\u003edeny-by-default\u003c/code\u003e principle, while other services like GDC console and the Distributed Cloud CLI are \u003ccode\u003eallow-all\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eAn \u003ccode\u003eOrganizationNetworkPolicy\u003c/code\u003e resource example is provided that demonstrates how to allow traffic from specified IP addresses to access a designated GDC managed service, using variables like \u003ccode\u003eMANAGEMENT_API_SERVER\u003c/code\u003e, \u003ccode\u003ePOLICY_NAME\u003c/code\u003e, \u003ccode\u003eSERVICE_NAME\u003c/code\u003e, and \u003ccode\u003eIP_ADDRESS\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Create organization network policies\n\nAn organization network policy defines the network access control for\norganization-level managed services exposed through Google Distributed Cloud (GDC) air-gapped. You can define these access controls using the\n[`OrganizationNetworkPolicy`](/distributed-cloud/hosted/docs/latest/gdch/apis/service/networking/v1/networking-v1#organizationnetworkpolicy)\nresource from the\n[Networking API](/distributed-cloud/hosted/docs/latest/gdch/apis/service/networking/networking-api-overview).\n\nTo get the permissions you need to configure the organization network policy,\nask your Organization Identity and Access Management (IAM) Admin to grant you the Org\nNetwork Policy Admin (`org-network-policy-admin`) role.\n\nYou can define an organization network policy for access controls for the\nfollowing GDC managed services:\n\n- All services\n- GDC console\n- [Distributed Cloud CLI](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-overview)\n- [Global API server](/distributed-cloud/hosted/docs/latest/gdch/resources/multi-zone/api-servers)\n- [Key Management Systems (KMS)](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/kms/kms)\n- [Object storage](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/storage#object_storage)\n- [Vertex AI](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/vertex-pre-trained-apis)\n - Services within Vertex AI that a policy supports include the [Optical Character Recognition API](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/quickstart-ocr), [Speech-to-Text API](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/quickstart-stt), [Translation API](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/quickstart-translation), and [Workbench](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/vertex-ai-workbench-intro).\n\nDefault policy\n--------------\n\nBy default, the following GDC managed services have\nthe following principles:\n\nExample organization network policy\n-----------------------------------\n\nThe following is an example of an `OrganizationNetworkPolicy` resource that\nallows traffic from an IP address to access a GDC\nmanaged service. \n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e apply -f - \u003c\u003cEOF\n apiVersion: networking.gdc.goog/v1\n kind: OrganizationNetworkPolicy\n metadata:\n name: \u003cvar translate=\"no\"\u003ePOLICY_NAME\u003c/var\u003e\n namespace: platform\n spec:\n subject:\n services:\n matchTypes:\n - \"\u003cvar translate=\"no\"\u003eSERVICE_NAME\u003c/var\u003e\"\n ingress:\n - from:\n - ipBlock:\n cidr: \u003cvar translate=\"no\"\u003eIP_ADDRESS\u003c/var\u003e\n - ipBlock:\n cidr: \u003cvar translate=\"no\"\u003eIP_ADDRESS\u003c/var\u003e\n EOF\n\nReplace the following variables:"]]
