An organization network policy defines the network access control for organization-level managed services exposed through Google Distributed Cloud (GDC) air-gapped. You define these access controls using the OrganizationNetworkPolicy resource from the Networking API.
To get the permissions you need to configure the organization network policy, ask your Organization Identity and Access Management (IAM) Admin to grant you the Org Network Policy Admin (org-network-policy-admin) role.
You can define an organization network policy to control access to the following GDC managed services:
- GDC console
- Distributed Cloud CLI
- Key Management Systems (KMS)
- Object storage
- Vertex AI
  - Services within Vertex AI that a policy supports include the Optical Character Recognition API, Speech-to-Text API, Translation API, and Workbench.
Default policy
By default, the GDC managed services apply the following principles:

| GDC service | Principle |
|---|---|
| GDC console | allow-all |
| gdcloud CLI | allow-all |
| KMS | deny-by-default |
| Object storage | deny-by-default |
| Vertex AI and supported services | deny-by-default |
Example organization network policy
The following is an example of an OrganizationNetworkPolicy resource that allows traffic from an IP address to access a GDC managed service.
```shell
kubectl --kubeconfig ORG_ADMIN_CLUSTER_KUBECONFIG apply -f - <<EOF
apiVersion: networking.gdc.goog/v1
kind: OrganizationNetworkPolicy
metadata:
  name: POLICY_NAME
  namespace: platform
spec:
  subject:
    services:
      matchTypes:
      - "SERVICE_NAME"
  ingress:
  - from:
    - ipBlock:
        cidr: IP_ADDRESS
    - ipBlock:
        cidr: IP_ADDRESS
EOF
```
Replace the following variables:

| Variable | Description |
|---|---|
| ORG_ADMIN_CLUSTER_KUBECONFIG | The kubeconfig path of the org admin cluster. |
| POLICY_NAME | The name to give the policy. For example, allow-ui-access. |
| SERVICE_NAME | The name of the service to apply the policy to. Use the following values for each service: |
| IP_ADDRESS | The IP address to allow access. For example, 10.251.0.0/24. You can also allow multiple IP addresses by defining one ipBlock field for each IP address. |
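As an added example (not part of the GDC documentation or the product), the following Python helper builds the same OrganizationNetworkPolicy manifest from a list of IP addresses or CIDRs, normalizing bare host addresses to /32 and refusing a catch-all block or overlapping blocks before anything is applied. The policy name, service name and CIDRs are whatever the table above gives; the sample values in the test are constructed.

```python
import ipaddress
import json


def build_org_network_policy(name, service, cidrs):
    """Return an OrganizationNetworkPolicy manifest (as a dict) allowing
    ingress to `service` from each entry in `cidrs`, after validating them.
    The resource layout matches the example manifest on this page."""
    if not cidrs:
        raise ValueError("at least one IP address or CIDR is required")
    blocks = []
    for raw in cidrs:
        # strict=False lets a host address such as 10.251.0.5 become 10.251.0.5/32
        net = ipaddress.ip_network(raw, strict=False)
        if net.prefixlen == 0:
            # a /0 block would turn a deny-by-default service into allow-all
            raise ValueError(f"refusing catch-all block {raw}")
        for seen in blocks:
            if net.overlaps(seen):
                raise ValueError(f"{net} overlaps {seen}; merge or drop one")
        blocks.append(net)
    return {
        "apiVersion": "networking.gdc.goog/v1",
        "kind": "OrganizationNetworkPolicy",
        "metadata": {"name": name, "namespace": "platform"},
        "spec": {
            "subject": {"services": {"matchTypes": [service]}},
            "ingress": [
                {"from": [{"ipBlock": {"cidr": str(b)}} for b in blocks]}
            ],
        },
    }


def to_manifest(policy):
    # JSON is valid YAML, so the output can be piped to `kubectl apply -f -`
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # constructed sample values, not from the page
    print(to_manifest(build_org_network_policy(
        "allow-ui-access", "SERVICE_NAME", ["10.251.0.0/24", "10.251.1.7"])))
```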