Control ingress and egress traffic

This page describes how to configure ingress and egress traffic for a VPN tunnel.

Control egress and ingress traffic to a VPN tunnel on a per-project basis.

• By default, all projects will deny incoming traffic from a VPN tunnel.
• By default, projects with data exfiltration protection enabled will deny outgoing traffic to a VPN tunnel.

Use the following directions to change the default VPN traffic egress and ingress rules for a project.

Before you begin

To configure ingress and egress traffic for a VPN tunnel, you must have the following:

• An existing VPN tunnel. For more information, see Create a VPN tunnel.

• The necessary identity and access roles:

  • VPN Admin: has read and write permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Admin (vpn-admin) role.
  • VPN Viewer: has read permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Viewer (vpn-viewer) role.
  • Project NetworkPolicy Admin: manages project network policies in project namespace. Ask your Organization IAM Admin to grant you the Project NetworkPolicy Admin (project-networkpolicy-admin) role.
  • For more information, see Role definitions.

Configure ingress traffic

By default, all projects deny incoming traffic from a VPN tunnel. To enable a project to allow traffic from a VPN tunnel, use a ProjectNetworkPolicy object which targets the routes received over the Border Gateway Protocol (BGP) session used on the VPN tunnel:

To enable a project to allow traffic from a VPN tunnel, follow thse steps:

1. Retrieve all received routes from the VPNBGPPeer status:

   kubectl --kubeconfig MANAGEMENT_API_SERVER get -n platform vpnbgppeer VPN_BGP_PEER_NAME -ojson | jq '.status.received'
   

   Replace the following:

   • MANAGEMENT_API_SERVER: the zonal API server's kubeconfig path. If you have not yet generated a kubeconfig file for the API server in your targeted zone, see Sign in for details.
   • VPN_BGP_PEER_NAME: the name of your VPN BGP session.

   For more information, see Create a VPN BGP session.

   The output looks like the following example:

   [
     {
       "prefix": "192.168.100.0/24"
     },
     {
       "prefix": "192.168.101.0/24"
     }
   ]
   

2. Add all of the received routes from the VPNBGPPeer status to a ProjectNetworkPolicy object in the namespace of the project:

   kubectl --kubeconfig MANAGEMENT_API_SERVER create -n PROJECT_NAME -f - <<EOF
   apiVersion: networking.gdc.goog/v1
   kind: ProjectNetworkPolicy
   metadata:
     name: allow-ingress-vpn-traffic
   spec:
     policyType: Ingress
     subject:
       subjectType: UserWorkload
     ingress:
     - from:
       - ipBlocks:
         - cidr: 192.168.100.0/24
         - cidr: 192.168.101.0/24
   

   Replace PROJECT_NAME with the name of your GDC project.

Configure egress traffic

By default, a project with data exfiltration protection enabled will deny sending traffic to the VPN.

You can allow a project to send traffic to a VPN tunnel by disabling data exfiltration protection for the project. For more information, see Prevent data exfiltration.

What's next

• Access user VMs