Control ingress and egress traffic

This page describes how to configure ingress and egress traffic for a VPN tunnel.

Control egress and ingress traffic to a VPN tunnel on a per-project basis.

  • By default, every project denies incoming traffic from a VPN tunnel.
  • By default, a project with data exfiltration protection enabled denies outgoing traffic to a VPN tunnel.

Use the following directions to change the default VPN traffic egress and ingress rules for a project.

Before you begin

To configure ingress and egress traffic for a VPN tunnel, you must have the following:

  • An existing VPN tunnel. For more information, see Create a VPN tunnel.
  • The necessary identity and access roles:

    • VPN Admin: has read and write permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Admin (vpn-admin) role.
    • VPN Viewer: has read permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Viewer (vpn-viewer) role.
    • Project NetworkPolicy Admin: manages project network policies in project namespace. Ask your Organization IAM Admin to grant you the Project NetworkPolicy Admin (project-networkpolicy-admin) role.
    • For more information, see Role definitions.

Configure ingress traffic

By default, all projects deny incoming traffic from a VPN tunnel. To allow traffic from a VPN tunnel into a project, create a ProjectNetworkPolicy object in the project namespace whose ingress rule allow-lists the routes received over the Border Gateway Protocol (BGP) session used on the VPN tunnel. Follow these steps:

  1. Retrieve all received routes from the VPNBGPPeer status:

    kubectl --kubeconfig MANAGEMENT_API_SERVER get -n platform vpnbgppeer VPN_BGP_PEER_NAME -ojson | jq '.status.received'
    

    Replace the following:

    • MANAGEMENT_API_SERVER: the zonal API server's kubeconfig path. If you have not yet generated a kubeconfig file for the API server in your targeted zone, see Sign in for details.
    • VPN_BGP_PEER_NAME: the name of your VPN BGP session.

    For more information, see Create a VPN BGP session.

    The output looks like the following example:

    [
      {
        "prefix": "192.168.100.0/24"
      },
      {
        "prefix": "192.168.101.0/24"
      }
    ]
    
  2. Add all of the received routes from the VPNBGPPeer status to a ProjectNetworkPolicy object in the namespace of the project:

    kubectl --kubeconfig MANAGEMENT_API_SERVER create -n PROJECT_NAME -f - <<EOF
    apiVersion: networking.gdc.goog/v1
    kind: ProjectNetworkPolicy
    metadata:
      name: allow-ingress-vpn-traffic
    spec:
      policyType: Ingress
      subject:
        subjectType: UserWorkload
      ingress:
      - from:
        - ipBlocks:
          - cidr: 192.168.100.0/24
          - cidr: 192.168.101.0/24
    EOF
    

    Replace PROJECT_NAME with the name of your GDC project.
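    The two steps above are easy to get wrong by hand when the peer advertises many prefixes, or when the advertised set changes after the policy was written and the policy silently falls out of date. The following script is an added example, not code from the GDC documentation or from the `kubectl` tooling: it takes the `.status.received` JSON array from step 1 on stdin, validates and de-duplicates the prefixes with the standard `ipaddress` module, and prints the ProjectNetworkPolicy manifest for step 2. It refuses a received default route (`0.0.0.0/0`), because an `ipBlocks` entry of that width would allow ingress from every source, not just from the tunnel. The sample input and the `--sample` flag are constructed for illustration.

```python
"""Generate a ProjectNetworkPolicy allowing ingress from VPNBGPPeer received routes.

Added example; not part of the GDC documentation or CLI. Expected input is the
JSON array printed by:
  kubectl --kubeconfig MANAGEMENT_API_SERVER get -n platform vpnbgppeer NAME -ojson \
      | jq '.status.received'
"""
import ipaddress
import json
import sys

# Constructed sample of a `.status.received` array. The duplicate entry is
# deliberate: BGP status can repeat a prefix, and the policy should not.
SAMPLE_RECEIVED = """
[
  {"prefix": "192.168.100.0/24"},
  {"prefix": "192.168.101.0/24"},
  {"prefix": "192.168.100.0/24"}
]
"""


def extract_prefixes(received_json: str) -> list[str]:
    """Return the unique, well-formed received prefixes in canonical form.

    strict=True rejects entries with host bits set (e.g. 192.168.100.1/24), and
    a prefix length of 0 is refused outright: allow-listing 0.0.0.0/0 (or ::/0)
    would open ingress to any source, far wider than "traffic from the tunnel".
    """
    entries = json.loads(received_json)
    nets = set()
    for entry in entries:
        raw = entry.get("prefix")
        if not raw:
            raise ValueError(f"received entry without a prefix: {entry!r}")
        net = ipaddress.ip_network(raw, strict=True)  # ValueError on malformed input
        if net.prefixlen == 0:
            raise ValueError(
                f"refusing default route {net}; scope the policy to the real VPN prefixes"
            )
        nets.add(net)
    # Sort by address family first so IPv4 and IPv6 networks are never compared directly.
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def build_ingress_policy(received_json: str, name: str = "allow-ingress-vpn-traffic") -> str:
    """Render the ProjectNetworkPolicy manifest from step 2 for the received prefixes."""
    prefixes = extract_prefixes(received_json)
    if not prefixes:
        raise ValueError("no received routes; check that the BGP session is established")
    lines = [
        "apiVersion: networking.gdc.goog/v1",
        "kind: ProjectNetworkPolicy",
        "metadata:",
        f"  name: {name}",
        "spec:",
        "  policyType: Ingress",
        "  subject:",
        "    subjectType: UserWorkload",
        "  ingress:",
        "  - from:",
        "    - ipBlocks:",
    ]
    lines += [f"      - cidr: {p}" for p in prefixes]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # `--sample` is a constructed convenience flag for trying the script offline.
    data = SAMPLE_RECEIVED if "--sample" in sys.argv else sys.stdin.read()
    sys.stdout.write(build_ingress_policy(data))
```

    To use it in the procedure, pipe step 1 into the script and the script into step 2, for example `kubectl --kubeconfig MANAGEMENT_API_SERVER get -n platform vpnbgppeer VPN_BGP_PEER_NAME -ojson | jq '.status.received' | python3 gen_vpn_policy.py | kubectl --kubeconfig MANAGEMENT_API_SERVER apply -n PROJECT_NAME -f -` (the script file name is an assumption; `apply` rather than `create` lets you re-run the pipeline whenever the received routes change). Re-running it is the point: the policy only covers the prefixes that were received when it was generated, so regenerate it after the peer's advertisements change.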

Configure egress traffic

By default, a project with data exfiltration protection enabled denies traffic to the VPN tunnel.

You can allow a project to send traffic to a VPN tunnel by disabling data exfiltration protection for the project. Disabling the protection is a project-wide change rather than a rule scoped to the VPN tunnel, so review what else the project is then able to reach before you do so. For more information, see Prevent data exfiltration.

What's next