This page describes how to configure ingress and egress traffic for a VPN tunnel.
Control egress and ingress traffic to a VPN tunnel on a per-project basis.
- By default, all projects will deny incoming traffic from a VPN tunnel.
- By default, projects with data exfiltration protection enabled will deny outgoing traffic to a VPN tunnel.
Use the following directions to change the default VPN traffic egress and ingress rules for a project.
Before you begin
To configure ingress and egress traffic for a VPN tunnel, you must have the following:
- An existing VPN tunnel. For more information, see Create a VPN tunnel.
The necessary identity and access roles:
- VPN Admin: has read and write permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Admin (
vpn-admin) role. - VPN Viewer: has read permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Viewer (
vpn-viewer) role. - Project NetworkPolicy Admin: manages project network policies in project namespace. Ask your Organization IAM Admin to grant you the Project NetworkPolicy Admin (
project-networkpolicy-admin) role. - For more information, see Role definitions.
- VPN Admin: has read and write permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Admin (
Configure ingress traffic
By default, all projects deny incoming traffic from a VPN tunnel. To
enable a project to allow traffic from a VPN tunnel, use a
ProjectNetworkPolicy object which targets the routes received over the Border Gateway Protocol (BGP)
session used on the VPN tunnel:
To enable a project to allow traffic from a VPN tunnel, follow thse steps:
Retrieve all received routes from the
VPNBGPPeerstatus:kubectl --kubeconfig MANAGEMENT_API_SERVER get -n platform vpnbgppeer VPN_BGP_PEER_NAME -ojson | jq '.status.received'Replace the following:
MANAGEMENT_API_SERVER: the zonal API server's kubeconfig path. If you have not yet generated a kubeconfig file for the API server in your targeted zone, see Sign in for details.VPN_BGP_PEER_NAME: the name of your VPN BGP session.
For more information, see Create a VPN BGP session.
The output looks like the following example:
[ { "prefix": "192.168.100.0/24" }, { "prefix": "192.168.101.0/24" } ]Add all of the received routes from the
VPNBGPPeerstatus to aProjectNetworkPolicyobject in the namespace of the project:kubectl --kubeconfig GLOBAL_API_SERVER create -n PROJECT_NAME -f - <<EOF apiVersion: networking.global.gdc.goog/v1 kind: ProjectNetworkPolicy metadata: name: allow-ingress-vpn-traffic spec: policyType: Ingress subject: subjectType: UserWorkload ingress: - from: - ipBlocks: - cidr: 192.168.100.0/24 - cidr: 192.168.101.0/24 EOFReplace the following:
GLOBAL_API_SERVER: the global API server's kubeconfig path. For more information, see Global API server resources.PROJECT_NAME: the name of your GDC project.
Configure egress traffic
By default, a project with data exfiltration protection enabled will deny sending traffic to the VPN.
You can allow a project to send traffic to a VPN tunnel by disabling data exfiltration protection for the project. For more information, see Prevent data exfiltration.