This page describes how to configure ingress and egress traffic for a VPN tunnel.
Control egress and ingress traffic to a VPN tunnel on a per-project basis.
- By default, all projects will deny incoming traffic from a VPN tunnel.
- By default, projects with data exfiltration protection enabled will deny outgoing traffic to a VPN tunnel.
Use the following directions to change the default VPN traffic egress and ingress rules for a project.
Before you begin
To configure ingress and egress traffic for a VPN tunnel, you must have the following:
- An existing VPN tunnel. For more information, see Create a VPN tunnel.
- The necessary identity and access roles:
  - VPN Admin: has read and write permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Admin (vpn-admin) role.
  - VPN Viewer: has read permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Viewer (vpn-viewer) role.
  - Project NetworkPolicy Admin: manages project network policies in the project namespace. Ask your Organization IAM Admin to grant you the Project NetworkPolicy Admin (project-networkpolicy-admin) role.
  For more information, see Role definitions.
Configure ingress traffic
By default, all projects deny incoming traffic from a VPN tunnel. To enable a project to allow traffic from a VPN tunnel, use a ProjectNetworkPolicy object that targets the routes received over the Border Gateway Protocol (BGP) session used on the VPN tunnel. Follow these steps:
1. Retrieve all received routes from the VPNBGPPeer status:

   kubectl --kubeconfig MANAGEMENT_API_SERVER get -n platform vpnbgppeer VPN_BGP_PEER_NAME -ojson | jq '.status.received'
   Replace the following:
   - MANAGEMENT_API_SERVER: the zonal API server's kubeconfig path. If you have not yet generated a kubeconfig file for the API server in your targeted zone, see Sign in for details.
   - VPN_BGP_PEER_NAME: the name of your VPN BGP session. For more information, see Create a VPN BGP session.
   The output looks like the following example:

   [
     {
       "prefix": "192.168.100.0/24"
     },
     {
       "prefix": "192.168.101.0/24"
     }
   ]
2. Add all of the received routes from the VPNBGPPeer status to a ProjectNetworkPolicy object in the namespace of the project:

   kubectl --kubeconfig MANAGEMENT_API_SERVER create -n PROJECT_NAME -f - <<EOF
   apiVersion: networking.gdc.goog/v1
   kind: ProjectNetworkPolicy
   metadata:
     name: allow-ingress-vpn-traffic
   spec:
     policyType: Ingress
     subject:
       subjectType: UserWorkload
     ingress:
     - from:
       - ipBlocks:
         - cidr: 192.168.100.0/24
         - cidr: 192.168.101.0/24
   EOF
   Replace PROJECT_NAME with the name of your GDC project.
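The two steps above can be chained: the received prefixes from the VPNBGPPeer status become the ipBlocks entries of the ProjectNetworkPolicy. The following Python script is an added example (not part of this page or of the GDC tooling) that parses the `jq '.status.received'` output, validates and de-duplicates the prefixes, and renders the manifest to pipe into `kubectl create -n PROJECT_NAME -f -`. The sample input is constructed, and the refusal of a default route is this example's own safeguard, not a rule stated on this page.

```python
import ipaddress
import json

# Constructed sample of `jq '.status.received'` output, modelled on the
# example on this page (not captured from a real cluster). The third entry
# is a duplicate announcement and must appear in the policy only once.
SAMPLE_RECEIVED = json.dumps([
    {"prefix": "192.168.100.0/24"},
    {"prefix": "192.168.101.0/24"},
    {"prefix": "192.168.100.0/24"},
])


def received_cidrs(received_json: str) -> list[str]:
    """Parse the VPNBGPPeer .status.received list into validated, unique CIDRs.

    Each prefix must be a well-formed network (host bits zero). A default
    route (0.0.0.0/0 or ::/0) is refused: allowing it would admit ingress
    from every address reachable over the tunnel rather than from the
    specific routes the peer announced. (Assumption of this example.)
    """
    seen: list[str] = []
    for entry in json.loads(received_json):
        net = ipaddress.ip_network(entry["prefix"], strict=True)
        if net.prefixlen == 0:
            raise ValueError(f"refusing default route {net} in received prefixes")
        if str(net) not in seen:
            seen.append(str(net))
    return seen


def ingress_policy_yaml(cidrs: list[str], name: str = "allow-ingress-vpn-traffic") -> str:
    """Render the ProjectNetworkPolicy manifest shown on this page, one ipBlocks entry per CIDR."""
    if not cidrs:
        raise ValueError("no received routes: nothing to allow")
    lines = [
        "apiVersion: networking.gdc.goog/v1",
        "kind: ProjectNetworkPolicy",
        "metadata:",
        f"  name: {name}",
        "spec:",
        "  policyType: Ingress",
        "  subject:",
        "    subjectType: UserWorkload",
        "  ingress:",
        "  - from:",
        "    - ipBlocks:",
    ]
    lines += [f"      - cidr: {c}" for c in cidrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(ingress_policy_yaml(received_cidrs(SAMPLE_RECEIVED)), end="")
```

The rendered manifest carries no namespace, so the project is selected by `-n PROJECT_NAME` on the kubectl command, exactly as in step 2.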
Configure egress traffic
By default, a project with data exfiltration protection enabled denies outgoing traffic to the VPN tunnel.
You can allow a project to send traffic to a VPN tunnel by disabling data exfiltration protection for that project. For more information, see Prevent data exfiltration.