# Control ingress and egress traffic

Last updated 2025-08-25 UTC.

This page describes how to configure ingress and egress traffic for a VPN tunnel.

Control egress and ingress traffic to a VPN tunnel on a per-project basis.

- By default, all projects will deny incoming traffic from a VPN tunnel.
- By default, projects with data exfiltration protection enabled will deny outgoing traffic to a VPN tunnel.

Use the following directions to change the default VPN traffic egress and ingress rules for a project.

Before you begin
----------------

To configure ingress and egress traffic for a VPN tunnel, you must have the following:

- An existing VPN tunnel. For more information, see [Create a VPN tunnel](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/vpn/configure-the-tunnel).
- The necessary identity and access roles:

  - VPN Admin: has read and write permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Admin (`vpn-admin`) role.
  - VPN Viewer: has read permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Viewer (`vpn-viewer`) role.
  - Project NetworkPolicy Admin: manages project network policies in the project namespace. Ask your Organization IAM Admin to grant you the Project NetworkPolicy Admin (`project-networkpolicy-admin`) role.
  - For more information, see [Role definitions](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/role-definitions).

Configure ingress traffic
-------------------------

By default, all projects deny incoming traffic from a VPN tunnel. To enable a project to allow traffic from a VPN tunnel, use a `ProjectNetworkPolicy` object that targets the routes received over the Border Gateway Protocol (BGP) session used on the VPN tunnel. Follow these steps:

1. Retrieve all received routes from the `VPNBGPPeer` status:

       kubectl --kubeconfig MANAGEMENT_API_SERVER get -n platform vpnbgppeer VPN_BGP_PEER_NAME -ojson | jq '.status.received'

   Replace the following:

   - `MANAGEMENT_API_SERVER`: the zonal API server's kubeconfig path. If you have not yet generated a kubeconfig file for the API server in your targeted zone, see [Sign in](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in#cli) for details.
   - `VPN_BGP_PEER_NAME`: the name of your VPN BGP session.

   For more information, see [Create a VPN BGP session](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/vpn/configure-routing#create-vpn-bgp-session).

   The output looks like the following example:

       [
         {
           "prefix": "192.168.100.0/24"
         },
         {
           "prefix": "192.168.101.0/24"
         }
       ]

2. Add all of the received routes from the `VPNBGPPeer` status to a `ProjectNetworkPolicy` object in the namespace of the project:

       kubectl --kubeconfig GLOBAL_API_SERVER create -n PROJECT_NAME -f - <<EOF
       apiVersion: networking.global.gdc.goog/v1
       kind: ProjectNetworkPolicy
       metadata:
         name: allow-ingress-vpn-traffic
       spec:
         policyType: Ingress
         subject:
           subjectType: UserWorkload
         ingress:
         - from:
           - ipBlocks:
             - cidr: 192.168.100.0/24
             - cidr: 192.168.101.0/24
       EOF

   Replace the following:

   - `GLOBAL_API_SERVER`: the global API server's kubeconfig path. For more information, see [Global API server resources](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in#global-resources-kubeconfig).
   - `PROJECT_NAME`: the name of your GDC project.

Configure egress traffic
------------------------

By default, a project with data exfiltration protection enabled will deny sending traffic to the VPN.

You can allow a project to send traffic to a VPN tunnel by disabling data exfiltration protection for the project. For more information, see [Prevent data exfiltration](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/data-exfiltration#prevent-data-exfiltration).

What's next
-----------

- [Access user VMs](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/vpn/access-vm)
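The two steps under "Configure ingress traffic" copy each prefix from the `VPNBGPPeer` status into the `ProjectNetworkPolicy` by hand. The following Python script is an added example, not part of this page or of GDC's tooling: it reads the `jq '.status.received'` output from step 1 on stdin, validates and de-duplicates the prefixes with the standard `ipaddress` module, drops a default route or anything broader than an assumed `/8` floor (that threshold is an example choice, not a GDC setting), and prints the manifest from step 2 so the result can be piped into the `kubectl create -n PROJECT_NAME -f -` command. The sample input embedded in the script is constructed and only used when no data is piped in.

```python
"""Build the ingress ProjectNetworkPolicy from the routes a VPNBGPPeer received.

Added example, not GDC tooling. Intended pipeline, reusing the page's commands:

  kubectl --kubeconfig MANAGEMENT_API_SERVER get -n platform vpnbgppeer VPN_BGP_PEER_NAME -ojson \\
    | jq '.status.received' \\
    | python3 build_vpn_ingress_policy.py \\
    | kubectl --kubeconfig GLOBAL_API_SERVER create -n PROJECT_NAME -f -
"""
import ipaddress
import json
import sys

# Constructed sample in the shape of the '.status.received' output from step 1,
# padded with a duplicate, a prefix with host bits set and a default route
# so that every check below is exercised.
SAMPLE_RECEIVED = json.dumps([
    {"prefix": "192.168.100.0/24"},
    {"prefix": "192.168.101.0/24"},
    {"prefix": "192.168.100.0/24"},  # duplicate: emitted once
    {"prefix": "192.168.102.5/24"},  # host bits set: normalised to 192.168.102.0/24
    {"prefix": "0.0.0.0/0"},         # default route: rejected, it would admit every source
])

# Assumption: any advertised prefix shorter than this is too broad to allow wholesale.
# The page sets no such floor; /8 is an example value to adjust per environment.
MIN_PREFIX_LEN = 8


def select_cidrs(received_json, min_prefix_len=MIN_PREFIX_LEN):
    """Parse '.status.received' JSON; return (accepted CIDR strings, rejected (prefix, reason))."""
    accepted, rejected, seen = [], [], set()
    for entry in json.loads(received_json):
        raw = entry.get("prefix")
        if not raw:
            rejected.append((raw, "missing prefix"))
            continue
        try:
            # strict=False masks off host bits instead of raising, so "a.b.c.5/24" becomes "a.b.c.0/24"
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError as exc:
            rejected.append((raw, f"not a valid CIDR: {exc}"))
            continue
        if net.prefixlen < min_prefix_len:
            rejected.append((raw, f"prefix shorter than /{min_prefix_len}"))
            continue
        if net in seen:
            continue  # duplicate advertisement, already included
        seen.add(net)
        accepted.append(net)
    # Sort within each address family; IPv4 and IPv6 networks are not mutually comparable.
    accepted.sort(key=lambda n: (n.version, n))
    return [str(n) for n in accepted], rejected


def render_policy(cidrs, name="allow-ingress-vpn-traffic"):
    """Render the ProjectNetworkPolicy manifest from step 2 as YAML text (no PyYAML needed)."""
    if not cidrs:
        raise ValueError("no acceptable CIDRs; refusing to emit a policy with an empty allow list")
    lines = [
        "apiVersion: networking.global.gdc.goog/v1",
        "kind: ProjectNetworkPolicy",
        "metadata:",
        f"  name: {name}",
        "spec:",
        "  policyType: Ingress",
        "  subject:",
        "    subjectType: UserWorkload",
        "  ingress:",
        "  - from:",
        "    - ipBlocks:",
    ]
    lines.extend(f"      - cidr: {cidr}" for cidr in cidrs)
    return "\n".join(lines) + "\n"


def main():
    # Read the jq output when piped in; fall back to the constructed sample when run interactively.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RECEIVED
    cidrs, rejected = select_cidrs(raw)
    for prefix, reason in rejected:
        print(f"skipped {prefix!r}: {reason}", file=sys.stderr)
    sys.stdout.write(render_policy(cidrs))


if __name__ == "__main__":
    main()
```

The generated policy is a snapshot of what the peer advertised when the command ran, so re-run the pipeline after the BGP session's received routes change and diff the new manifest against the existing `allow-ingress-vpn-traffic` object before replacing it. Rejected prefixes go to stderr rather than silently into the allow list, which keeps a misconfigured or overly broad advertisement from turning into an ingress rule without anyone noticing.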