Google Cloud 機構政策可讓您透過程式以集中方式控管機構資源。身為機構政策管理員,您可以定義機構政策,也就是一組稱為限制的限制,適用於 Google Cloud 資源階層中的Google Cloud 資源和這些資源的子系。您可以在機構、資料夾或專案層級強制執行機構政策。
機構政策為各種Google Cloud 服務提供預先定義的限制。不過,如果您想進一步控管貴機構政策中受限制的特定欄位,並且進一步細微控管這些欄位,也可以建立自訂限制,並在自訂機構政策中使用這些自訂限制。
下列負載平衡器元件支援自訂限制:
Compute Engine 資源 (例如執行個體群組) 和 VPC 資源 (例如VPC 網路和子網路) 也支援自訂限制。
優點
- 成本管理:使用自訂機構政策限制健康狀態檢查探測頻率。
安全性、法規遵循和治理:您可以使用自訂機構政策來強制執行政策。例如:
- 強制使用特定健康狀態檢查通訊協定或通訊埠範圍
- 如要禁止特定後端流量通訊協定
- 要求後端值區必須啟用 Cloud CDN
- 要求轉送規則使用特定網路服務級別
Cloud Load Balancing 支援的資源
針對 Cloud Load Balancing,您可以針對下列資源和欄位設定自訂限制。
後端值區
後端資料集:compute.googleapis.com/BackendBucket
resource.nameresource.descriptionresource.bucketNameresource.enableCdnresource.cdnPolicyresource.cdnPolicy.bypassCacheOnRequestHeadersresource.cdnPolicy.bypassCacheOnRequestHeaders.headerName
resource.cdnPolicy.cacheKeyPolicyresource.cdnPolicy.cacheKeyPolicy.includeHttpHeadersresource.cdnPolicy.cacheKeyPolicy.queryStringWhitelistresource.cdnPolicy.signedUrlCacheMaxAgeSec
resource.compressionModeresource.customResponseHeaders
後端服務
後端服務:compute.googleapis.com/BackendService
resource.nameresource.descriptionresource.portresource.portNameresource.protocolresource.backendsresource.backends.balancingModeresource.backends.capacityScalerresource.backends.descriptionresource.backends.failoverresource.backends.maxConnectionsresource.backends.maxConnectionsPerEndpointresource.backends.maxConnectionsPerInstanceresource.backends.maxRateresource.backends.maxRatePerEndpointresource.backends.maxRatePerInstanceresource.backends.maxUtilizationresource.backends.preference
resource.enableCDNresource.cdnPolicyresource.cdnPolicy.bypassCacheOnRequestHeadersresource.cdnPolicy.bypassCacheOnRequestHeaders.headerName
resource.cdnPolicy.cacheKeyPolicyresource.cdnPolicy.cacheKeyPolicy.includeHostresource.cdnPolicy.cacheKeyPolicy.includeHttpHeadersresource.cdnPolicy.cacheKeyPolicy.includeNamedCookiesresource.cdnPolicy.cacheKeyPolicy.includeProtocolresource.cdnPolicy.cacheKeyPolicy.includeQueryStringresource.cdnPolicy.cacheKeyPolicy.queryStringBlacklistresource.cdnPolicy.cacheKeyPolicy.queryStringWhitelist
resource.cdnPolicy.cacheModeresource.cdnPolicy.clientTtlresource.cdnPolicy.defaultTtlresource.cdnPolicy.maxTtlresource.cdnPolicy.negativeCachingresource.cdnPolicy.negativeCachingPolicyresource.cdnPolicy.negativeCachingPolicy.coderesource.cdnPolicy.negativeCachingPolicy.ttl
resource.cdnPolicy.requestCoalescingresource.cdnPolicy.serveWhileStaleresource.cdnPolicy.signedUrlCacheMaxAgeSec
resource.circuitBreakersresource.circuitBreakers.maxConnectionsresource.circuitBreakers.maxPendingRequestsresource.circuitBreakers.maxRequestsresource.circuitBreakers.maxRequestsPerConnectionresource.circuitBreakers.maxRetries
resource.compressionModeresource.connectionDrainingresource.connectionDraining.drainingTimeoutSec
resource.connectionTrackingPolicyresource.connectionTrackingPolicy.connectionPersistenceOnUnhealthyBackendsresource.connectionTrackingPolicy.enableStrongAffinityresource.connectionTrackingPolicy.idleTimeoutSecresource.connectionTrackingPolicy.trackingMode
resource.consistentHashresource.consistentHash.httpCookieresource.consistentHash.httpCookie.nameresource.consistentHash.httpCookie.pathresource.consistentHash.httpCookie.ttlresource.consistentHash.httpCookie.ttl.nanosresource.consistentHash.httpCookie.ttl.seconds
resource.consistentHash.minimumRingSize
resource.customRequestHeadersresource.customResponseHeadersresource.affinityCookieTtlSecresource.failoverPolicyresource.failoverPolicy.disableConnectionDrainOnFailoverresource.failoverPolicy.dropTrafficIfUnhealthyresource.failoverPolicy.failoverRatio
resource.iapresource.iap.enabledresource.iap.oauth2ClientId
resource.ipAddressSelectionPolicyresource.loadBalancingSchemeresource.localityLbPoliciesresource.localityLbPolicies.customPolicyresource.localityLbPolicies.customPolicy.dataresource.localityLbPolicies.customPolicy.nameresource.localityLbPolicies.policyresource.localityLbPolicies.policy.name
resource.logConfigresource.logConfig.enableresource.logConfig.optionalFieldsresource.logConfig.optionalModeresource.logConfig.sampleRate
resource.maxStreamDurationresource.maxStreamDuration.nanosresource.maxStreamDuration.seconds
resource.outlierDetectionresource.outlierDetection.baseEjectionTimeresource.outlierDetection.baseEjectionTime.nanosresource.outlierDetection.baseEjectionTime.secondsresource.outlierDetection.consecutiveGatewayFailureresource.outlierDetection.enforcingConsecutiveErrorsresource.outlierDetection.enforcingConsecutiveGatewayFailureresource.outlierDetection.enforcingSuccessRateresource.outlierDetection.maxEjectionPercentresource.outlierDetection.successRateMinimumHostsresource.outlierDetection.successRateRequestVolumeresource.outlierDetection.successRateStdevFactor
resource.securitySettingsresource.securitySettings.awsV4Authenticationresource.securitySettings.awsV4Authentication.accessKeyIdresource.securitySettings.awsV4Authentication.accessKeyVersionresource.securitySettings.subjectAltNames
resource.sessionAffinityresource.subsettingresource.subsetting.policy
resource.timeoutSecresource.strongSessionAffinityCookieresource.strongSessionAffinityCookie.nameresource.strongSessionAffinityCookie.pathresource.strongSessionAffinityCookie.ttlresource.strongSessionAffinityCookie.ttl.nanosresource.strongSessionAffinityCookie.ttl.seconds
轉送規則
轉送規則:compute.googleapis.com/ForwardingRule
resource.nameresource.descriptionresource.allowGlobalAccessresource.allowPscGlobalAccessresource.allPortsresource.IPProtocolresource.ipVersionresource.isMirroringCollectorresource.loadBalancingSchemeresource.metadataFiltersresource.metadataFilters.filterLabelsresource.metadataFilters.filterLabels.nameresource.metadataFilters.filterLabels.valueresource.metadataFilters.filterMatchCriteria
resource.networkTierresource.noAutomateDnsZoneresource.portRangeresource.portsresource.serviceDirectoryRegistrationsresource.serviceDirectoryRegistrations.namespaceresource.serviceDirectoryRegistrations.serviceresource.serviceDirectoryRegistrations.serviceDirectoryRegion
resource.serviceLabelresource.sourceIpRanges
健康狀態檢查
健康狀態檢查:compute.googleapis.com/HealthCheck
resource.nameresource.descriptionresource.checkIntervalSecresource.timeoutSecresource.unhealthyThresholdresource.healthyThresholdresource.type- TCP 健康狀態檢查:
resource.tcpHealthCheck.portresource.tcpHealthCheck.requestresource.tcpHealthCheck.responseresource.tcpHealthCheck.proxyHeaderresource.tcpHealthCheck.portSpecification
- SSL 健康狀態檢查:
resource.sslHealthCheck.portresource.sslHealthCheck.requestresource.sslHealthCheck.responseresource.sslHealthCheck.proxyHeaderresource.sslHealthCheck.portSpecification
- HTTP 健康狀態檢查:
resource.httpHealthCheck.portresource.httpHealthCheck.hostresource.httpHealthCheck.requestPathresource.httpHealthCheck.proxyHeaderresource.httpHealthCheck.responseresource.httpHealthCheck.portSpecification
- HTTPS 健康狀態檢查:
resource.httpsHealthCheck.portresource.httpsHealthCheck.hostresource.httpsHealthCheck.requestPathresource.httpsHealthCheck.proxyHeaderresource.httpsHealthCheck.responseresource.httpsHealthCheck.portSpecification
- HTTP/2 健康狀態檢查:
resource.http2HealthCheck.portresource.http2HealthCheck.hostresource.http2HealthCheck.requestPathresource.http2HealthCheck.proxyHeaderresource.http2HealthCheck.responseresource.http2HealthCheck.portSpecification
- gRPC 健康狀態檢查:
resource.grpcHealthCheck.portresource.grpcHealthCheck.grpcServiceNameresource.grpcHealthCheck.portSpecification
resource.sourceRegionsresource.logConfigresource.logConfig.enable
網路端點群組
網路端點群組:compute.googleapis.com/NetworkEndpointGroup
resource.annotationsresource.appEngine.serviceresource.appEngine.urlMaskresource.appEngine.versionresource.cloudFunction.functionresource.cloudFunction.urlMaskresource.cloudRun.serviceresource.cloudRun.tagresource.cloudRun.urlMaskresource.defaultPortresource.descriptionresource.nameresource.networkresource.networkEndpointTyperesource.pscData.producerPortresource.pscTargetServiceresource.subnetwork
服務負載平衡政策
服務負載平衡政策:networkservices.googleapis.com/ServiceLbPolicy
resource.autoCapacityDrain.enableresource.descriptionresource.failoverConfig.failoverHealthThresholdresource.loadBalancingAlgorithmresource.name
安全資料傳輸層 (SSL) 政策
SSL 政策:compute.googleapis.com/SslPolicy
resource.profileresource.nameresource.descriptionresource.minTlsVersionresource.customFeatures
目標執行個體
目標執行個體:compute.googleapis.com/TargetInstance
resource.nameresource.descriptionresource.natPolicy
目標集區
目標集區:compute.googleapis.com/TargetPool
resource.nameresource.descriptionresource.sessionAffinityresource.failoverRatio
目標 Proxy
目標 TCP Proxy:compute.googleapis.com/TargetTcpProxy
resource.nameresource.descriptionresource.proxyBindresource.proxyHeader
目標 SSL Proxy:compute.googleapis.com/TargetSslProxy
resource.nameresource.descriptionresource.proxyHeader
目標 HTTP Proxy:compute.googleapis.com/TargetHttpProxy
resource.nameresource.descriptionresource.proxyBindresource.httpKeepAliveTimeoutSec
目標 HTTPS Proxy 伺服器:compute.googleapis.com/TargetHttpsProxy
resource.nameresource.descriptionresource.proxyBindresource.httpKeepAliveTimeoutSecresource.quicOverrideresource.tlsEarlyData
目標 gRPC 代理伺服器:compute.googleapis.com/TargetGrpcProxy
resource.nameresource.descriptionresource.validateForProxyless
網址對應
網址對應:compute.googleapis.com/UrlMap
resource.nameresource.descriptionresource.defaultCustomErrorResponsePolicyresource.defaultCustomErrorResponsePolicy.errorResponseRulesresource.defaultCustomErrorResponsePolicy.errorResponseRules.matchResponseCodesresource.defaultCustomErrorResponsePolicy.errorResponseRules.overrideResponseCoderesource.defaultCustomErrorResponsePolicy.errorResponseRules.path
resource.defaultRouteActionresource.defaultRouteAction.corsPolicyresource.defaultRouteAction.corsPolicy.allowCredentialsresource.defaultRouteAction.corsPolicy.allowHeadersresource.defaultRouteAction.corsPolicy.allowMethodsresource.defaultRouteAction.corsPolicy.allowOriginsresource.defaultRouteAction.corsPolicy.allowOriginRegexesresource.defaultRouteAction.corsPolicy.disabledresource.defaultRouteAction.corsPolicy.exposeHeadersresource.defaultRouteAction.corsPolicy.maxAgeresource.defaultRouteAction.faultInjectionPolicyresource.defaultRouteAction.faultInjectionPolicy.abortresource.defaultRouteAction.faultInjectionPolicy.abort.httpStatusresource.defaultRouteAction.faultInjectionPolicy.abort.percentage
resource.defaultRouteAction.faultInjectionPolicy.delayresource.defaultRouteAction.faultInjectionPolicy.delay.percentageresource.defaultRouteAction.faultInjectionPolicy.delay.fixedDelayresource.defaultRouteAction.faultInjectionPolicy.delay.fixedDelay.nanosresource.defaultRouteAction.faultInjectionPolicy.delay.fixedDelay.seconds
resource.defaultRouteAction.maxStreamDurationresource.defaultRouteAction.maxStreamDuration.nanosresource.defaultRouteAction.maxStreamDuration.secondsresource.defaultRouteAction.requestMirrorPolicyresource.defaultRouteAction.retryPolicyresource.defaultRouteAction.retryPolicy.numRetriesresource.defaultRouteAction.retryPolicy.perTryTimeoutresource.defaultRouteAction.retryPolicy.perTryTimeout.nanosresource.defaultRouteAction.retryPolicy.perTryTimeout.seconds
resource.defaultRouteAction.retryPolicy.retryConditionsresource.defaultRouteAction.timeoutresource.defaultRouteAction.timeout.nanosresource.defaultRouteAction.timeout.secondsresource.defaultRouteAction.urlRewriteresource.defaultRouteAction.urlRewrite.hostRewriteresource.defaultRouteAction.urlRewrite.pathPrefixRewriteresource.defaultRouteAction.urlRewrite.pathTemplateRewriteresource.defaultRouteAction.weightedBackendServicesresource.defaultRouteAction.weightedBackendServices.headerActionresource.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAddresource.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerNameresource.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerValueresource.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.replaceresource.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToRemoveresource.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAddresource.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerNameresource.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerValueresource.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.replaceresource.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToRemove
resource.defaultRouteAction.weightedBackendServices.weight
resource.defaultUrlRedirectresource.defaultUrlRedirect.hostRedirectresource.defaultUrlRedirect.httpsRedirectresource.defaultUrlRedirect.pathRedirectresource.defaultUrlRedirect.prefixRedirectresource.defaultUrlRedirect.redirectResponseCoderesource.defaultUrlRedirect.stripQuery
resource.headerActionresource.headerAction.requestHeadersToAddresource.headerAction.requestHeadersToAdd.headerNameresource.headerAction.requestHeadersToAdd.headerValueresource.headerAction.requestHeadersToAdd.replaceresource.headerAction.requestHeadersToRemoveresource.headerAction.responseHeadersToAddresource.headerAction.responseHeadersToAdd.headerNameresource.headerAction.responseHeadersToAdd.headerValueresource.headerAction.responseHeadersToAdd.replaceresource.headerAction.responseHeadersToRemove
resource.hostRulesresource.hostRules.descriptionresource.hostRules.hostsresource.hostRules.pathMatcher
resource.pathMatchersresource.pathMatchers.nameresource.pathMatchers.descriptionresource.pathMatchers.defaultCustomErrorResponsePolicyresource.pathMatchers.defaultCustomErrorResponsePolicy.errorResponseRulesresource.pathMatchers.defaultCustomErrorResponsePolicy.errorResponseRules.matchResponseCodesresource.pathMatchers.defaultCustomErrorResponsePolicy.errorResponseRules.overrideResponseCoderesource.pathMatchers.defaultCustomErrorResponsePolicy.errorResponseRules.path
resource.pathMatchers.defaultRouteActionresource.pathMatchers.defaultRouteAction.corsPolicyresource.pathMatchers.defaultRouteAction.corsPolicy.allowCredentialsresource.pathMatchers.defaultRouteAction.corsPolicy.allowHeadersresource.pathMatchers.defaultRouteAction.corsPolicy.allowMethodsresource.pathMatchers.defaultRouteAction.corsPolicy.allowOriginsresource.pathMatchers.defaultRouteAction.corsPolicy.allowOriginRegexesresource.pathMatchers.defaultRouteAction.corsPolicy.disabledresource.pathMatchers.defaultRouteAction.corsPolicy.exposeHeadersresource.pathMatchers.defaultRouteAction.corsPolicy.maxAge
resource.pathMatchers.defaultRouteAction.faultInjectionPolicyresource.pathMatchers.defaultRouteAction.faultInjectionPolicy.abortresource.pathMatchers.defaultRouteAction.faultInjectionPolicy.abort.httpStatusresource.pathMatchers.defaultRouteAction.faultInjectionPolicy.abort.percentageresource.pathMatchers.defaultRouteAction.faultInjectionPolicy.delayresource.pathMatchers.defaultRouteAction.faultInjectionPolicy.delay.percentageresource.pathMatchers.defaultRouteAction.faultInjectionPolicy.delay.fixedDelayresource.pathMatchers.defaultRouteAction.faultInjectionPolicy.delay.fixedDelay.nanosresource.pathMatchers.defaultRouteAction.faultInjectionPolicy.delay.fixedDelay.seconds
resource.pathMatchers.defaultRouteAction.maxStreamDurationresource.pathMatchers.defaultRouteAction.maxStreamDuration.nanosresource.pathMatchers.defaultRouteAction.maxStreamDuration.seconds
resource.pathMatchers.defaultRouteAction.requestMirrorPolicyresource.pathMatchers.defaultRouteAction.retryPolicyresource.pathMatchers.defaultRouteAction.retryPolicy.numRetriesresource.pathMatchers.defaultRouteAction.retryPolicy.perTryTimeoutresource.pathMatchers.defaultRouteAction.retryPolicy.perTryTimeout.nanosresource.pathMatchers.defaultRouteAction.retryPolicy.perTryTimeout.secondsresource.pathMatchers.defaultRouteAction.retryPolicy.retryConditions
resource.pathMatchers.defaultRouteAction.timeoutresource.pathMatchers.defaultRouteAction.timeout.nanosresource.pathMatchers.defaultRouteAction.timeout.seconds
resource.pathMatchers.defaultRouteAction.urlRewriteresource.pathMatchers.defaultRouteAction.urlRewrite.hostRewriteresource.pathMatchers.defaultRouteAction.urlRewrite.pathPrefixRewriteresource.pathMatchers.defaultRouteAction.urlRewrite.pathTemplateRewrite
resource.pathMatchers.defaultRouteAction.weightedBackendServicesresource.pathMatchers.defaultRouteAction.weightedBackendServices.headerActionresource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAddresource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerNameresource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerValueresource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToAdd.replace
resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.requestHeadersToRemoveresource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAddresource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerNameresource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerValueresource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToAdd.replace
resource.pathMatchers.defaultRouteAction.weightedBackendServices.headerAction.responseHeadersToRemoveresource.pathMatchers.defaultRouteAction.weightedBackendServices.weight
resource.pathMatchers.defaultUrlRedirectresource.pathMatchers.defaultUrlRedirect.hostRedirectresource.pathMatchers.defaultUrlRedirect.httpsRedirectresource.pathMatchers.defaultUrlRedirect.pathRedirectresource.pathMatchers.defaultUrlRedirect.prefixRedirectresource.pathMatchers.defaultUrlRedirect.redirectResponseCoderesource.pathMatchers.defaultUrlRedirect.stripQueryresource.pathMatchers.headerActionresource.pathMatchers.headerAction.requestHeadersToAddresource.pathMatchers.headerAction.requestHeadersToAdd.headerNameresource.pathMatchers.headerAction.requestHeadersToAdd.headerValueresource.pathMatchers.headerAction.requestHeadersToAdd.replaceresource.pathMatchers.headerAction.requestHeadersToRemoveresource.pathMatchers.headerAction.responseHeadersToAddresource.pathMatchers.headerAction.responseHeadersToAdd.headerNameresource.pathMatchers.headerAction.responseHeadersToAdd.headerValueresource.pathMatchers.headerAction.responseHeadersToAdd.replaceresource.pathMatchers.headerAction.responseHeadersToRemoveresource.pathMatchers.pathRulesresource.pathMatchers.pathRules.pathsresource.pathMatchers.pathRules.customErrorResponsePolicyresource.pathMatchers.pathRules.customErrorResponsePolicy.errorResponseRulesresource.pathMatchers.pathRules.customErrorResponsePolicy.errorResponseRules.matchResponseCodesresource.pathMatchers.pathRules.customErrorResponsePolicy.errorResponseRules.overrideResponseCoderesource.pathMatchers.pathRules.customErrorResponsePolicy.errorResponseRules.path
resource.pathMatchers.pathRules.routeActionresource.pathMatchers.pathRules.routeAction.corsPolicyresource.pathMatchers.pathRules.routeAction.corsPolicy.allowCredentialsresource.pathMatchers.pathRules.routeAction.corsPolicy.allowHeadersresource.pathMatchers.pathRules.routeAction.corsPolicy.allowMethodsresource.pathMatchers.pathRules.routeAction.corsPolicy.allowOriginsresource.pathMatchers.pathRules.routeAction.corsPolicy.allowOriginRegexesresource.pathMatchers.pathRules.routeAction.corsPolicy.disabledresource.pathMatchers.pathRules.routeAction.corsPolicy.exposeHeadersresource.pathMatchers.pathRules.routeAction.corsPolicy.maxAgeresource.pathMatchers.pathRules.routeAction.faultInjectionPolicyresource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.abortresource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.abort.httpStatusresource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.abort.percentage
resource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.delayresource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.delay.percentageresource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.delay.fixedDelayresource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.delay.fixedDelay.nanosresource.pathMatchers.pathRules.routeAction.faultInjectionPolicy.delay.fixedDelay.seconds
resource.pathMatchers.pathRules.routeAction.maxStreamDurationresource.pathMatchers.pathRules.routeAction.maxStreamDuration.nanosresource.pathMatchers.pathRules.routeAction.maxStreamDuration.secondsresource.pathMatchers.pathRules.routeAction.requestMirrorPolicyresource.pathMatchers.pathRules.routeAction.retryPolicyresource.pathMatchers.pathRules.routeAction.retryPolicy.numRetriesresource.pathMatchers.pathRules.routeAction.retryPolicy.perTryTimeoutresource.pathMatchers.pathRules.routeAction.retryPolicy.perTryTimeout.nanosresource.pathMatchers.pathRules.routeAction.retryPolicy.perTryTimeout.seconds
resource.pathMatchers.pathRules.routeAction.retryPolicy.retryConditionsresource.pathMatchers.pathRules.routeAction.timeoutresource.pathMatchers.pathRules.routeAction.timeout.nanosresource.pathMatchers.pathRules.routeAction.timeout.secondsresource.pathMatchers.pathRules.routeAction.urlRewriteresource.pathMatchers.pathRules.routeAction.urlRewrite.hostRewriteresource.pathMatchers.pathRules.routeAction.urlRewrite.pathPrefixRewriteresource.pathMatchers.pathRules.routeAction.urlRewrite.pathTemplateRewriteresource.pathMatchers.pathRules.routeAction.weightedBackendServicesresource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerActionresource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAddresource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerNameresource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerValueresource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.replaceresource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.requestHeadersToRemoveresource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAddresource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerNameresource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerValueresource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.replaceresource.pathMatchers.pathRules.routeAction.weightedBackendServices.headerAction.responseHeadersToRemove
resource.pathMatchers.pathRules.routeAction.weightedBackendServices.weight
resource.pathMatchers.pathRules.urlRedirectresource.pathMatchers.pathRules.urlRedirect.hostRedirectresource.pathMatchers.pathRules.urlRedirect.httpsRedirectresource.pathMatchers.pathRules.urlRedirect.pathRedirectresource.pathMatchers.pathRules.urlRedirect.prefixRedirectresource.pathMatchers.pathRules.urlRedirect.redirectResponseCoderesource.pathMatchers.pathRules.urlRedirect.stripQuery
resource.pathMatchers.routeRulesresource.pathMatchers.routeRules.descriptionresource.pathMatchers.routeRules.priorityresource.pathMatchers.routeRules.customErrorResponsePolicyresource.pathMatchers.routeRules.customErrorResponsePolicy.errorResponseRulesresource.pathMatchers.routeRules.customErrorResponsePolicy.errorResponseRules.matchResponseCodesresource.pathMatchers.routeRules.customErrorResponsePolicy.errorResponseRules.overrideResponseCoderesource.pathMatchers.routeRules.customErrorResponsePolicy.errorResponseRules.path
resource.pathMatchers.routeRules.headerActionresource.pathMatchers.routeRules.headerAction.requestHeadersToAddresource.pathMatchers.routeRules.headerAction.requestHeadersToAdd.headerNameresource.pathMatchers.routeRules.headerAction.requestHeadersToAdd.headerValueresource.pathMatchers.routeRules.headerAction.requestHeadersToAdd.replaceresource.pathMatchers.routeRules.headerAction.requestHeadersToRemoveresource.pathMatchers.routeRules.headerAction.responseHeadersToAddresource.pathMatchers.routeRules.headerAction.responseHeadersToAdd.headerNameresource.pathMatchers.routeRules.headerAction.responseHeadersToAdd.headerValueresource.pathMatchers.routeRules.headerAction.responseHeadersToAdd.replaceresource.pathMatchers.routeRules.headerAction.responseHeadersToRemove
resource.pathMatchers.routeRules.matchRulesresource.pathMatchers.routeRules.matchRules.fullPathMatchresource.pathMatchers.routeRules.matchRules.headerMatchesresource.pathMatchers.routeRules.matchRules.headerMatches.exactMatchresource.pathMatchers.routeRules.matchRules.headerMatches.headerNameresource.pathMatchers.routeRules.matchRules.headerMatches.invertMatchresource.pathMatchers.routeRules.matchRules.headerMatches.prefixMatchresource.pathMatchers.routeRules.matchRules.headerMatches.presentMatchresource.pathMatchers.routeRules.matchRules.headerMatches.rangeMatchresource.pathMatchers.routeRules.matchRules.headerMatches.rangeMatch.rangeStartresource.pathMatchers.routeRules.matchRules.headerMatches.rangeMatch.rangeEnd
resource.pathMatchers.routeRules.matchRules.headerMatches.regexMatchresource.pathMatchers.routeRules.matchRules.headerMatches.suffixMatchresource.pathMatchers.routeRules.matchRules.ignoreCaseresource.pathMatchers.routeRules.matchRules.metadataFiltersresource.pathMatchers.routeRules.matchRules.metadataFilters.filterLabelsresource.pathMatchers.routeRules.matchRules.metadataFilters.filterLabels.nameresource.pathMatchers.routeRules.matchRules.metadataFilters.filterLabels.value
resource.pathMatchers.routeRules.matchRules.metadataFilters.filterMatchCriteriaresource.pathMatchers.routeRules.matchRules.pathTemplateMatchresource.pathMatchers.routeRules.matchRules.prefixMatchresource.pathMatchers.routeRules.matchRules.queryParameterMatchesresource.pathMatchers.routeRules.matchRules.queryParameterMatches.nameresource.pathMatchers.routeRules.matchRules.queryParameterMatches.exactMatchresource.pathMatchers.routeRules.matchRules.queryParameterMatches.presentMatchresource.pathMatchers.routeRules.matchRules.queryParameterMatches.regexMatchresource.pathMatchers.routeRules.matchRules.regexMatch
resource.pathMatchers.routeRules.routeActionresource.pathMatchers.routeRules.routeAction.corsPolicyresource.pathMatchers.routeRules.routeAction.corsPolicy.allowCredentialsresource.pathMatchers.routeRules.routeAction.corsPolicy.allowHeadersresource.pathMatchers.routeRules.routeAction.corsPolicy.allowMethodsresource.pathMatchers.routeRules.routeAction.corsPolicy.allowOriginsresource.pathMatchers.routeRules.routeAction.corsPolicy.allowOriginRegexesresource.pathMatchers.routeRules.routeAction.corsPolicy.disabledresource.pathMatchers.routeRules.routeAction.corsPolicy.exposeHeadersresource.pathMatchers.routeRules.routeAction.corsPolicy.maxAgeresource.pathMatchers.routeRules.routeAction.faultInjectionPolicyresource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.abortresource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.abort.httpStatusresource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.abort.percentage
resource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.delayresource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.delay.percentageresource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.delay.fixedDelayresource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.delay.fixedDelay.nanosresource.pathMatchers.routeRules.routeAction.faultInjectionPolicy.delay.fixedDelay.seconds
resource.pathMatchers.routeRules.routeAction.maxStreamDurationresource.pathMatchers.routeRules.routeAction.maxStreamDuration.nanosresource.pathMatchers.routeRules.routeAction.maxStreamDuration.secondsresource.pathMatchers.routeRules.routeAction.requestMirrorPolicyresource.pathMatchers.routeRules.routeAction.retryPolicyresource.pathMatchers.routeRules.routeAction.retryPolicy.numRetriesresource.pathMatchers.routeRules.routeAction.retryPolicy.perTryTimeoutresource.pathMatchers.routeRules.routeAction.retryPolicy.perTryTimeout.nanosresource.pathMatchers.routeRules.routeAction.retryPolicy.perTryTimeout.seconds
resource.pathMatchers.routeRules.routeAction.retryPolicy.retryConditionsresource.pathMatchers.routeRules.routeAction.timeoutresource.pathMatchers.routeRules.routeAction.timeout.nanosresource.pathMatchers.routeRules.routeAction.timeout.secondsresource.pathMatchers.routeRules.routeAction.urlRewriteresource.pathMatchers.routeRules.routeAction.urlRewrite.hostRewriteresource.pathMatchers.routeRules.routeAction.urlRewrite.pathPrefixRewriteresource.pathMatchers.routeRules.routeAction.urlRewrite.pathTemplateRewriteresource.pathMatchers.routeRules.routeAction.weightedBackendServicesresource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerActionresource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAddresource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerNameresource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.headerValueresource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.requestHeadersToAdd.replaceresource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.requestHeadersToRemoveresource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAddresource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerNameresource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.headerValueresource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.responseHeadersToAdd.replaceresource.pathMatchers.routeRules.routeAction.weightedBackendServices.headerAction.responseHeadersToRemove
resource.pathMatchers.routeRules.routeAction.weightedBackendServices.weight
resource.pathMatchers.routeRules.urlRedirectresource.pathMatchers.routeRules.urlRedirect.hostRedirectresource.pathMatchers.routeRules.urlRedirect.httpsRedirectresource.pathMatchers.routeRules.urlRedirect.pathRedirectresource.pathMatchers.routeRules.urlRedirect.prefixRedirectresource.pathMatchers.routeRules.urlRedirect.redirectResponseCoderesource.pathMatchers.routeRules.urlRedirect.stripQuery
resource.testsresource.tests.descriptionresource.tests.expectedOutputUrlresource.tests.expectedRedirectResponseCoderesource.tests.headersresource.tests.headers.nameresource.tests.headers.valueresource.tests.hostresource.tests.path
如需其他支援的運算資源,請參閱 Compute Engine 自訂限制頁面。
政策繼承
根據預設,機構政策會由您強制執行政策的資源子項繼承。舉例來說,如果您對資料夾套用政策, Google Cloud 就會對資料夾中的所有專案套用政策。如要進一步瞭解這項行為和如何變更,請參閱「階層評估規則」。
事前準備
-
如果尚未設定,請先設定驗證機制。驗證是指驗證身分,以便存取 Google Cloud 服務和 API 的程序。如要從本機開發環境執行程式碼或範例,請選取下列任一選項,以便驗證 Compute Engine:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
-
After installing the Google Cloud CLI, initialize it by running the following command:
gcloud initIf you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- Set a default region and zone.
- 請務必確認您知道自己的機構 ID。
-
機構資源_types 中的機構政策管理員 (
roles/orgpolicy.policyAdmin) -
如要測試負載平衡資源的限制條件,請按照下列步驟操作:
Compute 負載平衡器管理員 (v1) (
roles/compute.loadBalancerAdmin.v1) 在專案資源上 -
orgpolicy.constraints.list -
orgpolicy.policies.create -
orgpolicy.policies.delete -
orgpolicy.policies.list -
orgpolicy.policies.update -
orgpolicy.policy.get -
orgpolicy.policy.set 在 Google Cloud 控制台中,前往「Organization policies」(機構政策) 頁面。
選取頁面頂端的專案挑選器。
在「Select a resource」視窗中,選取要建立自訂限制的機構。
按一下 「自訂限制」。
在「顯示名稱」方塊中,輸入限制的易懂名稱。這個欄位的長度上限為 200 個半形字元。請勿在限制名稱中使用 PII 或機密資料,因為錯誤訊息可能會顯示上述資訊。
在「Constraint ID」方塊中,輸入新自訂限制條件的名稱。自訂限制的開頭必須為
custom.,且只能包含大寫英文字母、小寫英文字母或數字,例如custom.enforceTCPHealthCheckPort1024。這個欄位的長度上限為 70 個半形字元,不含前置字元 (例如organizations/123456789/customConstraints/custom.)。在「說明」方塊中,輸入限制的易讀說明,以便在違反政策時顯示為錯誤訊息。這個欄位的長度上限為 2000 個半形字元。
在「Resource type」方塊中,選取包含要限制的物件和欄位的 Google CloudREST 資源名稱。例如:
compute.googleapis.com/HealthCheck。在「強制執行方法」下方,選取是否要在 REST
CREATE方法上強制執行限制。如要定義條件,請按一下 編輯條件。
在「Add condition」面板中,建立參照支援的服務資源 (例如
resource.tcpHealthCheck.port >= 1024按一下 [儲存]。
在「動作」下方,選取在符合上述條件時,要允許或拒絕評估方法。
按一下「建立限制條件」。
ORGANIZATION_ID:貴機構 ID,例如123456789。CONSTRAINT_NAME:您要為新自訂限制設定的名稱。自訂限制的開頭必須為custom.,且只能包含大寫英文字母、小寫英文字母或數字。例如,custom.enforceTCPHealthCheckPort1024。這個欄位的長度上限為 70 個半形字元,不含前置字元 (例如organizations/123456789/customConstraints/custom.)。RESOURCE_NAME:包含您要限制的物件和欄位的 Compute Engine API REST 資源名稱 (而非 URI)。例如:HealthCheck。CONDITION:針對支援的服務資源表示法編寫的 CEL 條件。這個欄位的長度上限為 1000 個半形字元。如要進一步瞭解可用於寫入條件的資源,請參閱「支援的資源」。例如:"resource.tcpHealthCheck.port >= 1024"。ACTION:如果符合condition,則採取的動作。這個欄位可以是ALLOW或DENY。DISPLAY_NAME:限制的易讀名稱。這個欄位的長度上限為 200 個半形字元。DESCRIPTION:在違反政策時,要以錯誤訊息形式顯示的限制說明。這個欄位的長度上限為 2000 個半形字元。- 在 Google Cloud 控制台中,前往「Organization policies」(機構政策) 頁面。
- 在專案選擇工具中,選取要設定機構政策的專案。
- 在「Organization policies」頁面的清單中選取限制條件,即可查看該限制條件的「Policy details」頁面。
- 如要設定這項資源的機構政策,請按一下「管理政策」。
- 在「Edit policy」(編輯政策) 頁面上,選取「Override parent's policy」(覆寫父項政策)。
- 按一下「新增規則」。
- 在「Enforcement」(強制執行) 部分,選取是否要啟用這項機構政策的強制執行機制。
- 選用:如要讓機構政策依標記而定,請按一下「新增條件」。請注意,如果您在組織政策中新增條件規則,則必須至少新增一項無條件規則,否則無法儲存政策。詳情請參閱「設定含有標記的組織政策」。
- 按一下「測試變更」,模擬機構政策的效果。舊版受管理限制條件無法進行政策模擬。詳情請參閱「 使用 Policy Simulator 測試組織政策變更」。
- 如要完成並套用機構政策,請按一下「設定政策」。這項政策最多需要 15 分鐘才會生效。
-
PROJECT_ID:您要強制執行限制的專案。 -
CONSTRAINT_NAME:您為自訂限制定義的名稱。例如:custom.enforceTCPHealthCheckPort1024 為預先定義的限制建立 YAML 檔案。
name: organizations/ORGANIZATION_ID/customConstraints/custom.CONSTRAINT_NAME resource_types: compute.googleapis.com/SslPolicy methodTypes: - CREATE - UPDATE condition: resource.FIELD_NAME == VALUE action_type: ACTION display_name: DISPLAY_NAME description: DESCRIPTION以下範例會將最低傳輸層安全標準 (TLS) 版本限制為 1.2:
name: organizations/012345678901/customConstraints/custom.restrictLbTlsVersion resource_types: compute.googleapis.com/SslPolicy methodTypes: - CREATE - UPDATE condition: resource.minTlsVersion == "TLS_1_2" action_type: ALLOW display_name: Restrict Load Balancing TLS version to 1.2 description: Only allow SSL policies to be created or updated if the minimum TLS version is 1.2 where this custom constraint is enforced.以下是另一個自訂限制的範例,只有在符合下列條件時,才允許建立 SSL 資源:
- 最低 TLS 版本設為 1.2。
- SSL 政策包含 CUSTOM 設定檔,可讓您個別選取 SSL 功能。
- SSL 政策不包含 ChaCha20-Poly1305 加密組合。
name: organizations/ORGANIZATION_ID/customConstraints/custom.restrictLbTlsCapabilities resourceTypes: - compute.googleapis.com/SslPolicy methodTypes: - CREATE - UPDATE condition: resource.minTlsVersion == "TLS_1_2" && resource.profile == "CUSTOM" && !resource.customFeatures.exists(feature, feature.contains("CHACHA20_POLY1305")) actionType: ALLOW displayName: Restrict Load Balancing TLS Capabilities description: Only allow SSL Policy resources to be created or updated if the minimum TLS version is 1.2, profile is CUSTOM, and no ChaCha20-Poly1305 cipher suite is used where this custom constraint is enforced.將自訂限制新增至貴機構。
gcloud org-policies set-custom-constraint PATH_TO_FILE
確認貴機構中有自訂限制。
gcloud org-policies list-custom-constraints \ --organization=ORGANIZATION_ID建立限制的政策檔案。
name: projects/PROJECT_ID/policies/custom.CONSTRAINT_NAME spec: rules: – enforce: true
更改下列內容:
PROJECT_ID:您的 Google Cloud 專案 IDCONSTRAINT_NAME:限制名稱
強制執行政策。
gcloud org-policies set-policy PATH_TO_POLICY_FILE
將
PATH_TO_POLICY_FILE替換為政策檔案的完整路徑。假設您已建立 YAML 檔案,將最低 TLS 版本限制為 1.2,請建立 SSL 政策並將
minTlsVersion設為TLS_1_0,以便測試限制條件:gcloud compute ssl-policies create SSL_POLICY_NAME \ --min-tls-version=1.0 \ --project=PROJECT_ID輸出結果會與下列內容相似:
ERROR: (gcloud.compute.ssl-policies.update) HTTPError 412: Operation denied by custom org policy: [customConstraints/custom. restrictLbTlsVersion] : Only allow SSL policy resources to be created or updated if the minimum TLS version is 1.2 where this custom constraint is enforced.
- 您的機構 ID
專案 ID
建立包含下列資訊的
enforceTCPHealthCheckPort1024.yaml限制檔案:name: organizations/ORGANIZATION_ID/customConstraints/custom.enforceTCPHealthCheckPort1024 resource_types: – compute.googleapis.com/HealthCheck condition: "resource.tcpHealthCheck.port >= 1024" method_types: – CREATE – UPDATE action_type: ALLOW display_name: Only TCP HealthCheck Port >= 1024 Allowed. description: Prevent TCP health checks on well-known ports.
設定自訂限制。
gcloud org-policies set-custom-constraint enforceTCPHealthCheckPort1024.yaml
請使用以下資訊建立
enforceTCPHealthCheckPort1024-policy.yaml政策檔案。在這個範例中,我們會在專案層級強制執行這項限制,但您也可以在機構或資料夾層級設定這項限制。將PROJECT_ID替換為您的專案 ID。name: projects/PROJECT_ID/policies/custom.enforceTCPHealthCheckPort1024 spec: rules: – enforce: true
強制執行政策。
gcloud org-policies set-policy enforceTCPHealthCheckPort1024-policy.yaml
嘗試在禁止的通訊埠 80 上建立 TCP 健康狀態檢查,以測試限制。
gcloud compute health-checks create tcp my-tcp-health-check \ --project=PROJECT_ID \ --region=us-central1 \ --port=80 \ --check-interval=5s \ --timeout=5s \ --healthy-threshold=4 \ --unhealthy-threshold=5 \輸出結果會與下列內容相似:
ERROR: (gcloud.compute.healthChecks.create) Could not fetch resource: – Operation denied by custom org policies: [customConstraints/
custom.enforceTCPHealthCheckPort1024]: Only TCP HealthCheck Port >= 1024 Allowed.不支援舊版健康狀態檢查 (舊版全域 (HTTP) 和 舊版全域 (HTTPS))。
對於某些 Compute Engine 資源 (例如 Compute Engine SSL 政策資源),系統也會在
UPDATE方法上強制執行自訂限制。
必要的角色
如要取得管理 Cloud Load Balancing 資源機構政策所需的權限,請要求管理員授予下列 IAM 角色:
如要進一步瞭解如何授予角色,請參閱「管理專案、資料夾和機構的存取權」。
這些預先定義的角色包含管理 Cloud Load Balancing 資源的機構政策所需的權限。如要查看確切的必要權限,請展開「必要權限」部分:
所需權限
必須具備下列權限,才能管理 Cloud Load Balancing 資源的組織政策:
設定自訂限制
自訂限制是由您要強制執行機構政策的服務支援的資源、方法、條件和動作所定義。您可以使用一般運算語言 (CEL) 定義自訂限制條件。如要進一步瞭解如何使用 CEL 在自訂限制中建立條件,請參閱「建立及管理自訂機構政策」一文中的 CEL 相關部分。
您可以使用 Google Cloud 主控台或 gcloud CLI 建立自訂限制,並設定用於機構政策。
控制台
在每個欄位中輸入值後,這個自訂限制的對等 YAML 設定會顯示在右側。
gcloud
如要使用 gcloud CLI 建立自訂限制,請為自訂限制建立 YAML 檔案:
name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME resource_types: - compute.googleapis.com/RESOURCE_NAME method_types: - CREATE - UPDATE condition: CONDITION action_type: ACTION display_name: DISPLAY_NAME description: DESCRIPTION更改下列內容:
如要進一步瞭解如何建立自訂限制,請參閱「建立及管理自訂機構政策」。
為新自訂限制建立 YAML 檔案後,您必須設定該檔案,以便在貴機構中使用機構政策。如要設定自訂限制條件,請使用gcloud org-policies set-custom-constraint指令:gcloud org-policies set-custom-constraint CONSTRAINT_PATH
CONSTRAINT_PATH替換為自訂限制檔案的完整路徑。例如:/home/user/customconstraint.yaml。完成後,自訂限制就會列在 Google Cloud 機構政策清單中,成為機構政策。如要確認自訂限制是否存在,請使用gcloud org-policies list-custom-constraints指令:gcloud org-policies list-custom-constraints --organization=ORGANIZATION_ID
ORGANIZATION_ID替換為機構資源的 ID。詳情請參閱「查看組織政策」。強制執行自訂限制
您可以建立參照限制的機構政策,然後將該機構政策套用至 Google Cloud 資源,藉此強制執行限制。控制台
gcloud
如要建立包含布林值規則的機構政策,請建立參照限制的政策 YAML 檔案:
name: projects/PROJECT_ID/policies/CONSTRAINT_NAME spec: rules: - enforce: true
取代下列內容:
如要強制執行包含限制的機構政策,請執行下列指令:
gcloud org-policies set-policy POLICY_PATH
將
POLICY_PATH替換為機構政策 YAML 檔案的完整路徑。這項政策最多需要 15 分鐘才會生效。範例:使用自訂限制來限制 TLS 功能
如要使用自訂限制來限制支援的負載平衡器的 TLS 功能,請在貴機構中定義使用預先定義
constraints/compute.requireSslPolicy限制的政策。定義政策後,請按照下列步驟設定及使用自訂限制條件。範例:建立限制,將 TCP 健康狀態檢查通訊埠限制為至少 1024
以下範例會建立自訂限制和政策,將 TCP 健康狀態檢查通訊埠編號限制為至少
1024。開始之前,請先瞭解下列事項:
gcloud
常見用途的更多範例
以下各節將提供一些實用的自訂限制語法:
後端值區
用途 語法 要求所有後端值區都啟用 Cloud CDN name: organizations/ORGANIZATION_ID/customConstraints/custom.backendBucketEnableCdn resourceTypes: - compute.googleapis.com/BackendBucket methodTypes: - CREATE - UPDATE condition: "resource.enableCdn == true" actionType: ALLOW displayName: Require all backend buckets to have Cloud CDN enabled description: All backend buckets must have Cloud CDN enabled.
後端服務
用途 語法 禁止使用 HTTP 和 TCP 做為後端服務通訊協定 name: organizations/ORGANIZATION_ID/customConstraints/custom.backendBucketEnableCdn resourceTypes: - compute.googleapis.com/BackendService methodTypes: - CREATE - UPDATE condition: "resource.serviceProtocol == 'HTTP' || resource.serviceProtocol == 'TCP'" actionType: DENY displayName: Disallow the use of HTTP and TCP as backend service protocols description: Backend services cannot configure HTTP or TCP as the backend service protocol.
轉送規則
用途 語法 要求轉送規則才能使用標準級 name: organizations/ORGANIZATION_ID/customConstraints/custom.forwardingRulesStandardTier resourceTypes: - compute.googleapis.com/ForwardingRule methodTypes: - CREATE - UPDATE condition: "resource.networkTier == 'STANDARD'" actionType: ALLOW displayName: Require forwarding rules to use Standard Tier description: Forwarding rules must use the Standard Network Service Tier.
健康狀態檢查
用途 語法 要求所有健康狀態檢查通訊協定都必須在 1024 以上通訊埠上執行 name: organizations/ORGANIZATION_ID/customConstraints/custom.healthCheckPortMin1024 resourceTypes: - compute.googleapis.com/HealthCheck methodTypes: - CREATE - UPDATE condition: "resource.tcpHealthCheck.port >= 1024 && resource.httpHealthCheck.port >= 1024 && resource.httpsHealthCheck.port >= 1024 && resource.sslHealthCheck.port >= 1024 && resource.sslHealthCheck.port >= 1024 &&resource.http2HealthCheck.port >= 1024 && resource.grpcHealthCheck.port >= 1024" actionType: ALLOW displayName: Require port 1024 or greater for all health checks description: All health check protocols must use a port of 1024 or higher, to avoid well-known ports.
禁止 GRPC 健康狀態檢查 name: organizations/ORGANIZATION_ID/customConstraints/custom.disallowGRPCHealthChecks resourceTypes: - compute.googleapis.com/HealthCheck methodTypes: - CREATE - UPDATE condition: "resource.type == 'GRPC'" actionType: DENY displayName: Disallow GRPC health checks description: Health checks aren't allowed to use GRPC.
避免頻繁的健康狀態檢查探測要求 name: organizations/ORGANIZATION_ID/customConstraints/custom.minHealthCheckFrequency resourceTypes: - compute.googleapis.com/HealthCheck methodTypes: - CREATE - UPDATE condition: "resource.checkIntervalSec >= 30" actionType: ALLOW displayName: Disallow fast health check probes description: Prevent health checks from having a probe frequency under 30 seconds.
目標 Proxy
用途 語法 禁止用戶端 HTTPS 保持運作逾時值超過 1000 秒 name: organizations/ORGANIZATION_ID/customConstraints/custom.clientHTTPSKeepalive1000Sec resourceTypes: - compute.googleapis.com/TargetHttpsProxy methodTypes: - CREATE - UPDATE condition: "resource.httpKeepAliveTimeoutSec > 1000" actionType: DENY displayName: Disallow client HTTPS keepalive timeout greater than 1000 seconds description: Disallow client HTTPS keepalive timeout values greater than 1000 seconds.
網址對應
用途 語法 要求網址對應必須針對 HTTP 500狀態碼提供自訂錯誤回應政策name: organizations/ORGANIZATION_ID/customConstraints/custom.urlMapCustomResponseHTTP500 resourceTypes: - compute.googleapis.com/UrlMaps methodTypes: - CREATE - UPDATE condition: "resource.defaultCustomErrorResponsePolicy.errorResponseRule.exists(value, value.matchResponseCode == 500)" actionType: ALLOW displayName: Require URL maps to have a custom error response policy for HTTP 500 errors description: URL maps must have a custom error response policy configured for HTTP 500 errors.
目標執行個體
用途 語法 要求目標執行個體的名稱開頭必須是「targetInstance」字串 name: organizations/ORGANIZATION_ID/customConstraints/custom.targetInstanceConstraint resourceTypes: - compute.googleapis.com/TargetInstance methodTypes: - CREATE - UPDATE condition: "resource.name.startsWith('targetInstance')" actionType: ALLOW displayName: Require target instances to have a name that starts with the string "targetInstance" description: Target instances must have resource names that start with the string "targetInstance"
目標集區
用途 語法 要求目標集區必須具有 CLIENT_IP 工作階段相依性 name: organizations/ORGANIZATION_ID/customConstraints/custom.targetPoolConstraint resourceTypes: - compute.googleapis.com/TargetPool methodTypes: - CREATE - UPDATE condition: "resource.sessionAffinity == 'CLIENT_IP'" actionType: ALLOW displayName: Require target pools to use CLIENT_IP session affinity description: Target pools must use CLIENT_IP session affinity
限制
後續步驟
除非另有註明,否則本頁面中的內容是採用創用 CC 姓名標示 4.0 授權,程式碼範例則為阿帕契 2.0 授權。詳情請參閱《Google Developers 網站政策》。Java 是 Oracle 和/或其關聯企業的註冊商標。
上次更新時間:2025-07-03 (世界標準時間)。
-