# Configuring ingress and egress policies

Last updated 2025-08-28 UTC.

This page explains how to configure [ingress and egress policies](/vpc-service-controls/docs/ingress-egress-rules)
for your VPC Service Controls perimeter.

Ingress and egress policies can be configured for existing perimeters or
included when a perimeter is created.

Updating ingress and egress policies for a service perimeter
------------------------------------------------------------

### Console

1. In the Google Cloud console navigation menu, click **Security**, and then
   click **VPC Service Controls**.

   [Go to the VPC Service Controls page](https://console.cloud.google.com/security/service-perimeter)
2. Select an existing service perimeter.

3. Click **Edit**.

4. On the **Edit service perimeter** page, click **Ingress policy** or **Egress policy**.

5. Expand the ingress or egress rule that you want to edit.

6. In the **From** and **To** sections, edit the ingress or egress rule attributes
   that you want to change.

   - For the list of ingress rule attributes, see [Ingress rules reference](/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference).

     > **Note:** If you select **All sources** in the **Sources** list of the ingress rule, the ingress policy allows access from any network origin.
   - For the list of egress rule attributes, see [Egress rules reference](/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference).

   The YAML attribute reference describes the same attributes that are found
   in the Google Cloud console, but the console uses slightly different names.
7. Click **Save**.

### gcloud

> **Note:** The following gcloud commands assume that a default access policy has been configured. For more details, see [Get the name and etag of an access policy](/access-context-manager/docs/manage-access-policy#get_the_name_of_an_access_policy).

To update a perimeter policy, run one of the following commands, replacing
*variables* with appropriate values:

```
gcloud access-context-manager perimeters update PERIMETER_NAME --set-ingress-policies=INGRESS-FILENAME.yaml

gcloud access-context-manager perimeters update PERIMETER_NAME --set-egress-policies=EGRESS-FILENAME.yaml
```

For example:

```
gcloud access-context-manager perimeters update my-perimeter --set-ingress-policies=my-ingress-rule.yaml
```

For information about configuring ingress and egress rules as YAML files, see [Ingress
rules reference](/vpc-service-controls/docs/ingress-egress-rules#ingress_rules_reference)
and [Egress rules reference](/vpc-service-controls/docs/ingress-egress-rules#egress_rules_reference).

Setting ingress and egress policies during perimeter creation
-------------------------------------------------------------

### Console

1. In the Google Cloud console navigation menu, click **Security**, and then
   click **VPC Service Controls**.

   [Go to the VPC Service Controls page](https://console.cloud.google.com/security/service-perimeter)
2. Click **New perimeter**.

   For information about the other service perimeter configurations, see [Create a
   service perimeter](/vpc-service-controls/docs/create-service-perimeters#console).
3. On the **Create a service perimeter** page, click **Ingress policy** or **Egress policy**.

4. Click **Add rule**.

5. In the **From** and **To** sections, specify the ingress or egress rule attributes
   that you want to configure.

   - For the list of ingress rule attributes, see [Ingress rules reference](/vpc-service-controls/docs/ingress-egress-rules#ingress-rules-reference).

     > **Note:** If you select **All sources** in the **Sources** list of the ingress rule, the ingress policy allows access from any network origin.
   - For the list of egress rule attributes, see [Egress rules reference](/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference).

   The YAML attribute reference describes the same attributes that are found
   in the Google Cloud console, but the console uses slightly different names.
6. Click **Create**.

### gcloud

> **Note:** The following gcloud commands assume that a default access policy has been configured. For more details, see [Get the name and etag of an access policy](/access-context-manager/docs/manage-access-policy#get_the_name_of_an_access_policy).

To create an ingress or egress policy while creating a perimeter, run one of the
following commands:

```
gcloud access-context-manager perimeters create PERIMETER_NAME --title=TITLE --ingress-policies=INGRESS-FILENAME.yaml --restricted-services=SERVICE --resources="projects/PROJECT"

gcloud access-context-manager perimeters create PERIMETER_NAME --title=TITLE --egress-policies=EGRESS-FILENAME.yaml --restricted-services=SERVICE --resources="projects/PROJECT"
```

For example:

```
gcloud access-context-manager perimeters create my-perimeter --title=perimeter-for-project-1 --ingress-policies=my-ingress-rule.yaml --restricted-services=storage.googleapis.com --resources="projects/myproject"
```

For information about configuring ingress and egress rules as YAML files, see [Ingress
rules reference](/vpc-service-controls/docs/ingress-egress-rules#ingress_rules_reference)
and [Egress rules reference](/vpc-service-controls/docs/ingress-egress-rules#egress_rules_reference).
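
A pre-flight check for the ingress rule file passed to `--set-ingress-policies`, as an added example that is not part of the original page: it refuses to apply a file whose sources allow any network origin, the case the **All sources** note warns about. It assumes that the console's **All sources** option is written as `accessLevel: "*"` in the YAML file; the function names and the `ALLOW_ALL_SOURCES` and `DRY_RUN` variables are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): refuse to apply an ingress
# policy file that allows any network origin unless explicitly overridden.
# Assumption: "All sources" in the console is `accessLevel: "*"` in YAML.

# Print "LINE:TEXT" for each wildcard accessLevel; return 1 if any is found.
find_open_sources() {
  hits=$(grep -nE "^[[:space:]]*(-[[:space:]]+)?accessLevel:[[:space:]]*[\"']?\*[\"']?[[:space:]]*(#.*)?$" "$1" || true)
  if [ -z "$hits" ]; then
    return 0
  fi
  printf '%s\n' "$hits"
  return 1
}

# Usage: apply_ingress_policy PERIMETER_NAME INGRESS-FILENAME.yaml
# ALLOW_ALL_SOURCES=1 overrides the refusal; DRY_RUN=1 prints the command.
apply_ingress_policy() {
  if ! find_open_sources "$2" >&2 && [ "${ALLOW_ALL_SOURCES:-0}" != "1" ]; then
    echo "refusing: $2 allows ingress from any network origin" >&2
    return 2
  fi
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "gcloud access-context-manager perimeters update $1 --set-ingress-policies=$2"
  else
    gcloud access-context-manager perimeters update "$1" "--set-ingress-policies=$2"
  fi
}

# Constructed sample rule file (field names as in the ingress rules reference).
sample=$(mktemp)
cat > "$sample" <<'EOF'
- ingressFrom:
    identityType: ANY_IDENTITY
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - "*"
EOF
DRY_RUN=1 apply_ingress_policy my-perimeter "$sample" || echo "blocked, exit code $?"
rm -f "$sample"
```

The check only matches the wildcard on the `accessLevel` key, so `method: "*"` and `resources: "*"` entries in `ingressTo` do not trigger it.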