Create and manage network policies
This document describes how to use network policies to control whether your VMware workloads can access or be accessed from the internet.
Each network policy is associated with a VMware Engine network, and VMware Engine networks can be either regional or global. Standard VMware Engine Networks are global resources, while Legacy VMware Engine Networks are regional.
A network policy applies to all private clouds associated with the VMware Engine network. For legacy networks, if you have private clouds deployed in more than one region and you want to enable internet access or the external IP address service, you must create a network policy in each region.
Create a network policy
Create a network policy using the console, gcloud, or the API.
Console
To create a new network policy using the Google Cloud console:
- In the Google Cloud console, go to the Network policies page. 
- Click Select a project and then select the organization, folder, or project that contains the VMware Engine network you want to associate the network policy with. 
- Click Create. 
- Provide information about the new network policy:
  - Network policy name: a name to identify the network policy
  - Network policy description: a description of the network policy
  - VMware Engine network: the VMware Engine network to associate the policy with
  - Region: the region where you want the network policy to apply
- In the Policy details section, enable or disable network services:
  - Internet access service: When enabled, VMware Engine allows outbound traffic from internal IP addresses to the internet.
  - External IP address service: When enabled, VMware Engine lets you reserve external IP addresses for internal IP addresses in the associated private cloud. External IP addresses provide inbound traffic access to internal IP addresses from the internet. This service can only be enabled when the internet access service is also enabled.
- In the Edge services address range field, enter the IP address range to use when addressing the VMware Engine public IP gateway (/26 address range). 
- Click Create. VMware Engine begins creating your new network policy. 
gcloud
In gcloud, run the network-policies create command:
gcloud vmware network-policies create NETWORK_POLICY_ID \
  --location LOCATION \
  --vmware-engine-network NETWORK_ID \
  --edge-services-cidr=EDGE_SERVICES_CIDR \
  [--external-ip-access] \
  [--internet-access]
Replace the following:
- NETWORK_POLICY_ID: a name for this network policy
- LOCATION: the location of this network policy; this must match the VMware Engine network
- NETWORK_ID: the VMware Engine network name
- EDGE_SERVICES_CIDR: the IP address range to use when addressing the VMware Engine public IP gateway (/26 address range)
- --external-ip-access: whether external IP addresses can be assigned to VMware workloads. Requires --internet-access to be enabled as well.
- --internet-access: whether VMware workloads can access the internet
API
In the API, make a POST request:
POST https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/networkPolicies?networkPolicyId=NETWORK_POLICY_ID
'{
  "internetAccess": INTERNET_ACCESS,
  "externalIp": EXTERNAL_IP,
  "vmwareEngineNetwork": "projects/PROJECT_ID/locations/LOCATION/vmwareEngineNetworks/NETWORK_ID",
  "edgeServicesCidr": "EDGE_SERVICES_CIDR"
}'
Replace the following:
- PROJECT_ID: the project for this request
- LOCATION: the location of this network policy; this must match the VMware Engine network
- NETWORK_POLICY_ID: a name for this network policy
- INTERNET_ACCESS: whether VMware workloads can access the internet; set this to true or false
- EXTERNAL_IP: whether external IP addresses can be assigned to VMware workloads; set this to true or false. Requires internetAccess to be enabled as well.
- NETWORK_ID: the VMware Engine network name
- EDGE_SERVICES_CIDR: the IP address range to use when addressing the VMware Engine public IP gateway (/26 address range)
Edit a network policy
Console
To edit an existing network policy using the Google Cloud console, do the following:
- In the Google Cloud console, go to the Network policies page. 
- Click Select a project and then select the organization, folder, or project that contains the VMware Engine network you want to edit the network policy for. 
- In the list of network policies, find the network policy that you want to edit. 
- Click the More icon at the end of a row and select Edit. 
- On the page that appears, adjust the network policy as you need. 
- Click Save. 
gcloud
To update a network policy, use the network-policies update command:
gcloud vmware network-policies update NETWORK_POLICY_ID \
  --location LOCATION \
  --edge-services-cidr=EDGE_SERVICES_CIDR \
  [--external-ip-access] \
  [--internet-access]
Replace the following:
- NETWORK_POLICY_ID: the name of the network policy
- LOCATION: the location of this network policy
- EDGE_SERVICES_CIDR: the IP address range to use when addressing the VMware Engine public IP gateway (/26 address range)
- --external-ip-access: whether external IP addresses can be assigned to VMware workloads. Requires --internet-access to be enabled as well.
- --internet-access: whether VMware workloads can access the internet
API
In the API, make a PATCH request to the network policy resource. The updateMask query parameter lists the fields in the body that the request changes:
PATCH https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/networkPolicies/NETWORK_POLICY_ID?updateMask=internetAccess,externalIp,edgeServicesCidr
'{
  "internetAccess": INTERNET_ACCESS,
  "externalIp": EXTERNAL_IP,
  "edgeServicesCidr": "EDGE_SERVICES_CIDR"
}'
Replace the following:
- PROJECT_ID: the project for this request
- LOCATION: the location of this network policy
- NETWORK_POLICY_ID: the name of this network policy
- INTERNET_ACCESS: whether VMware workloads can access the internet; set this to true or false
- EXTERNAL_IP: whether external IP addresses can be assigned to VMware workloads; set this to true or false. Requires internetAccess to be enabled as well.
- EDGE_SERVICES_CIDR: the IP address range to use when addressing the VMware Engine public IP gateway (/26 address range)
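The create and edit request bodies above share two constraints that the API enforces only after the request is sent: the edge services range must be a /26, and the external IP service can only be enabled together with the internet access service. The following pre-flight check, an added example rather than Google's own code or a published client, validates a body against those two rules before it goes into the POST or PATCH request and summarizes what internet exposure the policy would grant. Field names are the ones from the request bodies on this page; the alternative object form {"enabled": true} that the helper also accepts is an assumption about how a policy may be read back, not something this page documents.

```python
import ipaddress

# Example added to this page, not Google's code. It checks the request-body
# constraints stated in the Create and Edit sections before the body is sent:
# edgeServicesCidr must be a /26, and externalIp needs internetAccess.


def _enabled(value):
    """Read a service flag as either the bare boolean used in the request
    bodies above or an object of the form {"enabled": true} (assumed shape
    for a policy read back from the API)."""
    if isinstance(value, dict):
        return bool(value.get("enabled", False))
    return bool(value)


def validate_network_policy(body):
    """Return a list of problems with a network policy body.

    An empty list means the body satisfies the constraints on this page.
    """
    problems = []

    cidr = body.get("edgeServicesCidr")
    if not cidr:
        problems.append("edgeServicesCidr is required")
    else:
        try:
            # strict=True rejects ranges whose host bits are set, e.g. 10.0.0.1/26
            network = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"edgeServicesCidr {cidr!r} is not a valid range: {exc}")
        else:
            if network.version != 4 or network.prefixlen != 26:
                problems.append(f"edgeServicesCidr {cidr} must be an IPv4 /26")

    internet = _enabled(body.get("internetAccess", False))
    external = _enabled(body.get("externalIp", False))
    if external and not internet:
        problems.append("externalIp can only be enabled when internetAccess is enabled")

    return problems


def exposure_summary(body):
    """Classify what the policy permits between the private cloud and the internet."""
    internet = _enabled(body.get("internetAccess", False))
    external = _enabled(body.get("externalIp", False))
    if internet and external:
        return "inbound-and-outbound"   # external IPs are reachable from the internet
    if internet:
        return "outbound-only"          # workloads can reach out, nothing reaches in
    return "isolated"                   # no internet path in either direction


if __name__ == "__main__":
    # Constructed sample bodies, not real policies or project names.
    candidates = {
        "good": {
            "internetAccess": True,
            "externalIp": True,
            "vmwareEngineNetwork": "projects/example-project/locations/us-central1/vmwareEngineNetworks/example-net",
            "edgeServicesCidr": "192.168.255.0/26",
        },
        "bad": {
            "internetAccess": False,
            "externalIp": True,
            "edgeServicesCidr": "10.0.0.0/24",
        },
    }
    for name, body in candidates.items():
        print(name, exposure_summary(body), validate_network_policy(body) or "ok")
```

Running the check before each create or update turns the two rules into a failed pre-flight instead of a rejected API call, and the exposure summary gives a reviewer a one-word answer to whether a change opens inbound access to the private cloud.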
Delete a network policy
To delete an existing network policy, take the following steps.
Console
- In the Google Cloud console, go to the Network policies page. 
- Click Select a project and then select the organization, folder, or project that contains the VMware Engine network you want to delete the network policy for. 
- In the list of network policies, find the network policy that you want to delete. 
- Click the More icon at the end of a row and select Delete. 
gcloud
In gcloud, use the network-policies delete command:
gcloud vmware network-policies delete NETWORK_POLICY_ID
Replace NETWORK_POLICY_ID with the name of the network policy to delete.
API
Make a DELETE request to the network policy resource:
DELETE https://vmwareengine.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/networkPolicies/NETWORK_POLICY_ID
Replace the following:
- PROJECT_ID: the project for this request
- LOCATION: the location of this network policy
- NETWORK_POLICY_ID: the name of this network policy