Organization Policy Service gives you centralized, programmatic control over your organization's resources. As the organization policy administrator, you can define an organization policy, which is a set of restrictions called constraints that apply to Google Cloud resources and descendants of those resources in the Google Cloud resource hierarchy.
This page provides supplemental information about organization policy constraints that apply to Cloud Load Balancing. You use organization policy constraints to enforce settings across an entire project, folder, or organization.
Organization policies only apply to new resources. Constraints are not enforced retroactively. If you have pre-existing load-balancing resources that are in violation of a new organization policy, you will need to address such violations manually.
For a complete list of available constraints, see Organization policy constraints.
Use an organization policy to restrict the Cloud Load Balancing types that can be created in your organization. Set the following organization policy constraint:
constraints/compute.restrictLoadBalancerCreationForTypesWhen you set the compute.restrictLoadBalancerCreationForTypes
constraint, you specify an allowlist or denylist of the Cloud Load Balancing
types. The list of allowed or denied values can only include values from the
following list:
Application Load Balancers
GLOBAL_EXTERNAL_MANAGED_HTTP_HTTPS for the global external Application Load BalancerEXTERNAL_HTTP_HTTPS for the classic Application Load BalancerGLOBAL_INTERNAL_MANAGED_HTTP_HTTPS for the cross-region internal Application Load BalancerEXTERNAL_MANAGED_HTTP_HTTPS for the regional external Application Load BalancerINTERNAL_HTTP_HTTPS for the regional internal Application Load BalancerProxy Network Load Balancers
GLOBAL_EXTERNAL_MANAGED_TCP_PROXY for the global external proxy Network Load Balancer with a
TCP proxyGLOBAL_EXTERNAL_MANAGED_SSL_PROXY for the global external proxy Network Load Balancer with
an SSL proxyEXTERNAL_TCP_PROXY for the classic proxy Network Load Balancer with a TCP proxyEXTERNAL_SSL_PROXY for the classic proxy Network Load Balancer with an SSL proxyGLOBAL_INTERNAL_MANAGED_TCP_PROXY for the cross-region internal proxy Network Load Balancer
with a TCP proxyREGIONAL_EXTERNAL_MANAGED_TCP_PROXY for the regional external proxy Network Load Balancer
with a TCP proxyREGIONAL_INTERNAL_MANAGED_TCP_PROXY for the regional internal proxy Network Load Balancer
with a TCP proxyPassthrough Network Load Balancers
EXTERNAL_NETWORK_TCP_UDP for the regional external passthrough Network Load BalancerINTERNAL_TCP_UDP for the internal passthrough Network Load BalancerTo include all internal or all external load balancer types, use the in:
prefix followed by INTERNAL or EXTERNAL. For example, allowing in:INTERNAL
allows all internal load balancers from the preceding list.
For sample instructions about how to use this constraint, see Set up list constraints with organization policies.
After you set the policy, the policy is enforced when adding the respective Google Cloud forwarding rules. The constraint is not enforced on existing Cloud Load Balancing configurations.
If you attempt to create a load balancer of a type that violates the constraint, the attempt fails and an error message is generated. The error message has the following format:
Constraint constraints/compute.restrictLoadBalancerCreationForTypes violated for projects/PROJECT_NAME. Forwarding Rule projects/PROJECT_NAME/region/REGION/forwardingRules/FORWARDING_RULE_NAME of type SCHEME is not allowed.
If you set multiple restrictLoadBalancerCreationForTypes constraints at
different resource levels, they are enforced
hierarchically.
For this reason, we recommended that you set the inheritFromParent field to
true, which ensures that policies at higher layers are also considered.
If you are using Google Kubernetes Engine (GKE), and someone in your organization has created an organization policy that limits which types of load balancers can be created, then you'll see an error message similar to the following:
Warning Sync 28s loadbalancer-controller Error during sync: error running load balancer syncing routine: loadbalancer FORWARDING_RULE_NAME does not exist: googleapi: Error 412: Constraint constraints/compute.restrictLoadBalancerCreationForTypes violated for projects/PROJECT_ID. Forwarding Rule projects/PROJECT_ID/global/forwardingRules/FORWARDING_RULE_NAME of type LOAD_BALANCER_TYPE is not allowed, conditionNotMet
Depending on the policy, this might limit your ability to create new load balancer resources such as Services, Ingresses, or Gateways. Contact your organization policy administrators to help you understand which restrictions are in place.
You can view GKE error messages by running the following commands:
kubectl get events -w
kubectl describe RESOURCE_KIND NAME
Replace the following:
RESOURCE_KIND: the kind of load balancer, ingress or serviceNAME: the name of the load balancerThis legacy managed constraint disables creation of global load-balancing products. When enforced, only regional load-balancing products without global dependencies can be created.
constraints/compute.disableGlobalLoadBalancingBy default, users are allowed to create global load-balancing products.
For sample instructions about how to use this constraint, see Set up boolean constraints with organization policies.
Use an organization policy to restrict the types of protocol forwarding deployments (internal or external) that can be created in your organization. Set the following organization policy constraint:
constraints/compute.managed.restrictProtocolForwardingCreationForTypesTo configure the compute.managed.restrictProtocolForwardingCreationForTypes
constraint, you specify an allowlist or denylist of the type of protocol
forwarding deployment to be allowed or denied. The list of allowed or denied
values can only include the following values:
INTERNALEXTERNALBy default, newly created organizations have this policy configured to allow
only INTERNAL protocol forwarding. That is, any forwarding rules associated
with target instances are limited to using internal IP addresses only. If you
want to use protocol forwarding with external IP addresses, or, if you want to
prohibit users from using protocol forwarding with internal IP addresses, then
you need to update this organization policy.
After you update the policy, the changes are enforced when you create any new forwarding rules associated with target instances. The constraint is not enforced retroactively on existing protocol forwarding configurations.
For sample instructions about how to use this constraint, see Set up list constraints with organization policies.
If you attempt to create a protocol forwarding deployment of a type that violates the constraint, the attempt fails and an error message is generated. The error message has the following format:
Constraint constraints/compute.managed.restrictProtocolForwardingCreationForTypes violated for projects/PROJECT_NAME. Forwarding Rule projects/PROJECT_NAME/region/REGION/forwardingRules/FORWARDING_RULE_NAME of type SCHEME is not allowed.
If you set multiple compute.managed.restrictProtocolForwardingCreationForTypes
constraints at different resource levels, and if you set the
inheritFromParent field to true, then the constraints are enforced
hierarchically.
Use the following organization policies to restrict how users are allowed to set up Shared VPC deployments.
This legacy managed constraint lets you restrict the Shared VPC host projects that a resource can attach to.
constraints/compute.restrictSharedVpcHostProjectsBy default, a project can attach to any host project in the same organization,
thereby becoming a service project. When you set the
compute.restrictSharedVpcHostProjects constraint, you specify an allowlist or
denylist of host projects in the following ways:
projects/PROJECT_IDunder:organizations/ORGANIZATION_IDunder:folders/FOLDER_IDFor sample instructions about how to use this constraint, see Set up list constraints with organization policies.
This legacy managed constraint defines the set of Shared VPC subnets that eligible resources can use. This constraint does not apply to resources within the same project.
constraints/compute.restrictSharedVpcSubnetworksBy default, eligible resources can use any Shared VPC subnet. When
you set the compute.restrictSharedVpcSubnetworks constraint, you specify a
restricted list of subnets in the following ways:
projects/PROJECT_ID/regions/REGION/subnetworks/SUBNET_NAMEunder:organizations/ORGANIZATION_IDunder:folders/FOLDER_IDunder:projects/PROJECT_IDFor sample instructions about how to use this constraint, see Set up list constraints with organization policies.
You can use this constraint to limit the backend services and backend buckets that a URL map can reference. This constraint does not apply to backend services and backend buckets within the same project as the URL map.
constraints/compute.restrictCrossProjectServicesBy default, a URL map in one project can reference compatible backend services
and backend buckets from other projects in the same organization as long as the
user performing the action has the compute.backendServices.use,
compute.regionBackendServices.use, or compute.backendBuckets.use permission.
To configure the restrictCrossProjectServices constraint, you can specify an
allowlist or denylist of backend services or backend buckets in the following
ways:
projects/PROJECT_ID/regions/REGION/backendservices/BACKEND_SERVICE_NAMEprojects/PROJECT_ID/global/backendservices/BACKEND_SERVICE_NAMESpecify backend buckets in the following format:
projects/PROJECT_ID/regions/REGION/backendbuckets/BACKEND_BUCKET_NAMEprojects/PROJECT_ID/global/backendbuckets/BACKEND_BUCKET_NAMESpecify a project, folder, or organization. The constraint applies to all backend services and backend buckets under the specified resource in the resource hierarchy. Use the following format:
under:organizations/ORGANIZATION_IDunder:folders/FOLDER_IDunder:projects/PROJECT_IDAfter you set up an organization policy with this constraint, the constraint
goes into effect the next time you use the gcloud compute url-maps command to
attach a backend service or a backend bucket to a URL map. The constraint does
not retroactively affect existing references to any cross-project backend
services or backend buckets.
This constraint applies to all deployment types, Shared VPC included. To
avoid conflicts, we recommend not using both this constraint and the
compute.restrictSharedVpcBackendServices constraint described in the next
section.
For sample instructions about how to use this constraint, see Set up list constraints with organization policies.
You can use this constraint to limit the backend services that a URL map can reference in Shared VPC deployments that use cross-project service referencing. This constraint does not apply to backend services within the same project as the URL map.
constraints/compute.restrictSharedVpcBackendServicesWe recommend using the compute.restrictCrossProjectServices constraint
documented in the previous section instead. The
compute.restrictCrossProjectServices constraint applies to all deployment
types, Shared VPC or otherwise, and applies to both backend buckets and
backend services.
This legacy managed constraint restricts the set of users that can remove a
Shared VPC host project lien without organization-level permission where
this constraint is already set to True.
constraints/compute.restrictXpnProjectLienRemovalBy default, any user with the permission to update liens can remove a Shared VPC host project lien. Enforcing this constraint requires that permission be granted at the organization level.
For sample instructions about how to use this constraint, see Set up boolean constraints with organization policies.
To meet your compliance requirements and restrict certain Transport Layer Security (TLS) capabilities, you can create the following organization policy constraint and use it along with custom constraints for SSL policy resources:
constraints/compute.requireSslPolicyBy using the compute.requireSslPolicy constraint along with your own
custom constraints for SSL policy fields,
you can create restrictions tailored to your deployments. For example, you can
do the following:
To enforce an SSL policy for an Application Load Balancer or a proxy Network Load Balancer, you must attach it to the load balancer's target HTTPS proxy or target SSL proxy.
To update existing SSL policies, see Manage SSL policies.
To perform this task, you must have the following permissions:
roles/orgpolicy.policyAdmin). For more information, see
Access control for organization resources with IAM.To set an organization policy from the console, complete the following steps:
For detailed instructions about customizing organization policies by using the Google Cloud console, see Customizing policies for boolean constraints.
To enable enforcement of a constraint that uses boolean rules, use the
gcloud resource-manager org-policies
enable-enforce
command as follows.
To enable restriction of Shared VPC project lien removal:
gcloud resource-manager org-policies enable-enforce \
--organization ORGANIZATION_ID \
constraints/compute.restrictXpnProjectLienRemoval
To disable global load balancing:
gcloud resource-manager org-policies enable-enforce \
--organization ORGANIZATION_ID \
constraints/compute.disableGlobalLoadBalancing
For detailed instructions about working with boolean rules in
gcloud, see Use boolean rules in organization policy.