Network Policies
Keep projects private by default and open exactly the connections you need — ingress from peer projects, outbound IP ranges and domains, scoped to a project, container, or datastore.
A network policy controls which workloads can talk to your project (ingress) and which networks your workloads are allowed to reach (egress). Policies are defined once at the organisation level and attached wherever you need them, so the same rule set can guard an entire project or a single container.
Private by default
Every project is isolated. Workloads in one project can't reach workloads in another, and nothing outside a project can reach in, unless you explicitly allow it. A network policy is a set of allow rules layered on top of that baseline — you describe the connections that should be permitted, and everything else stays closed. Rules only ever add access; there is no way for a policy to widen access you didn't write down.
What a policy contains
| Rule | Controls | Example |
|---|---|---|
| Ingress peers | Which other projects in your organisation may reach the workloads this policy protects | Allow the frontend project to reach backend |
| Egress IP ranges | The outbound IP ranges your workloads may send traffic to | 10.0.0.0/8, 203.0.113.0/24 |
| Egress domains | The domains your workloads may reach, at the application layer (L7) | api.stripe.com |
| Ports | Optional port and protocol (TCP/UDP) scoping for the rules above | Only 443/TCP |
Adding any egress rule switches outbound traffic to deny-by-default: only the ranges and domains you list get through, while name resolution keeps working. A policy with no egress rules leaves outbound traffic open and only constrains ingress.
Layer 3/4 and application-layer (L7) rules
Ingress peers, egress IP ranges, and ports are Layer 3/4 controls — they work on addresses and ports. Egress domains are application-layer (L7) controls: they allow outbound connections based on the domain the request is actually going to, rather than a block of IP addresses that can change over time.
You can turn on application-layer controls explicitly, or they switch on automatically the moment you add an egress domain. A policy with only Layer 3/4 rules never uses the application layer.
Prefer egress domains over IP ranges when you're allowing traffic to a third-party service. Their IP addresses change without notice; the domain doesn't.
Where a policy applies
You choose the scope when you attach the policy:
- Whole project — applies to every container and datastore in the project, including ones deployed later. Use this for guardrails that should always hold.
- A single container — gives just that workload its own ingress peers or outbound allowances, without changing the rest of the project.
- A datastore — controls exactly which workloads may connect to a managed datastore. Application-layer domain rules don't apply to datastores; only the IP, port, and peer rules that gate who can reach them.
A policy attached to the whole project already covers every workload in it, so you don't need to attach the same policy to individual containers as well.
Create and attach in the Console
- Open Resources → Networking → Network Policies and choose Add Network Policy.
- Give it a name and handle, then add the rules you need — peer projects, egress IP ranges, egress domains, and optional ports.
- Save the policy. It now exists at the organisation level but isn't applied yet.
- Attach it: from a project's network-policies panel to cover the whole project, or from a container or datastore to scope it to that one workload.
Detaching removes the rules from that workload; the policy itself stays in your inventory for reuse elsewhere.
Billing
- A small per-policy base rate applies while the policy exists in your organisation.
- A per-region rate applies while the policy is attached to a project.
- Application-layer (L7) domain rules add a per-replica charge — roughly $4.50 to $7.00 per container replica per region, depending on the region — on the containers the policy applies to. Layer 3/4 rules (peers, IP ranges, ports) don't carry this charge. Datastores never incur the application-layer charge.
The Console shows the application-layer cost before you attach a policy that uses domain rules.