Network Policies

Keep projects private by default and open exactly the connections you need — ingress from peer projects, outbound IP ranges and domains, scoped to a project, container, or datastore.

Updated 9 Jul 20264 min read

A network policy controls which workloads can talk to your project (ingress) and which networks your workloads are allowed to reach (egress). Policies are defined once at the organisation level and attached wherever you need them, so the same rule set can guard an entire project or a single container.

Private by default

Every project is isolated. Workloads in one project can't reach workloads in another, and nothing outside a project can reach in, unless you explicitly allow it. A network policy is a set of allow rules layered on top of that baseline — you describe the connections that should be permitted, and everything else stays closed. Rules only ever add access; there is no way for a policy to widen access you didn't write down.

What a policy contains

RuleControlsExample
Ingress peersWhich other projects in your organisation may reach the workloads this policy protectsAllow the frontend project to reach backend
Egress IP rangesThe outbound IP ranges your workloads may send traffic to10.0.0.0/8, 203.0.113.0/24
Egress domainsThe domains your workloads may reach, at the application layer (L7)api.stripe.com
PortsOptional port and protocol (TCP/UDP) scoping for the rules aboveOnly 443/TCP
Note

Adding any egress rule switches outbound traffic to deny-by-default: only the ranges and domains you list get through, while name resolution keeps working. A policy with no egress rules leaves outbound traffic open and only constrains ingress.

Layer 3/4 and application-layer (L7) rules

Ingress peers, egress IP ranges, and ports are Layer 3/4 controls — they work on addresses and ports. Egress domains are application-layer (L7) controls: they allow outbound connections based on the domain the request is actually going to, rather than a block of IP addresses that can change over time.

You can turn on application-layer controls explicitly, or they switch on automatically the moment you add an egress domain. A policy with only Layer 3/4 rules never uses the application layer.

Tip

Prefer egress domains over IP ranges when you're allowing traffic to a third-party service. Their IP addresses change without notice; the domain doesn't.

Where a policy applies

You choose the scope when you attach the policy:

  • Whole project — applies to every container and datastore in the project, including ones deployed later. Use this for guardrails that should always hold.
  • A single container — gives just that workload its own ingress peers or outbound allowances, without changing the rest of the project.
  • A datastore — controls exactly which workloads may connect to a managed datastore. Application-layer domain rules don't apply to datastores; only the IP, port, and peer rules that gate who can reach them.

A policy attached to the whole project already covers every workload in it, so you don't need to attach the same policy to individual containers as well.

Create and attach in the Console

  1. Open Resources → Networking → Network Policies and choose Add Network Policy.
  2. Give it a name and handle, then add the rules you need — peer projects, egress IP ranges, egress domains, and optional ports.
  3. Save the policy. It now exists at the organisation level but isn't applied yet.
  4. Attach it: from a project's network-policies panel to cover the whole project, or from a container or datastore to scope it to that one workload.

Detaching removes the rules from that workload; the policy itself stays in your inventory for reuse elsewhere.

Billing

  • A small per-policy base rate applies while the policy exists in your organisation.
  • A per-region rate applies while the policy is attached to a project.
  • Application-layer (L7) domain rules add a per-replica charge — roughly $4.50 to $7.00 per container replica per region, depending on the region — on the containers the policy applies to. Layer 3/4 rules (peers, IP ranges, ports) don't carry this charge. Datastores never incur the application-layer charge.

The Console shows the application-layer cost before you attach a policy that uses domain rules.

See also