Restrict Cloud Interconnect usage

This document describes how to restrict the set of Virtual Private Cloud (VPC) networks that can use Cloud Interconnect.

By default, any VPC network can use Cloud Interconnect. To control which VPC networks can use Cloud Interconnect, you can set an organization policy. For general information about organization policies, see Introduction to the Organization Policy Service.

Using Cloud Interconnect to connect a VPC network to your on-premises network requires a VLAN attachment. An organization policy for restricting Cloud Interconnect usage allows or denies the creation of VLAN attachments from specified VPC networks. You can set a policy that allows or denies the creation of VLAN attachments from a specific VPC network or all VPC networks in a project, folder, or organization resource.

You can use the following constraints when defining your policy:

  • constraints/compute.restrictDedicatedInterconnectUsage

    This constraint defines the set of VPC networks that you can use when creating a VLAN attachment using Dedicated Interconnect.

  • constraints/compute.restrictPartnerInterconnectUsage

    This constraint defines the set of VPC networks that you can use when creating a VLAN attachment using Partner Interconnect.

When you set an organization policy, it only constrains the creation of VLAN attachments in the future. The policy does not affect previously created VLAN attachments.

If a user attempts to create a VLAN attachment that violates an organization policy, they see an error message. The following is an example error message from running gcloud compute interconnects attachments partner create:

ERROR: (gcloud.compute.interconnects.attachments.partner.create) Could not fetch resource:
- Constraint constraints/compute.restrictPartnerInterconnectUsage violated for projects/example-project. projects/example-project/global/networks/example-network is not allowed to use the Partner Interconnect.

This page includes example procedures for setting organization policies to restrict Cloud Interconnect usage.

For more information, including general procedures for setting organization policies, see the following:

Before you begin

To set organization policies, you must have the Organization Policy Administrator role (roles/orgpolicy.policyAdmin).

Set a policy to deny a specific VPC network

To set a policy to deny a specific VPC network from using Cloud Interconnect, follow these steps:

  1. Find your organization ID by entering the following command:

    gcloud organizations list

    The command output looks like the following example:

    DISPLAY NAME             ID
    example-organization     29252605212

  2. Create a JSON file that defines your policy. The following example JSON file defines a policy that prevents network-1 in project-1 from using Dedicated Interconnect:

    {
      "Constraint": "constraints/compute.restrictDedicatedInterconnectUsage",
      "listPolicy": {
        "deniedValues": [
          "projects/project-1/global/networks/network-1"
        ]
      }
    }

  3. Use the gcloud Resource Manager set-policy command to set the organization policy:

    gcloud resource-manager org-policies set-policy JSON_FILE_NAME --organization=ORGANIZATION_ID

    Replace the following:

    • JSON_FILE_NAME: the name of the JSON file that you created in the previous step, such as policy-name.json

    • ORGANIZATION_ID: the ID of the organization that you previously found

Set a policy to deny all VPC networks

To set a policy to deny all VPC networks from using Cloud Interconnect, follow these steps:

  1. Find your organization ID by entering the following command:

    gcloud organizations list

    The command output looks like the following example:

    DISPLAY NAME             ID
    example-organization     29252605212

  2. Create a JSON file that defines your policy. The following example JSON file defines a policy that prevents all VPC networks from using Dedicated Interconnect:

    {
      "Constraint": "constraints/compute.restrictDedicatedInterconnectUsage",
      "listPolicy": {
        "allValues": "DENY"
      }
    }

  3. Use the gcloud Resource Manager set-policy command to set the organization policy:

    gcloud resource-manager org-policies set-policy JSON_FILE_NAME --organization=ORGANIZATION_ID

    Replace the following:

    • JSON_FILE_NAME: the name of the JSON file that you created in the previous step, such as policy-name.json

    • ORGANIZATION_ID: the ID of the organization that you previously found

Set a policy at the organization, folder, or project level

The previous sections describe how to deny a specific VPC network or all VPC networks. You can also use the syntax described in List constraints to allow or deny VPC networks at the organization, project, or folder level.
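Because a policy only constrains VLAN attachments created after it is set, it helps to check which existing attachments a policy would reject if they were created now. The following is an added example, not code from this documentation: it evaluates a single list policy locally without calling Google Cloud. The attachment record shape, the caller-supplied ancestors list, and the handling of the under: prefix are assumptions, and policy inheritance across the resource hierarchy is not modelled.

```python
import json

# Attachment type -> governing constraint (constraint names are from this page).
CONSTRAINT_FOR_TYPE = {
    "DEDICATED": "constraints/compute.restrictDedicatedInterconnectUsage",
    "PARTNER": "constraints/compute.restrictPartnerInterconnectUsage",
}

def _matches(value, network, ancestors):
    if value.startswith("under:"):  # assumed hierarchical list-constraint syntax
        return value[len("under:"):] in ancestors
    return value == network

def network_allowed(policy, network, ancestors):
    """Evaluate one list policy for one VPC network (no inheritance merging)."""
    lp = policy.get("listPolicy", {})
    if lp.get("allValues") in ("DENY", "ALLOW"):
        return lp["allValues"] == "ALLOW"
    if any(_matches(v, network, ancestors) for v in lp.get("deniedValues", [])):
        return False  # a denied value wins over an allowed one
    allowed = lp.get("allowedValues")
    # No allow-list means the page default applies: any VPC network is allowed.
    return not allowed or any(_matches(v, network, ancestors) for v in allowed)

def audit(policy, attachments):
    """Names of existing attachments the policy would reject if created now."""
    constraint = next(v for k, v in policy.items() if k.lower() == "constraint")
    return [a["name"] for a in attachments
            if CONSTRAINT_FOR_TYPE.get(a["type"]) == constraint
            and not network_allowed(policy, a["network"], a["ancestors"])]

# Policy copied from the "deny a specific VPC network" step on this page.
DENY_ONE = json.loads("""{
  "Constraint": "constraints/compute.restrictDedicatedInterconnectUsage",
  "listPolicy": {"deniedValues": ["projects/project-1/global/networks/network-1"]}
}""")

# Constructed inventory (hypothetical record shape, not gcloud output).
ANCESTORS = ["projects/project-1", "organizations/29252605212"]
ATTACHMENTS = [
    {"name": "vlan-a", "type": "DEDICATED", "ancestors": ANCESTORS,
     "network": "projects/project-1/global/networks/network-1"},
    {"name": "vlan-b", "type": "DEDICATED", "ancestors": ANCESTORS,
     "network": "projects/project-1/global/networks/network-2"},
    {"name": "vlan-c", "type": "PARTNER", "ancestors": ANCESTORS,
     "network": "projects/project-1/global/networks/network-1"},
]

print(audit(DENY_ONE, ATTACHMENTS))
```

Attachments reported by audit stay in service after the policy is set, so review them separately.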


Last updated 2026-02-19 UTC.