Block external access for a job

This document explains how to configure a Batch job to block external access for all of its VMs or specific containers.

Block external access for a job to meet networking requirements or improve security. You must block external access for a job's VMs by using VMs without external IP addresses if any of the following are true:

Your project is restricted by the compute.vmExternalIpAccess organization policy constraint.
The network you specify for the job uses Private Google Access to configure private connectivity to Google APIs and services. Private Google Access has no effect on VMs that have external IP addresses.

If the network you specify for the job uses Private Google Access with VPC Service Controls for Batch, see Use VPC Service Controls and Batch.

Alternatively, if you do not want to block all direct external access for a job, you can block external access for any containers that a job runs.

For more information about networking concepts and when to configure networking, see Batch networking overview.

Before you begin

If you haven't used Batch before, review Get started with Batch and enable Batch by completing the prerequisites for projects and users.
To get the permissions that you need to create a job that blocks external access, ask your administrator to grant you the following IAM roles:
- Batch Job Editor (roles/batch.jobsEditor) on the project
- Service Account User (roles/iam.serviceAccountUser) on the job's service account, which by default is the default Compute Engine service account
- To identify the network and subnet for a job: Compute Network Viewer (roles/compute.networkViewer) on the project
For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.
If you block external access for a job's VMs, you need to identify the network that you want to use for the job. The network you specify for a job that blocks external access for its VMs must meet the following requirements:
- The network is a Virtual Private Cloud (VPC) network that is in the same project as the job or is a Shared VPC network that is hosted by or shared with the project for the job.
- The network includes a subnetwork (subnet) in the location where you want to run the job.
- The network allows any access required for your job. If you block external access for a job's VMs, the network must use Cloud NAT or Private Google Access to allow access to the domains for the APIs and services that your job uses. For example, all jobs use the Batch and Compute Engine APIs and very often use the Cloud Logging API.
For more information, see Create and manage VPC networks.

Create a job that blocks external access for all VMs

Block external access for a job's VMs when you are creating the job. When you block external access for all the VMs a job runs on, you also need to specify a network and subnet that allow the job to access required APIs.

If you want to use a VM instance template while creating this job, you must specify the network and disable external IP addresses in the VM instance template. Otherwise, use the following steps to block external access for a job's VMs by using the gcloud CLI or Batch API.

gcloud

To create a job that blocks external access using the gcloud CLI, select one of the following options:

Use gcloud flags to block external access for all VMs
Use JSON fields to block external access for all VMs

Use gcloud flags to block external access for all VMs

To create a job and use gcloud flags to block external access for the job, complete the following steps:

Create a JSON file that specifies your job's configuration details.

For example, to create a basic script job, create a JSON file with the following contents.

{
  "taskGroups": [
    {
      "taskSpec": {
        "runnables": [
          {
            "script": {
              "text": "echo Hello world! This is task ${BATCH_TASK_INDEX}. This job has a total of ${BATCH_TASK_COUNT} tasks."
            }
          }
        ]
      },
      "taskCount": 3
    }
  ],
  "logsPolicy": {
    "destination": "CLOUD_LOGGING"
  }
}

Create the job by using the gcloud batch jobs submit command. To block external access for all VMs, include the --no-external-ip-address, --network, and --subnetwork flags.
```
gcloud batch jobs submit JOB_NAME \
    --location LOCATION \
    --config JSON_CONFIGURATION_FILE \
    --no-external-ip-address \
    --network projects/HOST_PROJECT_ID/global/networks/NETWORK \
    --subnetwork projects/HOST_PROJECT_ID/regions/REGION/subnetworks/SUBNET
```
Replace the following:
- JOB_NAME: the name for this job.
- LOCATION: the location for this job.
- JSON_CONFIGURATION_FILE: the path for the JSON file with the job's configuration details.
- HOST_PROJECT_ID: the project ID of the project for the network you specify:
  - If you are using a Shared VPC network, specify the host project.
  - Otherwise, specify the current project.
- NETWORK: the name of a VPC network in the current project or a Shared VPC network that is hosted by or shared with the current project.
- REGION: the region where the subnet and the VMs for the job are located:
  - If you include the allowedLocations field to specify the allowed location for the VMs for the job, you must specify the same region here.
  - Otherwise, the region must be the same as the location you select for the job (LOCATION).
- SUBNET: the name of a subnet that is part of the VPC network and is located in the same region as the VMs for the job.

Use JSON fields to block external access for all VMs

To create a job and use fields in the JSON configuration file to block external access for all VMs, complete the following steps:

Create a JSON file that specifies your job's configuration details. To block external access for all VMs, do the following:
- Set the noExternalIpAddress field to true.
- Specify the network for the job in the network and subnetwork fields.
For example, to create a basic script job that block external access for all VMs, create a JSON file with the following contents.
```
{
  "taskGroups": [
    {
      "taskSpec": {
        "runnables": [
          {
            "script": {
              "text": "echo Hello world! This is task ${BATCH_TASK_INDEX}. This job has a total of ${BATCH_TASK_COUNT} tasks."
            }
          }
        ]
      },
      "taskCount": 3
    }
  ],
  "allocationPolicy": {
    "network": {
      "networkInterfaces": [
        {
          "network": "projects/HOST_PROJECT_ID/global/networks/NETWORK",
          "subnetwork": "projects/HOST_PROJECT_ID/regions/REGION/subnetworks/SUBNET",
          "noExternalIpAddress": true
        }
      ]
    }
  },
  "logsPolicy": {
    "destination": "CLOUD_LOGGING"
  }
}
```
Replace the following:
- HOST_PROJECT_ID: the project ID of the project for the network you specify:
  - If you are using a Shared VPC network, specify the host project.
  - Otherwise, specify the current project.
- NETWORK: the name of a network that provides the access required for this job. The network must be either a VPC network in current project or a Shared VPC network that is hosted by or shared with the current project.
- REGION: the region where the subnet and the VMs for the job are located:
  - If you include the allowedLocations field to specify the allowed location for the VMs for the job, you must specify the same region here.
  - Otherwise, the region must be the same as the location you select for the job (LOCATION).
- SUBNET: the name of a subnet that is part of the VPC network and is located in the same region as the VMs for the job.
Create the job by using the gcloud batch jobs submit command.
```
gcloud batch jobs submit JOB_NAME \
    --location LOCATION \
    --config JSON_CONFIGURATION_FILE
```
Replace the following:
- JOB_NAME: the name you want for this job.
- LOCATION: the location you want for this job.
- JSON_CONFIGURATION_FILE: the path for the JSON file with the job's configuration details.

API

To create a job using the Batch API, use the jobs.create method and specify your job's configuration details. To block external access for all VMs, do the following:

Set the noExternalIpAddress field to true.
Specify the network for the job in the network and subnetwork fields.

For example, to create a basic script job that block external access for all VMs, make the following POST request:

POST https://batch.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/jobs?job_id=JOB_NAME

{
  "taskGroups": [
    {
      "taskSpec": {
        "runnables": [
          {
            "script": {
              "text": "echo Hello world! This is task ${BATCH_TASK_INDEX}. This job has a total of ${BATCH_TASK_COUNT} tasks."
            }
          }
        ]
      },
      "taskCount": 3
    }
  ],
  "allocationPolicy": {
    "network": {
      "networkInterfaces": [
        {
          "network": "projects/HOST_PROJECT_ID/global/networks/NETWORK",
          "subnetwork": "projects/HOST_PROJECT_ID/regions/REGION/subnetworks/SUBNET",
          "noExternalIpAddress": true
        }
      ]
    }
  },
  "logsPolicy": {
    "destination": "CLOUD_LOGGING"
  }
}

Replace the following:

PROJECT_ID: the project ID of your project.
LOCATION: the location you want for this job.
JOB_NAME: the name you want for this job.
HOST_PROJECT_ID: the project ID of the project for the network you specify:
- If you are using a Shared VPC network, specify the host project.
- Otherwise, specify the current project (PROJECT_ID).
NETWORK: the name of a network that provides the access required for this job. The network must be either a VPC network in current project or a Shared VPC network that is hosted by or shared with the current project.
REGION: the region where the subnet and the VMs for the job are located:
- If you include the allowedLocations field to specify the allowed location for the VMs for the job, you must specify the same region here.
- Otherwise, the region must be the same as the location you select for the job (LOCATION).
SUBNET: the name of a subnet that is part of the VPC network and is located in the same region as the VMs for the job.

Create a job that blocks external access for one or more containers

Block external access for any of a job's containers when you are creating the job.

You can block external access for any of job's containers by using the gcloud CLI or Batch API.

gcloud

To create a job that blocks external access for one or more containers using the gcloud CLI, complete the following steps:

Create a JSON file that specifies your job's configuration details. For each container in the job that you want to restrict, set the blockExternalNetwork field to true.

For example, to create a basic container job that blocks external access for the container, create a JSON file with the following contents.

{
  "taskGroups": [
    {
      "taskSpec": {
        "runnables": [
          {
            "container": {
              "imageUri": "gcr.io/google-containers/busybox",
              "entrypoint": "/bin/sh",
              "commands": [
                "-c",
                "echo Hello world! This is task ${BATCH_TASK_INDEX}. This job has a total of ${BATCH_TASK_COUNT} tasks."
              ],
              "blockExternalNetwork": true
            }
          }
        ]
      },
      "taskCount": 4,
      "parallelism": 2
    }
  ],
  "logsPolicy": {
    "destination": "CLOUD_LOGGING"
  }
}

Create the job by using the gcloud batch jobs submit command.
```
gcloud batch jobs submit JOB_NAME \
    --location LOCATION \
    --config JSON_CONFIGURATION_FILE
```
Replace the following:
- JOB_NAME: the name you want for this job.
- LOCATION: the location you want for this job.
- JSON_CONFIGURATION_FILE: the path for the JSON file with the job's configuration details.

API

To create a job using the Batch API, use the jobs.create method and specify your job's configuration details. For each container in the job that you want to restrict, set the blockExternalNetwork field to true.

For example, to create a basic container job that blocks external access for the container, make the following POST request:

POST https://batch.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/jobs?job_id=JOB_NAME

{
  "taskGroups": [
    {
      "taskSpec": {
        "runnables": [
          {
            "container": {
              "imageUri": "gcr.io/google-containers/busybox",
              "entrypoint": "/bin/sh",
              "commands": [
                "-c",
                "echo Hello world! This is task ${BATCH_TASK_INDEX}. This job has a total of ${BATCH_TASK_COUNT} tasks."
              ],
              "blockExternalNetwork": true
            }
          }
        ]
      },
      "taskCount": 4,
      "parallelism": 2
    }
  ],
  "logsPolicy": {
    "destination": "CLOUD_LOGGING"
  }
}

Replace the following:

PROJECT_ID: the project ID of your project.
LOCATION: the location you want for this job.
JOB_NAME: the name you want for this job.

What's next

If you have issues creating or running a job, see Troubleshooting.
Learn more about networking.
Learn more about creating a job.
Learn how to view jobs and tasks.