Sample Neutron VPNaaS Policy File
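The following is a sample neutron-vpnaas policy file for adaptation and use.
Each rule is shown commented out with its default value; uncomment a rule only to override that default.
The sample policy can also be viewed in file form.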
Important
The sample policy file is auto-generated from neutron-vpnaas when this documentation is built. You must ensure your version of neutron-vpnaas matches the version of this documentation.
# Create a VPN endpoint group
# POST /vpn/endpoint-groups
# Intended scope(s): project
#"create_endpoint_group": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "create_endpoint_group":"rule:regular_user" has been deprecated
# since 2025.2 in favor of "create_endpoint_group":"(rule:admin_only)
# or (role:member and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for endpoint
# groups.
# Update a VPN endpoint group
# PUT /vpn/endpoint-groups/{id}
# Intended scope(s): project
#"update_endpoint_group": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "update_endpoint_group":"rule:admin_or_owner" has been deprecated
# since 2025.2 in favor of "update_endpoint_group":"(rule:admin_only)
# or (role:member and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for endpoint
# groups.
# Delete a VPN endpoint group
# DELETE /vpn/endpoint-groups/{id}
# Intended scope(s): project
#"delete_endpoint_group": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "delete_endpoint_group":"rule:admin_or_owner" has been deprecated
# since 2025.2 in favor of "delete_endpoint_group":"(rule:admin_only)
# or (role:member and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for endpoint
# groups.
# Get VPN endpoint groups
# GET /vpn/endpoint-groups
# GET /vpn/endpoint-groups/{id}
# Intended scope(s): project
#"get_endpoint_group": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "get_endpoint_group":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "get_endpoint_group":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for endpoint
# groups.
# Create an IKE policy
# POST /vpn/ikepolicies
# Intended scope(s): project
#"create_ikepolicy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "create_ikepolicy":"rule:regular_user" has been deprecated since
# 2025.2 in favor of "create_ikepolicy":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for IKE
# policies.
# Update an IKE policy
# PUT /vpn/ikepolicies/{id}
# Intended scope(s): project
#"update_ikepolicy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "update_ikepolicy":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "update_ikepolicy":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for IKE
# policies.
# Delete an IKE policy
# DELETE /vpn/ikepolicies/{id}
# Intended scope(s): project
#"delete_ikepolicy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "delete_ikepolicy":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "delete_ikepolicy":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for IKE
# policies.
# Get IKE policies
# GET /vpn/ikepolicies
# GET /vpn/ikepolicies/{id}
# Intended scope(s): project
#"get_ikepolicy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "get_ikepolicy":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "get_ikepolicy":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for IKE
# policies.
# Create an IPsec policy
# POST /vpn/ipsecpolicies
# Intended scope(s): project
#"create_ipsecpolicy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "create_ipsecpolicy":"rule:regular_user" has been deprecated since
# 2025.2 in favor of "create_ipsecpolicy":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for IPsec
# policies.
# Update an IPsec policy
# PUT /vpn/ipsecpolicies/{id}
# Intended scope(s): project
#"update_ipsecpolicy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "update_ipsecpolicy":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "update_ipsecpolicy":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for IPsec
# policies.
# Delete an IPsec policy
# DELETE /vpn/ipsecpolicies/{id}
# Intended scope(s): project
#"delete_ipsecpolicy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "delete_ipsecpolicy":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "delete_ipsecpolicy":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for IPsec
# policies.
# Get IPsec policies
# GET /vpn/ipsecpolicies
# GET /vpn/ipsecpolicies/{id}
# Intended scope(s): project
#"get_ipsecpolicy": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "get_ipsecpolicy":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "get_ipsecpolicy":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for IPsec
# policies.
# Create an IPsec site connection
# POST /vpn/ipsec-site-connections
# Intended scope(s): project
#"create_ipsec_site_connection": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "create_ipsec_site_connection":"rule:regular_user" has been
# deprecated since 2025.2 in favor of
# "create_ipsec_site_connection":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for IPsec site
# connections.
# Update an IPsec site connection
# PUT /vpn/ipsec-site-connections/{id}
# Intended scope(s): project
#"update_ipsec_site_connection": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "update_ipsec_site_connection":"rule:admin_or_owner" has been
# deprecated since 2025.2 in favor of
# "update_ipsec_site_connection":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for IPsec site
# connections.
# Delete an IPsec site connection
# DELETE /vpn/ipsec-site-connections/{id}
# Intended scope(s): project
#"delete_ipsec_site_connection": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "delete_ipsec_site_connection":"rule:admin_or_owner" has been
# deprecated since 2025.2 in favor of
# "delete_ipsec_site_connection":"(rule:admin_only) or (role:member
# and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for IPsec site
# connections.
# Get IPsec site connections
# GET /vpn/ipsec-site-connections
# GET /vpn/ipsec-site-connections/{id}
# Intended scope(s): project
#"get_ipsec_site_connection": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "get_ipsec_site_connection":"rule:admin_or_owner" has been
# deprecated since 2025.2 in favor of
# "get_ipsec_site_connection":"(rule:admin_only) or (role:member and
# project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for IPsec site
# connections.
# Create a VPN service
# POST /vpn/vpnservices
# Intended scope(s): project
#"create_vpnservice": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "create_vpnservice":"rule:regular_user" has been deprecated since
# 2025.2 in favor of "create_vpnservice":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for VPN
# services.
# Update a VPN service
# PUT /vpn/vpnservices/{id}
# Intended scope(s): project
#"update_vpnservice": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "update_vpnservice":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "update_vpnservice":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for VPN
# services.
# Delete a VPN service
# DELETE /vpn/vpnservices/{id}
# Intended scope(s): project
#"delete_vpnservice": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "delete_vpnservice":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "delete_vpnservice":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for VPN
# services.
# Get VPN services
# GET /vpn/vpnservices
# GET /vpn/vpnservices/{id}
# Intended scope(s): project
#"get_vpnservice": "(rule:admin_only) or (role:member and project_id:%(project_id)s)"
# DEPRECATED
# "get_vpnservice":"rule:admin_or_owner" has been deprecated since
# 2025.2 in favor of "get_vpnservice":"(rule:admin_only) or
# (role:member and project_id:%(project_id)s)".
# The VPNaaS API now supports Secure RBAC default roles for VPN
# services.