Configure VPC Service Controls

This page provides an overview of VPC Service Controls, a Google Cloud feature that integrates with AlloyDB to secure data and resources.

VPC Service Controls helps mitigate the risk of data exfiltration from AlloyDB instances. You can use VPC Service Controls to create service perimeters that protect the resources and data of services that you explicitly specify.

For a general overview of VPC Service Controls, its security benefits, and its capabilities across Google Cloud products, see Overview of VPC Service Controls.

Before you begin

In the Google Cloud console, go to the Project Selector page.

Go to project selector
Select or create a Google Cloud project.
Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.
Make sure that billing is enabled for your Google Cloud project. Learn how to check if billing is enabled on a project.
Enable the Compute Engine API.
Enable the Compute Engine API
Enable the Service Networking API.
Enable the Service Networking API
Add the Identity and Access Management (IAM) roles to the user or service account you are using to set up and administer VPC Service Controls. For more information, see IAM Roles for Administering VPC Service Controls.
Review limitations when using VPC Service Controls with AlloyDB.

How to secure AlloyDB service using VPC Service Controls

Before you begin, review Overview of VPC Service Controls and AlloyDB limitations when using VPC Service Controls.

Configuring VPC Service Controls for an AlloyDB project includes the following steps:

Create and manage a service perimeter.

First, you select the AlloyDB project that you want the VPC service perimeter to protect, and then you create and manage the service perimeter.
Create and manage access levels.

Optionally, to permit external access to protected resources inside a perimeter, you can use access levels. Access levels apply only to requests for protected resources coming from outside the service perimeter. You can't use access levels to give protected resources or VMs permission to access data and services outside the perimeter.

Create and manage a service perimeter

To create and manage a service perimeter, complete the following steps:

Select the AlloyDB project that you want the VPC service perimeter to protect.
Create a service perimeter by following the instructions in Creating a service perimeter.
Add more instances to the service perimeter. To add existing AlloyDB instances to the perimeter, follow the instructions in Updating a service perimeter.
Add APIs to the service perimeter. To mitigate the risk of your data being exfiltrated from AlloyDB, you must restrict AlloyDB API, Compute Engine API, Cloud Storage API, Container Registry API, Certificate Authority Service API, and Cloud KMS API. For more information, see access-context-manager perimeters update.

To add APIs as restricted services:
Console
1. In the Google Cloud console, go to the VPC Service Controls page.
  Go to VPC Service Controls
2. In the VPC Service Controls page, in the table, click the name of the service perimeter that you want to modify.
3. Click Edit.
4. In the Edit VPC Service Perimeter page, click Add Services.
5. Add AlloyDB API, Compute Engine API, Cloud Storage API, Container Registry API, Certificate Authority Service API, and Cloud KMS API.
6. Click Save.
gcloud
```
gcloud access-context-manager perimeters update PERIMETER_ID \
--policy=POLICY_ID \
--add-restricted-services=alloydb.googleapis.com,compute.googleapis.com,storage.googleapis.com,
  containerregistry.googleapis.com,privateca.googleapis.com,cloudkms.googleapis.com
```
- PERIMETER_ID: The ID of the perimeter or the fully qualified identifier for the perimeter.
- POLICY_ID: The ID of the access policy.
If you enabled enhanced query insights, add the databaseinsights.googleapis.com API to the service perimeter as a restricted service:
Console
1. In the Google Cloud console, go to the VPC Service Controls page.
  Go to VPC Service Controls
2. In the VPC Service Controls page, in the table, click the name of the service perimeter that you want to modify.
3. Click Edit.
4. In the Edit VPC Service Perimeter page, click Add Services.
5. Add databaseinsights.googleapis.com.
6. Click Save.
gcloud
```
gcloud access-context-manager perimeters update PERIMETER_ID \
--policy=POLICY_ID \
--add-restricted-services=databaseinsights.googleapis.com
```
- PERIMETER_ID: The ID of the perimeter or the fully qualified identifier for the perimeter.
- POLICY_ID: The ID of the access policy.

Create and manage access levels

To create and manage access levels, follow the instructions in Allowing access to protected resources from outside a perimeter.