VPC Service Controls lets you define a security perimeter around the Apigee Integration Google Cloud service. With the security perimeter around your service, you can constrain data within a VPC and mitigate data exfiltration risks. If you are not already familiar with VPC Service Controls, it is recommended that you go through the following information:
- Overview of VPC Service Controls
- Service perimeter details and configuration
- Grant access to VPC Service Controls
This document describes how to set up a VPC Service Controls perimeter for the Apigee Integration service. After you have set up the perimeter, you can configure egress and ingress policies that determine what other Google Cloud services can access the Apigee Integration service (integrations.googleapis.com) and conversely what services the Apigee Integration service can access.
Before you begin
Ensure that you have the required permissions to configure service perimeters. To view a list of IAM roles required to configure VPC Service Controls, see Access control with IAM in the VPC Service Controls documentation.
Create a VPC service perimeter
To create a VPC service perimeter you can use either the Google Cloud console,
or the gcloud command, or the accessPolicies.servicePerimeters.create API.
For more information, see Create a service perimeter.
To create a VPC Service Controls perimeter provide access to the user by using the gcloud commands, run the following command:
gcloud access-context-manager perimeters create \
--title=PERIMETER_TITLE \
--resources=projects/PROJECT_ID \
--restricted-services=integrations.googleapis.com \
Replace the following:
PERIMETER_TITLE: the name of the VPC Service Controls perimeterPROJECT_ID: the project for which you want to add the VPC Service Controls perimeter
The preceding command takes some time to complete. The VPC Service Controls perimeter restricts integration services for your project when using the Apigee Integration services.
To allow any IP addresses, service accounts, or users to use Apigee Integration, use the ingress and egress rules. VPC Service Controls uses ingress and egress rules to allow access to and from the resources and clients protected by service perimeters.
Add egress policy to an existing service perimeter
To add an egress policy to an existing service perimeter,
use the gcloud access-context-manager
perimeters update command. For example, the following command adds an egress policy defined
in the vpcsc-egress.yaml file to an existing service perimeter named integrationPerimeter:
gcloud access-context-manager perimeters update integrationPerimeter
--set-egress-policies=vpcsc-egress.yaml
Similar to an egress policy, you can also define an ingress policy. To learn more about specifying ingress rules, see Ingress rules reference.
Verify your perimeter
To verify the perimeter, use the gcloud access-context-manager perimeters describe PERIMETER_NAME
command. For example, the following command describes the integrationPerimeter perimeter:
gcloud access-context-manager perimeters describe integrationPerimeter
For more information about managing service perimeters, see Managing service perimeters.
Condiderations
If you have enabled VPC service perimeter for the Apigee Integration service, you will not be able to use the following tasks in your integrations: