Set up VPC Service Controls for Application Integration
VPC Service Controls lets you define a security perimeter around the Application Integration Google Cloud service. With the security perimeter around your service, you can constrain data within a VPC and mitigate data exfiltration risks. If you are not already familiar with VPC Service Controls, it is recommended that you go through the following information:
- Overview of VPC Service Controls
- Service perimeter details and configuration
- Grant access to VPC Service Controls
This document describes how to set up a VPC Service Controls perimeter for the Application Integration service. After you have set up the perimeter, you can configure egress and ingress policies that determine what other Google Cloud services can access the Application Integration service (integrations.googleapis.com) and conversely what services the Application Integration service can access.
Before you begin
Ensure that you have the required permissions to configure service perimeters. To view a list of IAM roles required to configure VPC Service Controls, see Access control with IAM in the VPC Service Controls documentation.
Create a VPC service perimeter
To create a VPC service perimeter, you can use the Google Cloud console, the gcloud command, or the accessPolicies.servicePerimeters.create API. For more information, see Create a service perimeter.
Example: Create a VPC service perimeter and configure an egress policy
This example shows you how to use the gcloud command to create a VPC service perimeter and configure an egress policy. The egress policy in this example restricts your integration to using resources only from a specific project.
To create a VPC service perimeter with an egress policy, perform the following steps:
- Set up a default access policy.
An access policy is an organization-wide container for access levels and service perimeters. For information about setting a default access policy or getting an access policy name, see Managing an access policy.
- Create a new egress policy file named vpcsc-egress.yaml with the following egress rule:
    - egressTo:
        operations:
          # service for which the egress policy should be applied
          - serviceName: integrations.googleapis.com
            methodSelectors:
              # methods in the service for which the egress policy should be applied
              # * denotes all the methods
              - method: "*"
        resources:
          # resources which the service methods can access
          - projects/test-vpcsc-egress-project
      egressFrom:
        # identities which can call the service methods
        identityType: ANY_IDENTITY
The sample egress rule allows all the methods of the integrations.googleapis.com service to access resources only in the test-vpcsc-egress-project project, which is outside of the perimeter. VPC Service Controls identifies projects by project number, so replace this placeholder with the target project in the form projects/PROJECT_NUMBER. Because egressFrom uses identityType: ANY_IDENTITY, the rule applies to every principal; if your integration runs under known service accounts, use the identities field in egressFrom to limit the rule to those principals. To learn more about specifying egress rules, see Egress rules reference.
- Create a new VPC service perimeter with the egress file.
The following command creates a VPC service perimeter named integrationPerimeter:
    gcloud access-context-manager perimeters create integrationPerimeter \
        --title="Integration Perimeter" \
        --resources=projects/12345 \
        --restricted-services=integrations.googleapis.com \
        --egress-policies=vpcsc-egress.yaml
This command creates a new perimeter named integrationPerimeter that includes the project with project number 12345, restricts the integrations.googleapis.com API, and adds the egress policy defined in the vpcsc-egress.yaml file.
Add egress policy to an existing service perimeter
To add an egress policy to an existing service perimeter, use the gcloud access-context-manager perimeters update command. For example, the following command adds the egress policy defined in the vpcsc-egress.yaml file to an existing service perimeter named integrationPerimeter:
    gcloud access-context-manager perimeters update integrationPerimeter \
        --set-egress-policies=vpcsc-egress.yaml
Similar to an egress policy, you can also define an ingress policy. To learn more about specifying ingress rules, see Ingress rules reference.
Verify your perimeter
To verify the perimeter, use the gcloud access-context-manager perimeters describe PERIMETER_NAME command. For example, the following command describes the integrationPerimeter perimeter:
    gcloud access-context-manager perimeters describe integrationPerimeter
For more information about managing service perimeters, see Managing service perimeters.
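The following script ties the steps above together: it builds the egress rule in the shape the API uses, rejects a resource that is not a project number, renders the vpcsc-egress.yaml file, composes the perimeters create command, and audits the JSON form of the perimeters describe output for the three properties the page's perimeter must have (project inside the perimeter, integrations.googleapis.com restricted, an egress rule reaching the target project). It is an added example, not code from the Application Integration or gcloud documentation, and it never calls gcloud itself. The project numbers 111111111111 and 222222222222 are placeholders, and SAMPLE_DESCRIBE is a hand-constructed stand-in for what gcloud access-context-manager perimeters describe integrationPerimeter --format=json returns.

```python
"""Build, validate and verify the VPC Service Controls egress policy for
Application Integration.  Added example; assumes placeholder project numbers
and a constructed describe output (see SAMPLE_DESCRIBE)."""
import json
import re
import shlex

SERVICE = "integrations.googleapis.com"
# VPC Service Controls addresses projects by number, never by project ID.
PROJECT_RE = re.compile(r"^projects/\d+$")


def egress_rule(target_project_number, methods=("*",), identities=None):
    """Return one egress rule in the API's egressPolicies shape.

    With identities=None the rule uses identityType ANY_IDENTITY, as on the
    page; pass e.g. ["serviceAccount:sa@proj.iam.gserviceaccount.com"] to
    limit the rule to named principals instead.
    """
    resource = f"projects/{target_project_number}"
    if not PROJECT_RE.match(resource):
        raise ValueError(f"{resource!r}: egress resources must be projects/PROJECT_NUMBER")
    egress_from = ({"identities": list(identities)} if identities
                   else {"identityType": "ANY_IDENTITY"})
    return {
        "egressTo": {
            "operations": [{"serviceName": SERVICE,
                            "methodSelectors": [{"method": m} for m in methods]}],
            "resources": [resource],
        },
        "egressFrom": egress_from,
    }


def render_egress_yaml(rules):
    """Render rules as the YAML list that --egress-policies expects."""
    out = []
    for rule in rules:
        out.append("- egressTo:")
        out.append("    operations:")
        for op in rule["egressTo"]["operations"]:
            out.append(f"    - serviceName: {op['serviceName']}")
            out.append("      methodSelectors:")
            for sel in op["methodSelectors"]:
                # "*" must be quoted: an unquoted * is a YAML alias.
                out.append(f'      - method: "{sel["method"]}"')
        out.append("    resources:")
        out.extend(f"    - {res}" for res in rule["egressTo"]["resources"])
        out.append("  egressFrom:")
        frm = rule["egressFrom"]
        if "identities" in frm:
            out.append("    identities:")
            out.extend(f"    - {ident}" for ident in frm["identities"])
        else:
            out.append(f"    identityType: {frm['identityType']}")
    return "\n".join(out) + "\n"


def create_command(perimeter, title, project_number, policy_file):
    """The perimeters create invocation from the page, as an argv list."""
    return ["gcloud", "access-context-manager", "perimeters", "create", perimeter,
            f"--title={title}", f"--resources=projects/{project_number}",
            f"--restricted-services={SERVICE}", f"--egress-policies={policy_file}"]


def check_perimeter(describe_json, project_number, target_project_number):
    """Audit `perimeters describe --format=json` output.  Returns a list of
    findings; an empty list means the enforced config matches the intent."""
    status = json.loads(describe_json).get("status", {})  # enforced (not dry-run) config
    findings = []
    if f"projects/{project_number}" not in status.get("resources", []):
        findings.append(f"projects/{project_number} is not inside the perimeter")
    if SERVICE not in status.get("restrictedServices", []):
        findings.append(f"{SERVICE} is not a restricted service")
    target = f"projects/{target_project_number}"
    allowed = any(
        target in rule.get("egressTo", {}).get("resources", [])
        and any(op.get("serviceName") == SERVICE
                for op in rule["egressTo"].get("operations", []))
        for rule in status.get("egressPolicies", []))
    if not allowed:
        findings.append(f"no egress rule lets {SERVICE} reach {target}")
    return findings


# Constructed stand-in for the describe output of the perimeter created below.
SAMPLE_DESCRIBE = json.dumps({
    "name": "accessPolicies/1234567890/servicePerimeters/integrationPerimeter",
    "title": "Integration Perimeter",
    "status": {
        "resources": ["projects/111111111111"],
        "restrictedServices": [SERVICE],
        "egressPolicies": [egress_rule("222222222222")],
    },
})

if __name__ == "__main__":
    with open("vpcsc-egress.yaml", "w") as f:
        f.write(render_egress_yaml([egress_rule("222222222222")]))
    print(shlex.join(create_command("integrationPerimeter", "Integration Perimeter",
                                    "111111111111", "vpcsc-egress.yaml")))
    print(check_perimeter(SAMPLE_DESCRIBE, "111111111111", "222222222222") or "perimeter OK")
```

Run it, then feed the real describe output to check_perimeter instead of SAMPLE_DESCRIBE. The check reads the status block, which is the enforced configuration; a perimeter created in dry-run mode keeps its rules under spec instead, so an empty status is itself a finding worth acting on.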
Considerations
If you have enabled VPC service perimeter for the Application Integration service, you will not be able to use the following tasks in your integrations: