Stay organized with collections Save and categorize content based on your preferences.

See the supported connectors for Application Integration.

Set up VPC Service Controls for Application Integration

VPC Service Controls lets you define a security perimeter around the Application Integration Google Cloud service. With the security perimeter around your service, you can constrain data within a VPC and mitigate data exfiltration risks. If you are not already familiar with VPC Service Controls, it is recommended that you go through the following information:

This document describes how to set up a VPC Service Controls perimeter for the Application Integration service. After you have set up the perimeter, you can configure egress and ingress policies that determine what other Google Cloud services can access the Application Integration service and conversely what services the Application Integration service can access.

Before you begin

Ensure that you have the required permissions to configure service perimeters. To view a list of IAM roles required to configure VPC Service Controls, see Access control with IAM in the VPC Service Controls documentation.

Create a VPC service perimeter

To create a VPC service perimeter you can use either the Google Cloud console, or the gcloud command, or the accessPolicies.servicePerimeters.create API. For more information, see Create a service perimeter.

Example: Create a VPC service perimeter and configure an egress policy

This example shows you how to use the gcloud command to create a VPC service perimeter and configure an egress policy. The egress policy in this example restricts your integration to use resources only from a specific project.

To create a VPC service perimeter with an egress policy, perform the following steps:

  1. Set up a default policy.

    An access policy is an organization-wide container for access levels and service perimeters. For information about setting a default access policy or getting an access policy name, see Managing an access policy.

  2. Create a new egress policy file by name vpcsc-egress.yaml with the following egress rule:
    - egressTo:
        operations:
        # service for which the egress policy should be applied
        - serviceName: integrations.googleapis.com
          methodSelectors:
          # methods in the service for which the egress policy should be applied
          # * denotes all the methods
          - method: "*"
        resources:
          # resources which the service methods can access
          - projects/test-vpcsc-egress-project
      egressFrom:
        # identities which can call the service methods
        identityType: ANY_IDENTITY
    

    The sample egress rule allows all the methods of the integrations.googleapis.com service to access resources only in the test-vpcsc-egress-project which is outside of the perimeter. To learn more about specifying the egress rules, see Egress rules reference.

  3. Create a new VPC service perimeter with the egress file.

    The following command creates a VPC service perimeter by name integrationPerimeter:

    gcloud access-context-manager perimeters create integrationPerimeter \
        --title="Integration Perimeter" \
        --resources=projects/12345 \
        --restricted-services=integrations.googleapis.com \
        --egress-policies=vpcsc-egress.yaml
    

    This command creates a new perimeter named integrationPerimeter that includes the project with project number 12345, restricts the integrations.googleapis.com API, and adds an egress policy defined in the vpcsc-egress.yaml file.

Add egress policy to an existing service perimeter

To add an egress policy to an existing service perimeter, use the gcloud access-context-manager perimeters update command. For example, the following command adds an egress policy defined in the vpcsc-egress.yaml file to an existing service perimeter named integrationPerimeter:

gcloud access-context-manager perimeters update integrationPerimeter
    --set-egress-policies=vpcsc-egress.yaml

Similar to an egress policy, you can also define an ingress policy. To learn more about specifying ingress rules, see Ingress rules reference.

Verify your perimeter

To verify the perimeter, use the gcloud access-context-manager perimeters describe PERIMETER_NAME command. For example, the following command describes the integrationPerimeter perimeter:

gcloud access-context-manager perimeters describe integrationPerimeter

For more information about managing service perimeters, see Managing service perimeters.

Condiderations

If you have enabled VPC service perimeter for the Application Integration service, you will not be able to use the following tasks in your integrations:

What's next

Learn how VPC Service Controls protects your data.