Configure VPC Service Controls for Assured Workloads

Overview

Assured Workloads helps you comply with different regulatory compliance frameworks by implementing logical controls that segment networks and users from in-scope sensitive data. Many of the US compliance frameworks are built upon NIST SP 800-53 Rev. 5, but have their own particular controls based on the sensitivity of the information and the framework's governing body. For customers who must comply with FedRAMP High or DoD IL4, we recommend that you use VPC Service Controls to create a strong boundary around the regulated environment.

VPC Service Controls provides an extra layer of security defense for Google Cloud services that is independent of Identity and Access Management (IAM). While IAM enables granular identity-based access control, VPC Service Controls enables broader context-based perimeter security, such as controlling data ingress and egress across the perimeter. A VPC Service Controls perimeter is a logical boundary around Google Cloud APIs that is managed at the organization level and applied and enforced at the project level. For a high-level overview of VPC Service Controls benefits and configuration stages, see the VPC Service Controls overview. For more information about the regulatory guidance, see Control ID SC-7.

Before you begin

Configure VPC Service Controls for Assured Workloads

To configure VPC Service Controls, you can use the Google Cloud console, the Google Cloud CLI (gcloud CLI), or the Access Context Manager APIs. The following steps show you how to use the Google Cloud console.

Console

  1. In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.

    Go to the VPC Service Controls page

  2. If you are prompted, select your organization, folder, or project.

  3. On the VPC Service Controls page, select Dry run mode. You can create a perimeter in either Dry run mode or Enforced mode, but we recommend using Dry run mode first for both new and updated service perimeters. Dry run mode lets you test your new service perimeter and see how it performs before you choose to enforce it within your environment.

  4. Click New perimeter.

  5. On the New VPC Service Perimeter page, in the Perimeter Name box, type a name for the perimeter.

  6. In the Details tab, select the desired perimeter type and configuration type.

  7. In the Projects tab, select the projects that you want to include within the service perimeter boundary. For your IL4 workloads, these should be the projects that are within your Assured Workloads IL4 folder.

  8. In the Restricted Services tab, add services to include within the service perimeter boundary. You should only select services that are in scope for your Assured Workloads folder.

  9. (Optional) In the VPC Accessible Services tab, you can further restrict services within your service perimeter from communicating with each other. Assured Workloads implements Service Usage Restrictions as a guardrail so that only services in scope for Assured Workloads can be deployed within your Assured Workloads folder. If you have overridden these controls, you may need to implement VPC Accessible Services to restrict non-Assured Workloads services from communicating with your workloads.

  10. Click Ingress Policy to set one or more rules that specify the direction of allowed access from different identities and resources. Access levels only apply to requests for protected resources coming from outside the service perimeter; they cannot be used to permit protected resources or VMs to access data and services outside the perimeter. You can assign an identity different service methods for specific services in order to transfer regulated data into your workload's service perimeter.

  11. (Optional) Click Egress Policy to set one or more rules that specify the direction of allowed access to different identities and resources. Access levels only apply to requests from protected resources to services outside the service perimeter.

  12. Click Save.
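The same procedure carried out with the gcloud CLI (the alternative to the console mentioned above), as an added example rather than code from this page: it creates the perimeter in dry-run mode around the projects of the Assured Workloads folder, restricts the in-scope services, attaches an ingress rule that lets a single identity load objects into the perimeter and nothing else, and promotes the perimeter to enforced only as a separate, deliberate step. The organization ID, project numbers, service list, service account and perimeter name are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original page): the console steps above done with gcloud,
# producing a dry-run VPC Service Controls perimeter for an Assured Workloads folder.
# All IDs below are placeholders; replace them before running.
set -eu

GCLOUD="${GCLOUD:-gcloud}"   # set GCLOUD=echo to preview the commands without running them

# Placeholder inputs (assumed values, not from the page).
ORG_ID="${ORG_ID:-123456789012}"                                 # your organization ID
PERIMETER="${PERIMETER:-il4_perimeter}"                           # perimeter name (step 5)
PROJECT_NUMBERS="${PROJECT_NUMBERS:-111111111111,222222222222}"   # projects in the IL4 folder (step 7)
RESTRICTED_SERVICES="${RESTRICTED_SERVICES:-storage.googleapis.com,bigquery.googleapis.com}"  # step 8
INGRESS_IDENTITY="${INGRESS_IDENTITY:-serviceAccount:data-loader@example-project.iam.gserviceaccount.com}"  # step 10

# Resolve the organization's access policy number; every perimeter belongs to one policy.
lookup_policy() {
  "$GCLOUD" access-context-manager policies list --organization="$1" \
    --format='value(name.basename())' | head -n 1
}

# Expand "111,222" into "projects/111,projects/222", the form --perimeter-resources expects.
project_resources() {
  printf '%s' "$1" | awk -F, '{ for (i = 1; i <= NF; i++) printf "%sprojects/%s", (i > 1 ? "," : ""), $i }'
}

# Write an ingress rule file (step 10): one identity, from any source, may call only
# storage.objects.create on the perimeter's projects, i.e. it can load regulated data in
# but cannot read, list or delete anything.
write_ingress_policy() {
  file="$1"; identity="$2"; resources="$3"
  {
    echo "- ingressFrom:"
    echo "    identities:"
    echo "    - $identity"
    echo "    sources:"
    echo "    - accessLevel: '*'"
    echo "  ingressTo:"
    echo "    operations:"
    echo "    - serviceName: storage.googleapis.com"
    echo "      methodSelectors:"
    echo "      - method: google.storage.objects.create"
    echo "    resources:"
    for r in $(printf '%s' "$resources" | tr ',' ' '); do
      echo "    - $r"
    done
  } > "$file"
}

# Create the perimeter in dry-run mode (step 3): violations are logged, not blocked.
create_dry_run_perimeter() {
  policy="$1"; ingress_file="$2"
  "$GCLOUD" access-context-manager perimeters dry-run create "$PERIMETER" \
    --policy="$policy" \
    --perimeter-title="$PERIMETER" \
    --perimeter-type=regular \
    --perimeter-resources="$(project_resources "$PROJECT_NUMBERS")" \
    --perimeter-restricted-services="$RESTRICTED_SERVICES" \
    --perimeter-ingress-policies="$ingress_file"
}

# Promote the dry-run configuration to enforced once the logged dry-run violations have
# been reviewed and any legitimate flows have been covered by ingress or egress rules.
enforce_perimeter() {
  "$GCLOUD" access-context-manager perimeters dry-run enforce "$PERIMETER" --policy="$1"
}

# Usage: sh vpcsc_perimeter.sh create   (later) sh vpcsc_perimeter.sh enforce
if [ "${1:-}" = "create" ] || [ "${1:-}" = "enforce" ]; then
  policy=$(lookup_policy "$ORG_ID")
  if [ "$1" = "create" ]; then
    ingress=$(mktemp)
    write_ingress_policy "$ingress" "$INGRESS_IDENTITY" "$(project_resources "$PROJECT_NUMBERS")"
    create_dry_run_perimeter "$policy" "$ingress"
  else
    enforce_perimeter "$policy"
  fi
fi
```

Run it with `create` first, leave the perimeter in dry-run long enough to see real traffic in the audit logs, and only then run `enforce`; the `dry-run enforce` subcommand copies the dry-run configuration into the enforced one, so what you tested is exactly what gets enforced. Running with `GCLOUD=echo` prints the commands instead of executing them, which is a cheap way to review the flags before touching the organization.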

Use VPC Service Controls with Terraform

You can use Terraform to synchronize your Assured Workloads folder with a VPC Service Controls perimeter if you want your Assured Workloads regulated boundary to be aligned with your VPC Service Controls boundary. For more information, see the Automatically Secured Folder Terraform example on GitHub.

What's next