Use VPC Service Controls with Batch

This document explains how to use VPC Service Controls with Batch. VPC Service Controls allows you to protect the resources and data of Google Cloud services by isolating specific resources into service perimeters. A service perimeter blocks connections with Google Cloud services outside the perimeter and any connections from the internet that are not explicitly allowed.

For more information about networking concepts and when to configure networking, see Batch networking overview.

Before you begin

  1. If you haven't used Batch before, review Get started with Batch and enable Batch by completing the prerequisites for projects and users.
  2. To get the permissions that you need to use VPC Service Controls with Batch, ask your administrator to grant you the following IAM roles:

    For more information about granting roles, see Manage access to projects, folders, and organizations.

    You might also be able to get the required permissions through custom roles or other predefined roles.

  3. If you create a job that runs in a service perimeter, you need to identify the network that you want to use for the job. The network you specify for a job that runs in a service perimeter must meet the following requirements: For more information, see Create and manage VPC networks.

Configure a service perimeter for Batch

To configure a service perimeter for Batch, do the following:

  1. Plan the configuration for your service perimeter. For an overview of the configuration stages for service perimeters, see VPC Service Controls documentation for Service perimeter details and configuration.

    To use Batch, the service perimeter must meet the following requirements:

    • Restricted services: To secure Batch within a service perimeter, you must include the Google Cloud services that are required for your Batch jobs in that perimeter, such as the following services:

      • Batch API (batch.googleapis.com)
      • Cloud Logging API (logging.googleapis.com): Required if you want your jobs to write logs into Cloud Logging. (Recommended)
      • Container Registry API (containerregistry.googleapis.com): Required if you submit a job that uses any containers with an image from Container Registry.
      • Artifact Registry API (artifactregistry.googleapis.com): Required if you submit a job that uses any containers with an image from Artifact Registry.
      • Filestore API (file.googleapis.com): Required if your job uses a Filestore file share.
      • Cloud Storage API (storage.googleapis.com): Required for some jobs that use a Cloud Storage bucket. Required if you use an image for your Batch job that does not have the Batch service agent pre-installed.

      To learn how to enable each of these services in your service perimeter, see VPC accessible services.

      For each service you include other than Batch, you also need to verify that your service perimeter meets the requirements listed for that service in the VPC Service Controls supported products and limitations documentation.

    • VPC networks: Each Batch job requires a VPC network, so your service perimeter must include a VPC network that Batch jobs can run on. To learn how to configure a VPC network that can run your Batch jobs inside a service perimeter, see the following documents:

  2. Create a new service perimeter or update an existing service perimeter to meet these requirements.

Create a job that runs in a service perimeter

When you create a job that runs in a service perimeter, you must also block external access for all the VMs a job runs on and specify a network and subnet that allow the job to access required APIs.

To create a job that runs in a service perimeter, follow the steps in the documentation for Create a job that blocks external access for all VMs and specify a network that meets the network requirements for a job that runs in a service perimeter.

What's next