This document explains how to use VPC Service Controls with Batch. VPC Service Controls allows you to protect the resources and data of Google Cloud services by isolating specific resources into service perimeters. A service perimeter blocks connections with Google Cloud services outside the perimeter and any connections from the internet that are not explicitly allowed.
- To configure a VPC Service Controls service perimeter to use Batch, see Configure a service perimeter for Batch in this document.
- If your project or network uses VPC Service Controls to restrict networking access for Batch, you must configure your Batch jobs to run in the required service perimeter. To learn how, see Create a job that runs in a service perimeter in this document.
For more information about networking concepts and when to configure networking, see Batch networking overview.
Before you begin
- If you haven't used Batch before, review Get started with Batch and enable Batch by completing the prerequisites for projects and users.
- To get the permissions that you need to use VPC Service Controls with Batch, ask your administrator to grant you the following IAM roles:
  - To configure a service perimeter: Access Context Manager Editor (roles/accesscontextmanager.policyEditor) on the project
  - To create a job:
    - Batch Job Editor (roles/batch.jobsEditor) on the project
    - Service Account User (roles/iam.serviceAccountUser) on the job's service account, which by default is the default Compute Engine service account
  - To identify the service perimeter for a project or network: Access Context Manager Reader (roles/accesscontextmanager.policyReader) on the project
  - To identify the network and subnet for a job: Compute Network Viewer (roles/compute.networkViewer) on the project
  For more information about granting roles, see Manage access to projects, folders, and organizations.
  You might also be able to get the required permissions through custom roles or other predefined roles.
- If you create a job that runs in a service perimeter, you need to identify the network that you want to use for the job. The network you specify for a job that runs in a service perimeter must meet the following requirements:
  - The network is a Virtual Private Cloud (VPC) network that is in the same project as the job or is a Shared VPC network that is hosted by or shared with the project for the job.
  - The network includes a subnetwork (subnet) in the location where you want to run the job.
  - The network is in the required service perimeter and uses Private Google Access to allow access to the domains for the APIs and services that your job uses. For more information, see Configure a service perimeter for Batch in this document.
Configure a service perimeter for Batch
To configure a service perimeter for Batch, do the following:
Plan the configuration for your service perimeter. For an overview of the configuration stages for service perimeters, see VPC Service Controls documentation for Service perimeter details and configuration.
To use Batch, the service perimeter must meet the following requirements:
Restricted services: To secure Batch within a service perimeter, you must include the Google Cloud services that are required for your Batch jobs in that perimeter, such as the following services:
- Batch API (batch.googleapis.com)
- Cloud Logging API (logging.googleapis.com): Required if you want your jobs to write logs into Cloud Logging. (Recommended)
- Container Registry API (containerregistry.googleapis.com): Required if you submit a job that uses any containers with an image from Container Registry.
- Artifact Registry API (artifactregistry.googleapis.com): Required if you submit a job that uses any containers with an image from Artifact Registry.
- Filestore API (file.googleapis.com): Required if your job uses a Filestore file share.
- Cloud Storage API (storage.googleapis.com): Required for some jobs that use a Cloud Storage bucket. Required if you use an image for your Batch job that does not have the Batch service agent pre-installed.
To learn how to enable each of these services in your service perimeter, see VPC accessible services.
For each service you include other than Batch, you also need to verify that your service perimeter meets the requirements listed for that service in the VPC Service Controls supported products and limitations documentation.
VPC networks: Each Batch job requires a VPC network, so your service perimeter must include a VPC network that Batch jobs can run on. To learn how to configure a VPC network that can run your Batch jobs inside a service perimeter, see the following documents:
- For an overview of using VPC networks in a service perimeter, see VPC networks management in service perimeters.
- To learn how to use Private Google Access with VPC Service Controls to configure access to the Google Cloud services that are required for your Batch jobs, see Set up private connectivity to Google APIs and services.
- For more information about the networking requirements for Batch jobs, see Job networking overview.
Create a new service perimeter or update an existing service perimeter to meet these requirements.
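The following script is an added example (not Google's code or part of this page) that checks whether a service perimeter spec covers the services a given Batch job needs, using the requirements listed above. The spec dict mirrors the Access Context Manager ServicePerimeterConfig field names (resources, restrictedServices, vpcAccessibleServices); the project number, policy ID and perimeter name are constructed placeholders, and the mapping from job features to services is taken from the list above.

```python
"""Check that a VPC Service Controls perimeter spec covers the services a Batch job needs.

Added example, not Google's code. The perimeter dict uses the field names of the
Access Context Manager ServicePerimeterConfig resource; the service-to-feature
mapping follows the restricted-services requirements for Batch.
"""

BATCH_API = "batch.googleapis.com"

# Job features and the service each one requires inside the perimeter.
FEATURE_SERVICES = {
    "writes_logs": "logging.googleapis.com",
    "container_registry_image": "containerregistry.googleapis.com",
    "artifact_registry_image": "artifactregistry.googleapis.com",
    "filestore_share": "file.googleapis.com",
    "cloud_storage_bucket": "storage.googleapis.com",
    "vm_image_without_batch_agent": "storage.googleapis.com",
}


def required_services(features):
    """Return the set of services the perimeter must restrict for a job using `features`."""
    unknown = set(features) - set(FEATURE_SERVICES)
    if unknown:
        raise ValueError(f"unknown job features: {sorted(unknown)}")
    return {BATCH_API} | {FEATURE_SERVICES[f] for f in features}


def perimeter_gaps(perimeter, project_number, features):
    """Return a list of problems that would stop a job with `features` running in `perimeter`.

    An empty list means the perimeter meets the requirements checked here:
    - the job's project is a resource of the perimeter
    - every required service is in restrictedServices
    - if VPC accessible services is restricted to an explicit allow list, every
      required service is on that list (RESTRICTED-SERVICES allows all of them)
    """
    problems = []
    needed = required_services(features)

    project_res = f"projects/{project_number}"
    if project_res not in perimeter.get("resources", []):
        problems.append(f"{project_res} is not a resource of the perimeter")

    for svc in sorted(needed - set(perimeter.get("restrictedServices", []))):
        problems.append(f"{svc} is not a restricted service")

    vpc = perimeter.get("vpcAccessibleServices", {})
    if vpc.get("enableRestriction"):
        allowed = set(vpc.get("allowedServices", []))
        if "RESTRICTED-SERVICES" not in allowed:
            for svc in sorted(needed - allowed):
                problems.append(f"{svc} is not a VPC accessible service")
    return problems


# Constructed sample perimeter; POLICY_ID and the project number are placeholders.
SAMPLE_PERIMETER = {
    "name": "accessPolicies/POLICY_ID/servicePerimeters/batch_perimeter",
    "resources": ["projects/123456789012"],
    "restrictedServices": [BATCH_API, "logging.googleapis.com", "storage.googleapis.com"],
    "vpcAccessibleServices": {
        "enableRestriction": True,
        "allowedServices": [BATCH_API, "logging.googleapis.com"],
    },
}

if __name__ == "__main__":
    features = ["writes_logs", "artifact_registry_image", "cloud_storage_bucket"]
    for problem in perimeter_gaps(SAMPLE_PERIMETER, "123456789012", features):
        print(problem)
```

Run it before submitting the job: every line it prints is a service or resource to add to the perimeter (or to its VPC accessible services list) before the job can reach that API from inside the perimeter.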
Create a job that runs in a service perimeter
When you create a job that runs in a service perimeter, you must also block external access for all the VMs a job runs on and specify a network and subnet that allow the job to access required APIs.
To create a job that runs in a service perimeter, follow the steps in the documentation for Create a job that blocks external access for all VMs and specify a network that meets the network requirements for a job that runs in a service perimeter.
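As an added example (not Google's code or part of this page), the script below builds a Batch job request with the two settings this section requires, every VM without an external IP address and an explicit network and subnet, and then checks the request against the network requirements listed earlier. It uses the Batch API v1 field names allocationPolicy.network.networkInterfaces (network, subnetwork, noExternalIpAddress) and allocationPolicy.location.allowedLocations; the project, network, subnet, region and image values are constructed placeholders.

```python
"""Build a Batch job that runs in a service perimeter and check its network settings.

Added example, not Google's code. Field names follow the Batch API v1 job resource;
all project, network, subnet and image values are constructed placeholders.
"""
import re

NETWORK_RE = re.compile(r"^projects/(?P<project>[^/]+)/global/networks/(?P<name>[^/]+)$")
SUBNET_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/regions/(?P<region>[^/]+)/subnetworks/(?P<name>[^/]+)$"
)


def build_job(project_id, region, network, subnet, image_uri, command):
    """Return a job dict: one container task, VMs confined to `region`, no external IPs."""
    return {
        "taskGroups": [{
            "taskSpec": {
                "runnables": [{
                    "container": {"imageUri": image_uri, "entrypoint": "/bin/sh",
                                  "commands": ["-c", command]},
                }],
            },
            "taskCount": 1,
        }],
        "allocationPolicy": {
            "location": {"allowedLocations": [f"regions/{region}"]},
            "network": {
                "networkInterfaces": [{
                    "network": f"projects/{project_id}/global/networks/{network}",
                    "subnetwork": f"projects/{project_id}/regions/{region}/subnetworks/{subnet}",
                    # Block external access for every VM the job runs on.
                    "noExternalIpAddress": True,
                }],
            },
        },
        "logsPolicy": {"destination": "CLOUD_LOGGING"},
    }


def network_problems(job, job_project, shared_vpc_host=None):
    """Return problems with the job's networking for running inside a service perimeter.

    Checks: exactly one network interface with noExternalIpAddress set, the network
    in the job's project (or in the Shared VPC host project the caller names), the
    subnet in the same project as the network, and the subnet's region among the
    job's allowed locations. Perimeter membership itself is not checked offline.
    """
    problems = []
    policy = job.get("allocationPolicy", {})
    ifaces = policy.get("network", {}).get("networkInterfaces", [])
    if len(ifaces) != 1:
        return [f"expected exactly one network interface, found {len(ifaces)}"]
    iface = ifaces[0]

    if iface.get("noExternalIpAddress") is not True:
        problems.append("noExternalIpAddress must be true to block external access")

    net = NETWORK_RE.match(iface.get("network", ""))
    sub = SUBNET_RE.match(iface.get("subnetwork", ""))
    if not net:
        problems.append("network must be projects/PROJECT/global/networks/NAME")
    if not sub:
        problems.append("subnetwork must be projects/PROJECT/regions/REGION/subnetworks/NAME")
    if not (net and sub):
        return problems

    allowed_projects = {job_project} | ({shared_vpc_host} if shared_vpc_host else set())
    if net["project"] not in allowed_projects:
        problems.append(f"network project {net['project']} is neither the job project "
                        "nor the Shared VPC host")
    if sub["project"] != net["project"]:
        problems.append("subnetwork must belong to the same project as the network")

    # Derive the regions the job may run in from allowedLocations (regions/... or zones/...).
    regions = set()
    for loc in policy.get("location", {}).get("allowedLocations", []):
        kind, _, name = loc.partition("/")
        if kind == "regions":
            regions.add(name)
        elif kind == "zones":
            regions.add(name.rsplit("-", 1)[0])
    if regions and sub["region"] not in regions:
        problems.append(f"subnet region {sub['region']} is not among allowedLocations "
                        f"{sorted(regions)}")
    return problems


# Constructed sample job; all names are placeholders.
JOB = build_job("my-project", "us-central1", "my-vpc", "my-subnet",
                "us-docker.pkg.dev/my-project/repo/worker:1.0", "echo hello")

if __name__ == "__main__":
    import json
    print(json.dumps(JOB, indent=2))
    print("problems:", network_problems(JOB, "my-project"))
```

The printed JSON is the request body for the Batch API's job creation call; pass the Shared VPC host project as shared_vpc_host when the network belongs to a host project rather than to the job's own project, since the check otherwise treats that as an error.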
What's next
- If you have issues creating or running a job, see Troubleshooting.
- Learn more about networking.
- Learn more about creating a job.
- Learn how to view jobs and tasks.