Enforce certificate-based access with VPC Service Controls

To protect Google Cloud services in your projects and mitigate the risk of data exfiltration, you can specify VPC Service Controls service perimeters at an organization, folder, or project level. Applying a service perimeter provides you with fine-grained control over the ingress policy as well as which services and resources to protect.

For more information about the benefits of service perimeters, see Overview of VPC Service Controls.

Applying a CBA ingress policy to service perimeters

Applying CBA access levels to service perimeters allows you to grant access to perimeter-protected resources from only trusted devices. For more information about creating a CBA access level, see Create access levels for certificate-based access.

The following diagram illustrates a basic example of restricting access to Cloud Storage sensitive data from unknown devices by associating a CBA access level with a service perimeter:

Figure: Associate a CBA access level with a service perimeter to restrict access

To apply a CBA ingress policy to a service perimeter, complete the following steps:

  1. In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.

    Go to the VPC Service Controls page

  2. On the VPC Service Controls page, in the table, click the name of the service perimeter that you want to modify.

  3. On the Edit VPC Service Perimeter page, click Access Levels.

  4. For Choose Access Level, select the CBA access level.

  5. Click Save.
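
To confirm the result of the steps above, the following added example (not part of the original documentation) audits service perimeter definitions and reports perimeters where the CBA access level is not in the enforced configuration, is present only in the dry-run spec, or sits beside other access levels. It assumes input in the JSON shape of the Access Context Manager ServicePerimeter resource; the policy ID, perimeter names, and the level names `cba_level` and `office_ip` are constructed sample values.

```python
import json

# Constructed sample data in the shape of Access Context Manager
# ServicePerimeter resources; policy ID, perimeter and level names are made up.
SAMPLE = json.loads("""[
 {"name": "accessPolicies/111/servicePerimeters/enforced_ok",
  "status": {"accessLevels": ["accessPolicies/111/accessLevels/cba_level"]}},
 {"name": "accessPolicies/111/servicePerimeters/dry_run_only",
  "useExplicitDryRunSpec": true,
  "status": {"accessLevels": []},
  "spec": {"accessLevels": ["accessPolicies/111/accessLevels/cba_level"]}},
 {"name": "accessPolicies/111/servicePerimeters/extra_level",
  "status": {"accessLevels": ["accessPolicies/111/accessLevels/cba_level",
                              "accessPolicies/111/accessLevels/office_ip"]}},
 {"name": "accessPolicies/111/servicePerimeters/no_levels", "status": {}}
]""")


def short(resource_name):
    """Last path segment of a resource name, e.g. 'cba_level'."""
    return resource_name.rsplit("/", 1)[-1]


def levels(config):
    """Short names of the access levels in a perimeter config (status or spec)."""
    return [short(name) for name in (config or {}).get("accessLevels", [])]


def audit_perimeter(perimeter, cba_level):
    """Return findings; an empty list means only the CBA level is enforced."""
    enforced = levels(perimeter.get("status"))
    dry_run = levels(perimeter.get("spec")) if perimeter.get("useExplicitDryRunSpec") else []
    if cba_level not in enforced:
        # A dry-run spec only logs would-be violations; it does not block requests.
        return ["CBA_DRY_RUN_ONLY" if cba_level in dry_run else "CBA_NOT_ATTACHED"]
    # Attached levels are alternatives: satisfying any one of them admits the request.
    return ["ALSO_ALLOWS:" + name for name in enforced if name != cba_level]


def audit(perimeters, cba_level):
    """Map each perimeter's short name to its list of findings."""
    return {short(p["name"]): audit_perimeter(p, cba_level) for p in perimeters}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE, "cba_level").items():
        print(name, "OK" if not findings else findings)
```

Real input for `audit` can be exported with `gcloud access-context-manager perimeters list --policy=POLICY_ID --format=json`, where `POLICY_ID` is a placeholder for your access policy.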