Defining a perimeter for Confidential VM instances

Using a combination of Shared Virtual Private Cloud (VPC) networks, organization policy constraints, and firewall rules, you can set up a security perimeter that ensures your Confidential VM instances can only interact with other Confidential VM instances. This security perimeter can be established around Confidential VM instances that reside inside the same project or in separate projects.

Before you begin

To create a security perimeter, you need the following administrative roles:

  • Organization Admin (resourcemanager.organizationAdmin)
  • Shared VPC Admin (compute.xpnAdmin and resourcemanager.projectIamAdmin)
  • Service Project Admin (compute.networkUser)

To learn more about these roles, see Required administrative roles in the Shared VPC overview.

Create a Confidential VM perimeter

To create a security perimeter around your Confidential VM instances, do the following:

  1. Create a folder under the organization called confidential-perimeter that defines your Confidential VM perimeter.
  2. Inside the folder, create a shared VPC host project that defines the perimeter for Confidential Computing.

Once you've created a VPC host project, share the project by granting your networking team access.

Enforce the perimeter

To prevent non-Confidential VM instances in service projects from interacting with the perimeter, apply the following organization policy constraints to your confidential-perimeter folder as indicated:

| Constraint | Set to | Description |
| --- | --- | --- |
| constraints/compute.restrictNonConfidentialComputing | deny compute.googleapis.com | This forces all service projects to create Confidential VM instances only. |
| constraints/compute.restrictSharedVpcHostProjects | under: FOLDER_ID | This prevents projects inside the perimeter from creating another Shared VPC host project. Replace FOLDER_ID with the actual [identifier](/resource-manager/docs/creating-managing-folders#viewing_or_listing_folders_and_projects) of your confidential-perimeter folder. |
| constraints/compute.restrictVpcPeering | is: [] | This prevents service projects from peering their networks with, or making network connections to, networks outside of the perimeter. |
| constraints/compute.vmExternalIpAccess | is: [] | This forces all Confidential VM instances in service projects to use internal IPs. |
| constraints/compute.restrictLoadBalancerCreationForTypes | allowedValues: ["INTERNAL_TCP_UDP", "INTERNAL_HTTP_HTTPS"] | This prevents all VM instances from defining an Internet-visible ingress point. You may override this for specific projects in your perimeter that should have ingress, for example your DMZ. |

To control the allowed network egress outside of the perimeter, use VPC firewall rules.
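The whole procedure above (the perimeter folder, the Shared VPC host project, the organization policy constraints from the table, and egress firewall rules) as one added shell example; it is not part of this page or of Google's own tooling. It assumes placeholder IDs (ORG_ID, FOLDER_ID, HOST_PROJECT, HOST_NETWORK), writes each constraint in the list-policy YAML that `gcloud resource-manager org-policies set-policy` accepts, expresses the empty allowlist shown as "is: []" in the table as `allValues: DENY`, and spells the Shared VPC host value as `under:folders/FOLDER_ID`; the two egress rules and the 10.0.0.0/8 internal range are likewise assumptions to adapt to your own addressing. With DRY_RUN=1 (the default) it only prints the commands and policy files it would apply.

```shell
#!/bin/sh
# Added example: build the Confidential VM perimeter with gcloud.
# Every ID below is a placeholder; export your own values before running
# with DRY_RUN=0. Under DRY_RUN=1 nothing is changed, commands are echoed.
set -eu

ORG_ID="${ORG_ID:-000000000000}"                          # placeholder org ID
FOLDER_NAME="${FOLDER_NAME:-confidential-perimeter}"
FOLDER_ID="${FOLDER_ID:-000000000000}"                    # placeholder: take it from the folder create output
HOST_PROJECT="${HOST_PROJECT:-conf-perimeter-host}"       # placeholder project ID
HOST_NETWORK="${HOST_NETWORK:-conf-perimeter-vpc}"
INTERNAL_RANGE="${INTERNAL_RANGE:-10.0.0.0/8}"            # assumed perimeter address space
DRY_RUN="${DRY_RUN:-1}"

# Echo the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Emit a list-constraint policy document.
#   policy_yaml CONSTRAINT allow "V1 V2"  -> allowedValues: [V1, V2]
#   policy_yaml CONSTRAINT deny  "V1"     -> deniedValues: [V1]
#   policy_yaml CONSTRAINT deny-all       -> allValues: DENY (the table's "is: []")
policy_yaml() {
  constraint=$1; mode=$2; values=${3:-}
  echo "constraint: constraints/$constraint"
  echo "listPolicy:"
  case "$mode" in
    allow)    echo "  allowedValues:"; for v in $values; do echo "  - $v"; done ;;
    deny)     echo "  deniedValues:";  for v in $values; do echo "  - $v"; done ;;
    deny-all) echo "  allValues: DENY" ;;
    *)        echo "policy_yaml: unknown mode '$mode'" >&2; return 1 ;;
  esac
}

# Write the policy to a temp file and apply it to the perimeter folder.
set_policy() {
  folder=$1; shift
  tmp=$(mktemp)
  policy_yaml "$@" > "$tmp"
  if [ "$DRY_RUN" = 1 ]; then echo "--- policy for folders/$folder ---"; cat "$tmp"; fi
  run gcloud resource-manager org-policies set-policy "$tmp" --folder="$folder"
  rm -f "$tmp"
}

create_perimeter() {
  # Step 1: the folder that defines the perimeter.
  run gcloud resource-manager folders create \
    --display-name="$FOLDER_NAME" --organization="$ORG_ID"

  # Step 2: the Shared VPC host project inside that folder, with its network.
  run gcloud projects create "$HOST_PROJECT" --folder="$FOLDER_ID"
  run gcloud compute shared-vpc enable "$HOST_PROJECT"
  run gcloud compute networks create "$HOST_NETWORK" \
    --project="$HOST_PROJECT" --subnet-mode=custom

  # Enforce the perimeter: the five constraints from the table.
  set_policy "$FOLDER_ID" compute.restrictNonConfidentialComputing deny compute.googleapis.com
  set_policy "$FOLDER_ID" compute.restrictSharedVpcHostProjects allow "under:folders/$FOLDER_ID"
  set_policy "$FOLDER_ID" compute.restrictVpcPeering deny-all
  set_policy "$FOLDER_ID" compute.vmExternalIpAccess deny-all
  set_policy "$FOLDER_ID" compute.restrictLoadBalancerCreationForTypes allow \
    "INTERNAL_TCP_UDP INTERNAL_HTTP_HTTPS"

  # Egress control on the host network: allow traffic that stays inside the
  # perimeter's address space, deny everything else at a lower priority.
  run gcloud compute firewall-rules create "$HOST_NETWORK-allow-internal-egress" \
    --project="$HOST_PROJECT" --network="$HOST_NETWORK" --direction=EGRESS \
    --action=ALLOW --rules=all --destination-ranges="$INTERNAL_RANGE" --priority=1000
  run gcloud compute firewall-rules create "$HOST_NETWORK-deny-egress" \
    --project="$HOST_PROJECT" --network="$HOST_NETWORK" --direction=EGRESS \
    --action=DENY --rules=all --destination-ranges=0.0.0.0/0 --priority=65000
}

create_perimeter
```

The deny-all egress rule sits at a low priority so that narrower allow rules (the internal range here, or a specific proxy or DMZ path) can be layered above it per project; service projects attached to the host network inherit these rules, which is what makes the firewall the egress half of the perimeter.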

What's next

You can use VPC Service Controls to extend the security perimeter to cover Google Cloud resources. To learn more, see Overview of VPC Service Controls.