Using a combination of Shared Virtual Private Cloud (VPC) networks, organization policy constraints, and firewall rules, you can set up a security perimeter that ensures your Confidential VM instances can only interact with other Confidential VM instances. This security perimeter can be established around Confidential VM instances that reside inside the same project or in separate projects.
Before you begin
To create a security perimeter, you need the following administrative roles:
- Shared VPC Admin
- Service Project Admin
Create a Confidential VM perimeter
To create a security perimeter around your Confidential VM instances, do the following:
- Create a folder, confidential-perimeter, that defines your Confidential VM perimeter.
- Inside the folder, create a shared VPC host project that defines the perimeter for Confidential Computing.
Once you've created a VPC host project, share the project by granting your networking team access.
Enforce the perimeter
To prevent service projects from allowing non-Confidential VM instances to interact with the perimeter, set the following organization policy constraints on the confidential-perimeter folder as indicated:
| Constraint | Description |
| --- | --- |
| | This forces all service projects to create Confidential VM instances only. |
| | This prevents projects inside the perimeter from creating another Shared VPC host project. Replace FOLDER_ID with the |
| | This prevents service projects from peering networks and network connections outside of the perimeter. |
| | This forces all Confidential VM instances in service projects to use internal IPs. |
| | This prevents all VM instances from defining an Internet-visible ingress point. You may override this for specific projects in your perimeter that should have ingress—for example, your DMZ. |
To control the allowed network egress outside of the perimeter, use VPC firewall rules.
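An offline check of the constraint table above, as an added example that is not from the Google Cloud documentation: it audits the parsed output of `gcloud resource-manager org-policies list` for the perimeter folder and flags every required constraint that is missing or weaker than the table demands. The Compute Engine constraint names used are assumed to be the ones behind the table's rows (its first column is not reproduced on this page), and the ingress row is not modelled.

```python
"""Audit a folder's org policies against the Confidential VM perimeter table.
Added example, not Google Cloud's code. `policies` is the parsed JSON list from
`gcloud resource-manager org-policies list --folder=... --format=json` (v1
listPolicy form); the constraint names are assumed to be the table's."""
def _scoped_to_folder(lp, folder_id):
    # Exactly this folder may be used; any extra value or ALLOW-all is a gap.
    return (lp.get("allValues") != "ALLOW"
            and lp.get("allowedValues") == [f"under:folders/{folder_id}"])

def perimeter_checks(folder_id):
    """Required constraint -> predicate its listPolicy must satisfy."""
    return {
        # Confidential VM only: non-confidential Compute Engine use is denied.
        "constraints/compute.restrictNonConfidentialComputing":
            lambda lp: lp.get("allValues") == "DENY"
            or "compute.googleapis.com" in lp.get("deniedValues", []),
        # No other Shared VPC host project outside the perimeter folder.
        "constraints/compute.restrictSharedVpcHostProjects":
            lambda lp: _scoped_to_folder(lp, folder_id),
        # No VPC peering with networks outside the perimeter folder.
        "constraints/compute.restrictVpcPeering":
            lambda lp: _scoped_to_folder(lp, folder_id),
        # Internal IPs only.
        "constraints/compute.vmExternalIpAccess":
            lambda lp: lp.get("allValues") == "DENY",
    }

def audit(policies, folder_id):
    """One finding per constraint that is absent or weaker than required."""
    present = {p["constraint"]: p.get("listPolicy", {}) for p in policies}
    findings = []
    for name, compliant in perimeter_checks(folder_id).items():
        if name not in present:
            findings.append(f"MISSING {name}")
        elif not compliant(present[name]):
            findings.append(f"WEAK {name}")
    return findings

# Constructed sample listing: a compliant folder, then the same folder with
# external IPs allowed and the peering constraint never set.
FOLDER = "123456789012"
SCOPE = {"allowedValues": [f"under:folders/{FOLDER}"]}
def _pol(name, lp):
    return {"constraint": f"constraints/compute.{name}", "listPolicy": lp}
GOOD = [_pol("restrictNonConfidentialComputing",
             {"deniedValues": ["compute.googleapis.com"]}),
        _pol("restrictSharedVpcHostProjects", SCOPE),
        _pol("restrictVpcPeering", SCOPE),
        _pol("vmExternalIpAccess", {"allValues": "DENY"})]
BAD = GOOD[:2] + [_pol("vmExternalIpAccess", {"allValues": "ALLOW"})]
```

Run it against the real listing with `audit(json.loads(output), folder_id)`; an empty result means every modelled row of the table is enforced on the folder.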
You can use VPC Service Controls to extend the security perimeter to cover Google Cloud resources. To learn more, see Overview of VPC Service Controls.