VPC Service Controls can help your organization mitigate data exfiltration risks from Google-managed services like Cloud Storage and BigQuery. This page shows how Data Catalog interacts with resources inside a VPC Service Controls service perimeter.
The examples in this document use BigQuery to demonstrate how Data Catalog interacts with perimeters. However, Data Catalog respects perimeters around all Google storage systems in the same way, including Cloud Storage and Pub/Sub.
Example
To understand how Data Catalog interacts with perimeters, consider the following diagram.
In the diagram, there are two Google Cloud projects:
Project A and Project B. A service perimeter is established around
Project A, and the BigQuery service is protected by the
perimeter. The user hasn't been granted access to the perimeter through an
allowlisted IP or a
user identity.
Project B isn't inside the perimeter.
Project B but not Project A.
The following is the result of this configuration:
- Data Catalog continues to sync BigQuery metadata from both projects.
- The user can access data and metadata for
Project Bfrom BigQuery, and search or tag its metadata with Data Catalog. - The user can't access
Project Adata in BigQuery, as they're blocked by the perimeter. The user also can'no't search or tag its metadata with Data Catalog.
Custom integrated assets
Data Catalog is capable of integrating assets from other clouds and on-premises data sources. They are called custom integrated assets. If Data Catalog isn't added to the VPC Service Controls perimeter, users can still access custom integrated assets, even for projects in perimeters where they aren't allowlisted.
In the following example, custom integrated assets have been added to both
Project A and Project B from the first example. The user in
this example still don't have perimeter access.
Project B and custom integrated metadata in
Projects A and B.
The following is the result of this configuration:
- The user can access data and metadata for
Project Bfrom BigQuery, and search or tag its metadata with Data Catalog. - The user can't access
Project Adata or metadata from BigQuery because they're blocked by the perimeter. They also can't search or tag its metadata with Data Catalog. - The user can use Data Catalog to search or tag metadata for the
custom integrated assets in both
Project AandProject B.
Limiting access to custom integrated assets
You can limit access to custom integrated assets by using a service perimeter
to protect the Data Catalog API. The following example expands on
the second example by adding a perimeter around the
Data Catalog service for Project B:
Project B, and
custom integrated metadata in Project A.
The following is the result of this configuration:
- Data Catalog isn't added to the perimeter for
Project A, so the user can search or tag metadata for the custom integrated assets inProject A. - Data Catalog is added to the perimeter for
Project B, so the user can't search or tag metadata for the custom integrated assets inProject B. - As in the first example, the user can't access
Project Adata or metadata from BigQuery because they're blocked by the perimeter. They also can't search or tag BigQuery metadata with Data Catalog. - Even though a service perimeter is established for
Project B, the BigQuery service is added to it. This means that the user can accessProject Bdata or metadata from BigQuery, and search or tag BigQuery metadata with Data Catalog.
Data lineage support
Data Lineage is supported by restricted Virtual IP (VIP). For more information, see Services supported by the restricted VIP.