Use VPC Service Controls with Cloud Data Fusion
If you plan to create a Cloud Data Fusion instance with a private IP address, you can add a further layer of security by first establishing a security perimeter for the instance using VPC Service Controls (VPC-SC).

A VPC-SC security perimeter around the private Cloud Data Fusion instance and other Google Cloud resources helps mitigate the risk of data exfiltration. For example, with VPC Service Controls in place, if a Cloud Data Fusion pipeline reads data from a supported resource inside the perimeter, such as a BigQuery dataset, and then tries to write its output to a resource outside the perimeter, the pipeline fails.
Cloud Data Fusion resources are exposed on two API surfaces:

1. The datafusion.googleapis.com control plane API surface, which lets you perform instance-level operations such as creating and deleting instances.
2. The datafusion.googleusercontent.com data plane API surface (the Cloud Data Fusion web UI in the Google Cloud console), which runs on a Cloud Data Fusion instance to create and execute data pipelines.

You set up VPC Service Controls with Cloud Data Fusion by restricting connectivity to both of these API surfaces.
Strategies:

- Cloud Data Fusion pipelines are executed on Dataproc clusters. To protect a Dataproc cluster with a service perimeter, follow the instructions for setting up private connectivity so that the cluster can function inside the perimeter.
- Don't use plugins that call Google Cloud APIs that are not supported by VPC Service Controls. If you use unsupported plugins, Cloud Data Fusion blocks the API calls, which causes pipeline preview and execution to fail.
- To use Cloud Data Fusion within a VPC Service Controls service perimeter, add or configure DNS entries that point the following domains to the restricted VIP (virtual IP address):
  - datafusion.googleapis.com
  - *.datafusion.googleusercontent.com
  - *.datafusion.cloud.google.com
Limitations:

- Establish the VPC Service Controls security perimeter before you create your private Cloud Data Fusion instance. Perimeter protection for instances created before VPC Service Controls was set up is not supported.
- Currently, the Cloud Data Fusion data plane UI does not support specifying access levels using identity-based access.
Restricting Cloud Data Fusion API surfaces

Restricting the control plane surface

See Setting up private connectivity to Google APIs and services to restrict connectivity to the datafusion.googleapis.com control plane API surface.

Restricting the data plane surface

To set up private connectivity to the API data plane, configure DNS by completing the following steps for both the *.datafusion.googleusercontent.com and *.datafusion.cloud.google.com domains.

1. Create a new private zone using Cloud DNS:
   1. Zone type: check Private.
   2. Zone name: datafusiongoogleusercontentcom
   3. DNS name: datafusion.googleusercontent.com
   4. Network: select the private IP network that you chose when you created your Cloud Data Fusion instance.
2. From the Cloud DNS page, click your datafusiongoogleusercontent DNS zone name to open the Zone details page. Two record sets are listed: an NS record and an SOA record. Use Add Standard to add the following two record sets to your datafusiongoogleusercontent DNS zone.
   1. Add a CNAME record: in the Create record set dialog, fill in the following fields to map the DNS name *.datafusion.googleusercontent.com. to the canonical name datafusion.googleusercontent.com:
      - DNS name: "*.datafusion.googleusercontent.com"
      - Canonical name: "datafusion.googleusercontent.com"
   2. Add an A record: in a new Create record set dialog, fill in the following fields to map the DNS name datafusion.googleusercontent.com. to the IP addresses 199.36.153.4 through 199.36.153.7:
      - DNS name: "datafusion.googleusercontent.com"
      - IPv4 addresses:
        - 199.36.153.4
        - 199.36.153.5
        - 199.36.153.6
        - 199.36.153.7
   The datafusiongoogleusercontent Zone details page then shows the record sets you added alongside the NS and SOA records.
3. Repeat the steps above to create a private DNS zone and add the record sets for the *.datafusion.cloud.google.com domain.
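The same DNS setup done from the gcloud CLI, as an added example that is not part of the original page: it creates one private zone per data plane domain, attaches it to the private IP network, adds the apex A record for the four restricted VIP addresses and the wildcard CNAME back to the apex, and adds a small check you can feed the output of `dig +short` into (run from a VM on that network) to confirm that a data plane host name resolves only to the restricted VIP set. The project and network names are placeholders (assumptions, not values from the page); the zone name is derived from the domain with the dots removed, matching the zone name given in step 1; and the script only prints the gcloud commands until you set GCLOUD=gcloud, so that a dry run is the default.

```shell
#!/usr/bin/env sh
# Added example (not the page's or Google's code): provision the private
# Cloud DNS zones that send the Cloud Data Fusion data plane domains to the
# restricted VIP, then verify a resolution result against that VIP set.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"      # placeholder: your project ID
NETWORK="${NETWORK:-my-private-network}"    # placeholder: the private IP network chosen at instance creation
GCLOUD="${GCLOUD:-echo}"                    # dry run by default; GCLOUD=gcloud applies the changes
# Restricted VIP addresses for Google APIs, as listed in the DNS steps on this page.
RESTRICTED_VIPS="199.36.153.4,199.36.153.5,199.36.153.6,199.36.153.7"

# zone_name derives the Cloud DNS zone name from a domain by dropping the dots,
# e.g. datafusion.googleusercontent.com -> datafusiongoogleusercontentcom.
zone_name() { printf '%s' "$1" | tr -d '.'; }

# create_restricted_zone creates a private zone for DOMAIN visible only on NETWORK
# and adds two record sets: an A record at the apex pointing at the restricted VIPs
# and a wildcard CNAME so every instance host name under DOMAIN resolves via the apex.
create_restricted_zone() {
  domain="$1"
  zone="$(zone_name "$domain")"
  $GCLOUD dns managed-zones create "$zone" --project="$PROJECT_ID" \
    --dns-name="${domain}." --visibility=private --networks="$NETWORK" \
    --description="Restricted VIP zone for ${domain}"
  $GCLOUD dns record-sets create "${domain}." --project="$PROJECT_ID" \
    --zone="$zone" --type=A --ttl=300 --rrdatas="$RESTRICTED_VIPS"
  $GCLOUD dns record-sets create "*.${domain}." --project="$PROJECT_ID" \
    --zone="$zone" --type=CNAME --ttl=300 --rrdatas="${domain}."
}

# check_restricted reads resolved addresses on stdin, one per line (the format
# `dig +short` prints; CNAME target lines are skipped), and succeeds only if at
# least one IPv4 address was seen and every address is in the restricted VIP set.
# Any other address means the lookup escaped the private zone and would leave
# the perimeter over the public API endpoint.
check_restricted() {
  seen=0
  bad=0
  while IFS= read -r ip; do
    case "$ip" in
      ''|*[!0-9.]*) continue ;;   # blank line or a host name, not an IPv4 address
    esac
    seen=1
    case ",$RESTRICTED_VIPS," in
      *",$ip,"*) ;;
      *) echo "address outside the restricted VIP set: $ip" >&2; bad=1 ;;
    esac
  done
  if [ "$seen" -eq 1 ] && [ "$bad" -eq 0 ]; then return 0; else return 1; fi
}

# Both data plane domains from the page get the same treatment.
for d in datafusion.googleusercontent.com datafusion.cloud.google.com; do
  create_restricted_zone "$d"
done
```

Run it once to review the printed commands, then with `GCLOUD=gcloud` to apply them. After that, from a VM attached to the same network, `dig +short some-host.datafusion.googleusercontent.com | check_restricted` should succeed; if it prints an address outside 199.36.153.4 through 199.36.153.7, the private zone is not attached to the network the instance uses.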
Last updated 2025-09-04 UTC.