This document describes how to secure your Dataplex services using VPC Service Controls (VPC-SC).
VPC Service Controls provides additional security for your Dataplex services to help mitigate the risk of data exfiltration. Using VPC Service Controls, you can add projects to service perimeters that protect resources and services from requests that cross the perimeter. For more information, see Overview of VPC Service Controls.
Dataplex resources are exposed on the dataplex.googleapis.com API, which lets you perform service-level operations, such as creation and deletion of services.
You set up VPC Service Controls with Dataplex by restricting connectivity to this API surface.
Limitations
Before you create Dataplex resources, set up the VPC Service Controls security perimeter. Otherwise, your resources don't have perimeter protection. Dataplex supports the following resource types:
- Lake
- Data profile scan
- Data quality scan
Configure the Virtual Private Cloud (VPC) network
You can configure the VPC network to restrict Private Google Access with respect to a service perimeter. This ensures that hosts on your VPC or on-premises network can only communicate with Google APIs and services that are supported by VPC Service Controls in ways which conform to the associated perimeter's policy.
For more information, see Setting up private connectivity to Google APIs and services.
Create a service perimeter
When you create a service perimeter, you select the Dataplex projects that you want the VPC Service Controls service perimeter to protect.
To create a service perimeter, follow the instructions in Create a service perimeter.
Add more projects to the service perimeter
To add existing Dataplex projects to the perimeter, follow the instructions in Update a service perimeter.
Add the Dataplex API to the service perimeter
To mitigate the risk of your data being exfiltrated from Dataplex, for example, using Dataplex APIs, you must restrict the Dataplex API.
To add Dataplex API as a restricted service, follow these steps:
Console
In the Google Cloud console, go to the VPC Service Controls page.
On the VPC Service Controls page, in the table, click the name of the service perimeter that you want to modify.
Click Edit Perimeter.
On the Edit VPC Service Perimeter page, click Add Services.
Add Dataplex API.
Click Save.
gcloud
Use the gcloud access-context-manager perimeters update command:

gcloud access-context-manager perimeters update PERIMETER_ID \
    --policy=POLICY_ID \
    --add-restricted-services=dataplex.googleapis.com
Replace the following:
PERIMETER_ID: the ID of the perimeter or the fully qualified identifier for the perimeter
POLICY_ID: the ID of the access policy
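After the update, it is worth confirming that the enforced perimeter configuration actually lists the Dataplex API and the projects you expect, since resources created before the perimeter is in place get no protection. The following added example (not from the Google Cloud documentation or the gcloud tool) audits the JSON that `gcloud access-context-manager perimeters describe PERIMETER_ID --policy=POLICY_ID --format=json` returns and prints the update command that would close any gap. The perimeter JSON and the project numbers below are constructed placeholders; the `check_perimeter` and `remediation_commands` helper names are this example's own.

```python
import json
from typing import Dict, List

# The API surface this guide tells you to restrict.
DATAPLEX_SERVICE = "dataplex.googleapis.com"

# Constructed sample shaped like the output of
# `gcloud access-context-manager perimeters describe PERIMETER_ID --policy=POLICY_ID --format=json`.
# The policy ID, perimeter ID and project number are placeholders, not real values.
SAMPLE_PERIMETER_JSON = """
{
  "name": "accessPolicies/POLICY_ID/servicePerimeters/PERIMETER_ID",
  "title": "dataplex-perimeter",
  "perimeterType": "PERIMETER_TYPE_REGULAR",
  "status": {
    "resources": ["projects/111111111111"],
    "restrictedServices": ["bigquery.googleapis.com"],
    "accessLevels": []
  }
}
"""


def parse_perimeter(text: str) -> Dict:
    """Parse the describe output into a dict (thin wrapper so callers stay free of json)."""
    return json.loads(text)


def check_perimeter(perimeter: Dict, project_numbers: List[str],
                    service: str = DATAPLEX_SERVICE) -> Dict[str, List[str]]:
    """Compare the enforced perimeter config against what this guide requires.

    Only the `status` block is checked: that is the enforced configuration.
    A dry-run configuration, if any, lives under `spec` and does not block traffic.
    Returns the projects and services that are missing from the perimeter.
    """
    status = perimeter.get("status", {})
    restricted = set(status.get("restrictedServices", []))
    resources = set(status.get("resources", []))

    wanted_resources = [f"projects/{p}" for p in project_numbers]
    missing_projects = [r for r in wanted_resources if r not in resources]
    missing_services = [] if service in restricted else [service]
    return {"missing_projects": missing_projects, "missing_services": missing_services}


def remediation_commands(perimeter_id: str, policy_id: str,
                         gaps: Dict[str, List[str]]) -> List[str]:
    """Build the gcloud update command(s) that would close the reported gaps."""
    base = (f"gcloud access-context-manager perimeters update {perimeter_id} "
            f"--policy={policy_id}")
    commands = []
    if gaps["missing_projects"]:
        commands.append(f"{base} --add-resources={','.join(gaps['missing_projects'])}")
    if gaps["missing_services"]:
        commands.append(f"{base} --add-restricted-services={','.join(gaps['missing_services'])}")
    return commands


def audit_sample() -> List[str]:
    """Run the audit over the constructed sample with two expected project numbers."""
    perimeter = parse_perimeter(SAMPLE_PERIMETER_JSON)
    gaps = check_perimeter(perimeter, ["111111111111", "222222222222"])
    return remediation_commands("PERIMETER_ID", "POLICY_ID", gaps)


if __name__ == "__main__":
    for cmd in audit_sample():
        print(cmd)
```

On the constructed sample the audit reports that the second project is outside the perimeter and that dataplex.googleapis.com is not yet a restricted service, and emits the two matching update commands. In practice you would feed it the real describe output and the project numbers of every project that will hold Dataplex lakes or scans.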
Optional: Create an access level
To permit external access to protected resources inside a perimeter, you can use access levels. Access levels apply only to requests for protected resources coming from outside the service perimeter. You can't use access levels to give protected resources permission to access data and services outside the perimeter.
For more information, see Allow access to protected resources from outside a perimeter.
What's next
- Learn more about VPC Service Controls.
- Learn more about Dataplex access control with IAM.
- Learn more about Dataplex security.