Configure VPC Service Controls for Cloud Quotas

Google Cloud Virtual Private Cloud (VPC) Service Controls lets you set up a secure perimeter to guard against data exfiltration. Configure Cloud Quotas with VPC Service Controls so that API requests to Cloud Quotas stay within the VPC service perimeter boundary.

Limitations

Because VPC Service Controls enforces boundaries at the project level, Cloud Quotas requests that originate from clients within the perimeter can only access organization resources if the organization sets up an egress rule. To set up an egress rule, see the VPC Service Controls instructions for configuring ingress and egress policies.

Enforced actions

VPC Service Controls is only enforced on the following Cloud Quotas actions:

For examples of setting QuotaPreference and QuotaInfo, see the description of the API resource model. For reference information, see the REST API overview.

Set up

Follow these steps to restrict the Cloud Quotas API to your VPC service perimeter:

  1. Follow the instructions to set up the Cloud Quotas API.

  2. Follow the VPC Service Controls Quickstart to complete the following tasks:

    1. Create a service perimeter.
    2. Add the projects that you want to protect to the perimeter.
    3. Restrict the Cloud Quotas API. For example, see these instructions that add other Google Cloud APIs to the VPC service perimeter.

After setting up your service perimeter, VPC Service Controls checks calls to the Cloud Quotas API to help make sure that the calls originate from within the same perimeter.
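To confirm the result of the steps above, the following added example (not part of the original page or of Google's tooling) audits a perimeter definition in the shape of the Access Context Manager ServicePerimeter resource, such as the JSON output of `gcloud access-context-manager perimeters describe`. The function name, the sample perimeter and the project numbers are constructed for illustration, and treating an egress operation on `cloudquotas.googleapis.com` or `*` as covering the organization-resource limitation is an assumption.

```python
import json

QUOTAS_API = "cloudquotas.googleapis.com"

# Constructed sample perimeter; every identifier below is made up.
SAMPLE_PERIMETER = json.loads("""{
  "name": "accessPolicies/000000000000/servicePerimeters/example_perimeter",
  "useExplicitDryRunSpec": true,
  "status": {"resources": ["projects/111111111111"],
             "restrictedServices": ["storage.googleapis.com"],
             "egressPolicies": []},
  "spec": {"resources": ["projects/111111111111", "projects/222222222222"],
           "restrictedServices": ["storage.googleapis.com",
                                  "cloudquotas.googleapis.com"]}
}""")


def audit_perimeter(perimeter, project_numbers):
    """Return a list of findings; an empty list means every check passed."""
    enforced = perimeter.get("status") or {}
    # "spec" is the dry-run configuration only when useExplicitDryRunSpec is set.
    dry_run = (perimeter.get("spec") or {}) if perimeter.get("useExplicitDryRunSpec") else {}
    findings = []

    # Step 3: the Cloud Quotas API must be restricted in the enforced config.
    if QUOTAS_API not in enforced.get("restrictedServices", []):
        if QUOTAS_API in dry_run.get("restrictedServices", []):
            findings.append(f"FAIL: {QUOTAS_API} is restricted only in the dry-run "
                            "spec; violations are logged but not blocked")
        else:
            findings.append(f"FAIL: {QUOTAS_API} is not a restricted service")

    # Step 2: every project to protect must be inside the enforced perimeter.
    protected = set(enforced.get("resources", []))
    for number in project_numbers:
        if f"projects/{number}" not in protected:
            findings.append(f"FAIL: projects/{number} is outside the enforced perimeter")

    # Limitation: organization resources are reachable only through an egress rule.
    covered = any(op.get("serviceName") in (QUOTAS_API, "*")
                  for policy in enforced.get("egressPolicies", [])
                  for op in (policy.get("egressTo") or {}).get("operations", []))
    if not covered:
        findings.append(f"INFO: no egress rule names {QUOTAS_API}; requests from "
                        "inside the perimeter cannot reach organization resources")
    return findings


if __name__ == "__main__":
    for line in audit_perimeter(SAMPLE_PERIMETER, ["111111111111", "222222222222"]):
        print(line)
```

The constructed sample yields three findings because the API and the second project appear only in the dry-run spec and no egress rule is defined.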
