Set up VPC Service Controls for Integration Connectors

VPC Service Controls lets you define a security perimeter around the Integration Connectors Google Cloud service. With a perimeter around the service, you can constrain data to the perimeter and mitigate data exfiltration risks. If you are not already familiar with VPC Service Controls, read the VPC Service Controls documentation before you continue.

This document describes how to restrict access to the Integration Connectors service (connectors.googleapis.com) by using a VPC Service Controls perimeter. After setting up the perimeter, you can configure policies that determine which other Google Cloud services or users can access the connectors.googleapis.com service.

Considerations

  • If your connection connects to a Google Cloud resource, that resource must be accessible from within the VPC Service Controls perimeter.
  • If you have existing connections to a public endpoint, ensure that those connections reach the backend systems through a PSC (Private Service Connect) attachment before you set up the VPC Service Controls perimeter. Without the PSC attachment, existing connections to a public endpoint fail after you set up the perimeter.
  • If your connection connects to a non-Google Cloud resource, the destination of the connection must be a PSC attachment. Connections created without the PSC attachment fail.
  • If you set up a VPC Service Controls perimeter for your Google Cloud project, you can't use the event subscription feature for that project.

Before you begin

Ensure that you have the required permissions to configure VPC Service Controls perimeters. To view a list of IAM roles required to configure VPC Service Controls, see Access control with IAM in the VPC Service Controls documentation.

Create a VPC Service Controls perimeter

To create a VPC Service Controls perimeter, you can use the Google Cloud console, the gcloud CLI, or the accessPolicies.servicePerimeters.create API. For more information, see Create a service perimeter.

The following steps show how to create a VPC Service Controls perimeter that grants access to a single user, by using gcloud commands.

  1. Create an access.yaml file that lists the user who is allowed to access the perimeter. For example:
    - members:
        - user:USER_EMAIL
    
  2. Get your organization's access policy ID by using the following command:
    gcloud access-context-manager policies list --organization=ORGANIZATION_ID

    This command lists all the access policies for the organization. From the list, note the ID of the policy in which you want to create the VPC Service Controls perimeter.

    You can view your organization's resource ID by using the Google Cloud console. For more information, see Getting your organization resource ID.

  3. Create an access level for the user.
    gcloud access-context-manager levels create ACCESS_LEVEL_NAME \
    --title="CUSTOM_TITLE" \
    --basic-level-spec=access.yaml \
    --policy=POLICY_ID

    In this command, POLICY_ID is the value that you got from the previous step.

  4. In your Google Cloud project's global settings, set the value of the vpcsc attribute to true.
    curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json" \
    -d '{"vpcsc": true}' \
    https://connectors.googleapis.com/v1/projects/PROJECT_ID/locations/global/settings

    This command returns an operation ID and starts a long-running operation (LRO) that may take some time to complete. Wait for the LRO to complete before you continue. You can track the progress of the operation by using the following command; the operation is finished when the response contains "done": true.

    curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json" \
    https://connectors.googleapis.com/v1/projects/PROJECT_ID/locations/global/operations/OPERATION_ID
  5. Create the VPC Service Controls perimeter and grant the user access to it.
    gcloud access-context-manager perimeters create PERIMETER_NAME \
    --title="PERIMETER_TITLE" \
    --resources=projects/PROJECT_NUMBER \
    --restricted-services=connectors.googleapis.com \
    --access-levels=ACCESS_LEVEL_NAME \
    --policy=POLICY_ID
    

    VPC Service Controls refers to projects by project number, not project ID; you can find the project number on the project's dashboard in the Google Cloud console. This command takes some time to complete, during which you can run other tasks in a new terminal.

    If you want to add the connectors.googleapis.com service and the access level to an existing perimeter instead, run the following command:
    gcloud access-context-manager perimeters update PERIMETER_NAME \
    --add-restricted-services="connectors.googleapis.com" \
    --add-access-levels=ACCESS_LEVEL_NAME \
    --policy=POLICY_ID

Verify your perimeter

To verify the perimeter, describe it and check that, under status, connectors.googleapis.com appears in restrictedServices, your project appears in resources, and the access level you created appears in accessLevels:

gcloud access-context-manager perimeters describe PERIMETER_NAME --policy=POLICY_ID

For more information, see Managing service perimeters.

Remove a project from the VPC Service Controls perimeter

To remove your Google Cloud project from the VPC Service Controls perimeter, perform the following steps in order: first turn off the vpcsc setting for the project, then remove the project from the perimeter.

  1. In your Google Cloud project's global settings, set the value of the vpcsc attribute to false.
    curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json" \
    -d '{"vpcsc": false}' \
    https://connectors.googleapis.com/v1/projects/PROJECT_ID/locations/global/settings

    This command returns an operation ID and starts a long-running operation (LRO) that may take some time to complete. Wait for the LRO to complete before you continue. You can track the progress of the operation by using the following command; the operation is finished when the response contains "done": true.

    curl -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json" \
    https://connectors.googleapis.com/v1/projects/PROJECT_ID/locations/global/operations/OPERATION_ID
  2. Remove your project from the VPC Service Controls perimeter. As when you created the perimeter, refer to the project by its project number.
    gcloud access-context-manager perimeters update accessPolicies/POLICY_ID/servicePerimeters/PERIMETER_NAME \
    --remove-resources=projects/PROJECT_NUMBER
    
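The following script, added here as an example and not part of the original page or of the Integration Connectors product, runs the create procedure above (enable) and the removal procedure (disable) end to end, including the part the page leaves to the reader: extracting the operation name from the PATCH response and polling the LRO until it reports done, failing if the finished operation carries an error. It assumes gcloud and curl are installed and authenticated, that the variables ORGANIZATION_ID, PROJECT_ID, USER_EMAIL, ACCESS_LEVEL_NAME and PERIMETER_NAME are exported, that the organization has a single access policy (the first one listed is used), and that the API's pretty-printed response places the top-level "name" key first. The variable names RUN, LRO_POLL_SECONDS and LRO_MAX_TRIES are this script's own.

```shell
#!/bin/sh
# Added example (not from the page): drives the Integration Connectors
# VPC Service Controls procedure end to end. Assumes gcloud and curl are
# installed and authenticated, and that these variables are exported:
#   ORGANIZATION_ID  PROJECT_ID  USER_EMAIL  ACCESS_LEVEL_NAME  PERIMETER_NAME
# Usage:  RUN=1 sh vpcsc.sh enable      RUN=1 sh vpcsc.sh disable
set -eu

API="https://connectors.googleapis.com/v1"

# --- pure helpers (no network), so the JSON handling can be checked in isolation
operation_name() {  # $1: PATCH response JSON; prints the operation resource name
  # Assumes the API's pretty-printed response, where the top-level "name" is the
  # first "name" key in the body (the first match wins).
  printf '%s\n' "$1" | sed -n 's/.*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}
lro_done() {        # $1: operation JSON; succeeds when "done": true
  printf '%s\n' "$1" | grep -Eq '"done"[[:space:]]*:[[:space:]]*true'
}
lro_failed() {      # $1: operation JSON; succeeds when an "error" object is present
  printf '%s\n' "$1" | grep -Eq '"error"[[:space:]]*:[[:space:]]*\{'
}

# --- network helpers
api_call() {        # $1: HTTP method, $2: URL, $3: optional JSON body
  token=$(gcloud auth print-access-token)
  if [ -n "${3:-}" ]; then
    curl -sS -X "$1" -H "Authorization: Bearer $token" -H "Content-Type: application/json" -d "$3" "$2"
  else
    curl -sS -X "$1" -H "Authorization: Bearer $token" -H "Content-Type: application/json" "$2"
  fi
}
fetch_operation() { # $1: operation resource name; kept separate so it can be stubbed
  api_call GET "$API/$1"
}
wait_for_lro() {    # $1: operation resource name; polls until done, fails on error/timeout
  interval=${LRO_POLL_SECONDS:-10}; tries=${LRO_MAX_TRIES:-60}; i=0
  while [ "$i" -lt "$tries" ]; do
    op=$(fetch_operation "$1")
    if lro_done "$op"; then
      # A finished LRO can still carry an error object; treat that as failure.
      if lro_failed "$op"; then echo "operation failed: $op" >&2; return 1; fi
      return 0
    fi
    i=$((i + 1)); sleep "$interval"
  done
  echo "timed out waiting for $1" >&2; return 1
}
set_vpcsc() {       # $1: true|false; flips the project setting and waits for the LRO
  resp=$(api_call PATCH "$API/projects/$PROJECT_ID/locations/global/settings" "{\"vpcsc\": $1}")
  name=$(operation_name "$resp")
  [ -n "$name" ] || { echo "no operation in response: $resp" >&2; return 1; }
  wait_for_lro "$name"
}

main() {
  # The perimeter refers to the project by number; the connectors API by ID.
  PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')
  # Assumes the organization has one access policy (the first listed is used).
  POLICY_ID=$(gcloud access-context-manager policies list \
    --organization="$ORGANIZATION_ID" --format='value(name.basename())' | head -n 1)
  case "${1:-}" in
    enable)
      printf -- '- members:\n    - user:%s\n' "$USER_EMAIL" > access.yaml
      gcloud access-context-manager levels create "$ACCESS_LEVEL_NAME" \
        --title="$ACCESS_LEVEL_NAME" --basic-level-spec=access.yaml --policy="$POLICY_ID"
      set_vpcsc true
      gcloud access-context-manager perimeters create "$PERIMETER_NAME" \
        --title="$PERIMETER_NAME" --resources="projects/$PROJECT_NUMBER" \
        --restricted-services=connectors.googleapis.com \
        --access-levels="$ACCESS_LEVEL_NAME" --policy="$POLICY_ID"
      # Verify: the project, the service and the access level should all be listed.
      gcloud access-context-manager perimeters describe "$PERIMETER_NAME" --policy="$POLICY_ID"
      ;;
    disable)
      set_vpcsc false
      gcloud access-context-manager perimeters update "$PERIMETER_NAME" \
        --remove-resources="projects/$PROJECT_NUMBER" --policy="$POLICY_ID"
      ;;
    *) echo "usage: RUN=1 $0 enable|disable" >&2; return 2 ;;
  esac
}

# Only touch real resources when explicitly asked; otherwise the file just
# defines the functions (useful for sourcing or for testing the helpers).
if [ "${RUN:-0}" = "1" ]; then main "${1:-}"; fi
```

The polling loop deliberately checks for an error object after "done": true, because a failed long-running operation still reports done; a script that only waits for done and then creates the perimeter would otherwise proceed with the vpcsc setting unchanged. The network call is isolated in fetch_operation so that the loop can be exercised against canned responses without credentials.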

What's next

Learn how VPC Service Controls protects your data.