VPC Service Controls helps you reduce the risk of unauthorized copying or transfer of data from your Google-managed services.
With VPC Service Controls, you can configure service perimeters around the resources of your Google-managed services and control the movement of data across the perimeter boundary.
Create a service perimeter
To create a service perimeter, follow the VPC Service Controls guide to creating a service perimeter.
When you design the service perimeter, include the following services:
- Migration Center API (
migrationcenter.googleapis.com) - RMA API (
rapidmigrationassessment.googleapis.com) - Cloud Storage API (
storage.googleapis.com) - Resource Manager API (
cloudresourcemanager.googleapis.com) - Cloud Logging API (
logging.googleapis.com)
Allow traffic with inbound data transfer rules
By default, the service perimeter is designed to prevent inbound data transfer from services outside of the perimeter. If you plan to use data import to upload data from outside the perimeter, or use the discovery client to collect your infrastructure data, configure data access rules to allow this.
Enable data import
To enable data import, specify the inbound data transfer rules using the following syntax:
- ingressFrom:
identities:
- serviceAccount: SERVICE_ACCOUNT
sources:
- accessLevel: \"*\"
- ingressTo:
operations:
- serviceName: storage.googleapis.com
methodSelectors:
- method: google.storage.buckets.testIamPermissions
- method: google.storage.objects.create
resources:
- projects/PROJECT_ID
Replace the following:
SERVICE_ACCOUNT: the per-product, per-project service account that you use to upload data to Migration Center, with the following format:service-PROJECT_NUMBER@gcp-sa-migcenter.iam.gserviceaccount.com.Here
PROJECT_NUMBERis the unique identifier of the Google Cloud project where you enabled the Migration Center API. For more information on project numbers, see Identifying projects.PROJECT_ID: the ID of the project inside the perimeter that you want to upload the data to.
You can't use
ANY_SERVICE_ACCOUNT and ANY_USER_ACCOUNT
identity types with signed URLs.
For more information, see
Allow access to protected resources from outside the perimeter.
Enable data collection with discovery client
To enable data collection with the discovery client, specify the inbound data transfer rules with the following syntax:
- ingressFrom:
identities:
- serviceAccount: SERVICE_ACCOUNT
sources:
- accessLevel: \"*\"
- ingressTo:
operations:
- serviceName: storage.googleapis.com
methodSelectors:
- method: \"*\"
resources:
- projects/PROJECT_ID
Replace the following:
SERVICE_ACCOUNT: the service account that you used to create the discovery client. For more information, review the discovery client installation process.PROJECT_ID: the ID of the project inside the perimeter that you want to upload the data to.
Limitations
The following limitations apply when you enable the service perimeter.
StratoZone
StratoZone is not compliant with VPC Service Controls. If you try to enable the StratoZone integration with Migration Center after creating the service perimeter, you receive an error.
However, if you enabled the StratoZone integration before creating the service perimeter, you can still access StratoZone and the data already collected, but Migration Center doesn't send any new data to StratoZone.
Exporting reports
Exporting the detailed pricing report is not supported in the service perimeter.