Using VPC Service Controls

VPC Service Controls is a Google Cloud feature that allows you to set up a secure perimeter to guard against data exfiltration. This guide shows how to use VPC Service Controls with Cloud Run to add additional security to your services.

Limitations and advisories for this preview release

  • For Artifact Registry or Container Registry:

    • The registry where you store your container must be in the same VPC Service Controls service perimeter as the project you're deploying to.
    • The code being built must be in the same perimeter as the registry that the container is being pushed to.
  • The continuous deployment feature is not available for projects inside a VPC Service Controls perimeter.

Setting up your organization to support VPC Service Controls

To use VPC Service Controls with Cloud Run, you must configure a service perimeter at the organization level. This setup ensures that VPC Service Controls checks are enforced when using Cloud Run and that developers can only deploy services that comply with VPC Service Controls.

Setting up a VPC Service Controls perimeter

To set up a service perimeter, you need the Organization Viewer (roles/resourcemanager.organizationViewer) and Access Context Manager Editor (roles/accesscontextmanager.policyEditor) roles.

Follow the VPC Service Controls Quickstart to:

  1. Create a service perimeter.
  2. Add one or more projects to the perimeter.
  3. Restrict the Cloud Run API.

As a result of setting up your service perimeter, all calls to the Cloud Run Admin API will be checked to ensure that the calls originate from within the same perimeter.

Enabling perimeter access for development machines (optional)

To manage services with the Cloud Run API, the Cloud Run UI in the Cloud Console, or the gcloud command-line tool, choose one of the following options:

  • Use a machine inside the VPC Service Controls perimeter. For example, you can use a Compute Engine VM or an on-premises machine connected to your VPC network via VPN.

Setting up your project to support VPC Service Controls

For individual projects within the service perimeter, you must perform additional configuration to use VPC Service Controls.

Configuring VPC networks

This section shows how to configure your VPC network so that requests sent to the regular googleapis.com virtual IP are automatically routed to the restricted virtual IP (VIP) range, 199.36.153.4/30 (restricted.googleapis.com), which only serves Google APIs that check VPC Service Controls and is where your Cloud Run service is served from. No code changes are needed.

For each VPC network in a project, follow these steps to block outbound traffic except for traffic to the restricted VIP range:

  1. Configure firewall rules to prevent data from leaving the VPC network:

    • Create a deny egress rule that blocks all outbound traffic.

    • Create an allow egress rule that permits traffic to 199.36.153.4/30 on TCP port 443. Give it a higher priority (a lower priority number) than the deny egress rule you just created, so that egress is allowed only to the restricted VIP range.

  2. Configure DNS to resolve *.googleapis.com to restricted.googleapis.com.

  3. Configure DNS with an A record mapping *.run.app to the 199.36.153.4/30 IP range. You can do this with Cloud DNS:

    gcloud dns managed-zones create ZONE_NAME \
        --visibility=private \
        --networks=https://www.googleapis.com/compute/v1/projects/PROJECT_NAME/global/networks/default \
        --description=none \
        --dns-name=run.app

    gcloud dns record-sets transaction start --zone=ZONE_NAME

    gcloud dns record-sets transaction add --name=*.run.app. \
        --type=A 199.36.153.4 199.36.153.5 199.36.153.6 199.36.153.7 \
        --zone=ZONE_NAME \
        --ttl=300

    gcloud dns record-sets transaction execute --zone=ZONE_NAME

At this point, requests originating from within the VPC network:

  • are not able to leave the VPC network, preventing egress outside the service perimeter.
  • can only reach Google APIs and services that check VPC Service Controls, preventing exfiltration through Google APIs.

Deploying VPC Service Controls-compliant Cloud Run services

After VPC Service Controls is configured for Cloud Run, make sure all services deployed within the service perimeter enable VPC Service Controls. This means that:

  • All services must use a Serverless VPC Access connector. See Connecting to a VPC network for more information.
  • All services must allow only traffic from internal sources. See Ingress settings for more information.
  • All services must route all outgoing traffic through the VPC network. See Egress settings for more information.

Google recommends that you periodically audit your services to make sure your ingress and egress settings conform to these requirements, and update or redeploy services as necessary. For example, you could create a script that uses the Cloud Run Admin API to list your services and highlight those that do not specify the proper network settings.
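The following is an added example of such an audit script, not code from Google's documentation. It reads service manifests in the shape returned by the Cloud Run Admin API (v1) and checks the three requirements above through the `run.googleapis.com/vpc-access-connector`, `run.googleapis.com/vpc-access-egress` and `run.googleapis.com/ingress` annotations; the sample manifests are constructed, and the script treats `internal` as the only ingress setting that admits internal sources alone.

```python
"""Audit Cloud Run services for the VPC Service Controls settings listed above."""
from typing import Dict, List

# Annotation keys used in the Cloud Run Admin API (v1) service manifest.
CONNECTOR = "run.googleapis.com/vpc-access-connector"   # template-level
EGRESS = "run.googleapis.com/vpc-access-egress"         # template-level
INGRESS = "run.googleapis.com/ingress"                  # service-level


def audit_service(service: dict) -> List[str]:
    """Return the findings for one service manifest; an empty list means compliant."""
    findings = []
    svc_ann = service.get("metadata", {}).get("annotations") or {}
    tmpl_ann = (service.get("spec", {}).get("template", {})
                .get("metadata", {}).get("annotations") or {})
    if not tmpl_ann.get(CONNECTOR):
        findings.append("no Serverless VPC Access connector configured")
    if tmpl_ann.get(EGRESS) != "all-traffic":
        findings.append(f"egress is {tmpl_ann.get(EGRESS, 'unset')!r}, expected 'all-traffic'")
    # Only 'internal' restricts ingress to internal sources alone (assumption noted in lead-in).
    if svc_ann.get(INGRESS) != "internal":
        findings.append(f"ingress is {svc_ann.get(INGRESS, 'unset')!r}, expected 'internal'")
    return findings


def audit_all(services: List[dict]) -> Dict[str, List[str]]:
    """Map each non-compliant service name to its findings; compliant services are omitted."""
    report = {}
    for svc in services:
        findings = audit_service(svc)
        if findings:
            report[svc.get("metadata", {}).get("name", "<unnamed>")] = findings
    return report


# Constructed sample manifests (not real services), trimmed to the fields the audit reads.
SAMPLE_SERVICES = [
    {"metadata": {"name": "billing-api", "annotations": {INGRESS: "internal"}},
     "spec": {"template": {"metadata": {"annotations": {
         CONNECTOR: "vpc-conn", EGRESS: "all-traffic"}}}}},
    {"metadata": {"name": "public-frontend", "annotations": {INGRESS: "all"}},
     "spec": {"template": {"metadata": {"annotations": {
         CONNECTOR: "vpc-conn", EGRESS: "private-ranges-only"}}}}},
    {"metadata": {"name": "legacy-worker"}, "spec": {"template": {"metadata": {}}}},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SERVICES).items():
        print(f"{name}: {'; '.join(findings)}")
```

To run it against live data, replace `SAMPLE_SERVICES` with the parsed output of `gcloud run services list --format=json`, which returns the same manifest shape.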