Configure Secure Source Manager in a VPC Service Controls perimeter

This guide shows how to use a Private Service Connect Secure Source Manager in a VPC Service Controls perimeter to guard against data exfiltration.

This guide is intended for network administrators, security architects, and cloud operations professionals who want to mitigate the risk of sensitive data loss.

Before you begin

1. Create a Private Service Connect Secure Source Manager instance.
2. Create a VPC Service Controls perimeter.

Required roles

To get the permissions that you need to configure Secure Source Manager in a VPC Service Controls perimeter, ask your administrator to grant you the following IAM roles on the organization:

• Access Context Manager Admin role (roles/accesscontextmanager.policyAdmin)
• Project Creator (roles/resourcemanager.projectCreator)

Follow best practices

Careless enablement of VPC Service Controls can cause problems with existing applications and could potentially cause an outage. We recommend that you plan enablement carefully and allow ample time to gather data, conduct tests, and analyze violation logs. Make sure that stakeholders from your VPC Service Controls operations team and your applications team are available for the task.

For more information on best practices, see Best practices for enabling VPC Service Controls

Add your project to the perimeter

1. In the Google Cloud console, go to the VPC Service Controls page.

   Go to VPC Service Controls

2. On the VPC Service Controls page, select the perimeter you want to use to protect your project.

3. On the VPC Service Control enforced config detail page, click Edit in the resources to protect section.

4. Click Resources to protect and add your project ID.

5. Click Save.

Add Secure Source Manager as a restricted service

1. In the Google Cloud console, go to the VPC Service Controls page.

   Go to VPC Service Controls

2. On the VPC Service Controls page, select the perimeter you added your project to.

3. On the VPC Service Control enforced config detail page, click Edit in the Restricted services section.

4. Click Add services.

5. In the Specify services to restrict dialog, select the checkbox next to Secure Source Manager. You can use the filter query to locate Secure Source Manager in the list.

6. Click Save.

After you update a service perimeter, it can take up to 30 minutes for the changes to propagate and take effect. During this time, the perimeter might block requests with the following error message:

Error 403: Request is prohibited by organization's policy.

What's next

• Learn more about Private Service Connect.
• Learn more about Connecting to VMs without external IP addresses.