This document describes how to add ingress and egress rules to allow Vulnerability Assessment for Google Cloud to scan VMs in your VPC Service Controls perimeters. Perform this task if your organization uses VPC Service Controls to restrict services in projects that you want Vulnerability Assessment for Google Cloud to scan. For more information about Vulnerability Assessment for Google Cloud, see Enable and use Vulnerability Assessment for Google Cloud.
Before you begin
Make sure that you have the following role or roles on the organization:
- Access Context Manager Editor (roles/accesscontextmanager.policyEditor)
Check for the roles
- In the Google Cloud console, go to the IAM page.
- Select the organization.
- In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
Grant the roles
- In the Google Cloud console, go to the IAM page.
- Select the organization.
- Click Grant access.
- In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
Create the egress and ingress rules
To allow Vulnerability Assessment for Google Cloud to scan the VMs in VPC Service Controls perimeters, add the required egress and ingress rules in those perimeters. Perform these steps for each perimeter that you want Vulnerability Assessment for Google Cloud to scan.
For more information, see Updating ingress and egress policies for a service perimeter in the VPC Service Controls documentation.
Console
- In the Google Cloud console, go to the VPC Service Controls page.
- Select your organization or project.
- In the drop-down list, select the access policy that contains the service perimeter that you want to grant access to. The service perimeters associated with the access policy appear in the list.
- Click the name of the service perimeter that you want to update. To find the service perimeter you need to modify, you can check your logs for entries that show RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER violations. In those entries, check the servicePerimeterName field: accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER_NAME
- Click Edit.
- Click Egress policy.
- Click Add an egress rule.
- In the From section, set the following details:
  - For Identities > Identity, select Select identities & groups.
  - Click Add identities.
  - Enter the email address of the Cloud Security Command Center service agent. The service agent's address has the following format: service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com. Replace ORGANIZATION_ID with your organization ID.
  - Select the service agent or press ENTER, and then click Add identities.
- In the To section, set the following details:
  - For Resources > Projects, select All projects.
  - For Operations or IAM roles, select Select operations.
  - Click Add operations, and then add the following operation:
    - Add the compute.googleapis.com service.
    - Click Select methods.
    - Select the DisksService.Insert method.
    - Click Add selected methods.
- Click Ingress policy.
- Click Add an ingress rule.
- In the From section, set the following details:
  - For Identities > Identity, select Select identities & groups.
  - Click Add identities.
  - Enter the email address of the Security Center service agent. The service agent's address has the following format: service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com. Replace ORGANIZATION_ID with your organization ID.
  - Select the service agent or press ENTER, and then click Add identities.
  - For Sources, select All sources.
- In the To section, set the following details:
  - For Resources > Projects, select All projects.
  - For Operations or IAM roles, select Select operations.
  - Click Add operations, and then add the following operations:
    - Add the compute.googleapis.com service.
    - Click Select methods.
    - Select the following methods:
      - DisksService.Insert
      - InstancesService.AggregatedList
      - InstancesService.List
    - Click Add selected methods.
- Click Save.
gcloud
- If a quota project isn't already set, then set it. Choose a project that has the Access Context Manager API enabled.

      gcloud config set billing/quota_project QUOTA_PROJECT_ID

  Replace QUOTA_PROJECT_ID with the ID of the project that you want to use for billing and quota.
- Create a file named egress-rule.yaml with the following contents:

      - egressFrom:
          identities:
          - serviceAccount:service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
        egressTo:
          operations:
          - serviceName: compute.googleapis.com
            methodSelectors:
            - method: DisksService.Insert
          resources:
          - '*'

  Replace ORGANIZATION_ID with your organization ID.
- Create a file named ingress-rule.yaml with the following contents:

      - ingressFrom:
          identities:
          - serviceAccount:service-org-ORGANIZATION_ID@security-center-api.iam.gserviceaccount.com
          sources:
          - accessLevel: '*'
        ingressTo:
          operations:
          - serviceName: compute.googleapis.com
            methodSelectors:
            - method: DisksService.Insert
            - method: InstancesService.AggregatedList
            - method: InstancesService.List
          resources:
          - '*'

  Replace ORGANIZATION_ID with your organization ID.
- Add the egress rule to the perimeter:

      gcloud access-context-manager perimeters update PERIMETER_NAME \
          --set-egress-policies=egress-rule.yaml

  Replace the following:
  - PERIMETER_NAME: the name of the perimeter. For example, accessPolicies/1234567890/servicePerimeters/example_perimeter. To find the service perimeter you need to modify, you can check your logs for entries that show RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER violations. In those entries, check the servicePerimeterName field: accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER_NAME
- Add the ingress rule to the perimeter:

      gcloud access-context-manager perimeters update PERIMETER_NAME \
          --set-ingress-policies=ingress-rule.yaml

  Replace the following:
  - PERIMETER_NAME: the name of the perimeter. For example, accessPolicies/1234567890/servicePerimeters/example_perimeter. To find the service perimeter you need to modify, you can check your logs for entries that show RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER violations. In those entries, check the servicePerimeterName field: accessPolicies/ACCESS_POLICY_ID/servicePerimeters/SERVICE_PERIMETER_NAME
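The --set-egress-policies and --set-ingress-policies flags replace the perimeter's whole rule list rather than appending to it, so a perimeter that already has rules should have them read back with `gcloud access-context-manager perimeters describe PERIMETER_NAME --format=json` and merged before the update. The script below is an added example, not Google's code: it builds the two rules from this page as dicts, merges them idempotently into a constructed sample of that describe output, and writes the merged lists as JSON files (assumed acceptable to gcloud because JSON is valid YAML; the `status.egressPolicies` / `status.ingressPolicies` field names follow the Access Context Manager API).

```python
import json

SCC_AGENT = "serviceAccount:service-org-{org}@security-center-api.iam.gserviceaccount.com"
COMPUTE = "compute.googleapis.com"
INGRESS_METHODS = ("DisksService.Insert", "InstancesService.AggregatedList",
                   "InstancesService.List")

def scc_egress_rule(org_id):
    """The egress rule from this page, with the same keys as egress-rule.yaml."""
    return {"egressFrom": {"identities": [SCC_AGENT.format(org=org_id)]},
            "egressTo": {"operations": [{"serviceName": COMPUTE,
                                         "methodSelectors": [{"method": "DisksService.Insert"}]}],
                         "resources": ["*"]}}

def scc_ingress_rule(org_id):
    """The ingress rule from this page: three Compute methods, any source."""
    return {"ingressFrom": {"identities": [SCC_AGENT.format(org=org_id)],
                            "sources": [{"accessLevel": "*"}]},
            "ingressTo": {"operations": [{"serviceName": COMPUTE,
                                          "methodSelectors": [{"method": m} for m in INGRESS_METHODS]}],
                          "resources": ["*"]}}

def merge_rule(existing, rule):
    """Return existing + rule, unless an identical rule is already there (idempotent)."""
    return list(existing) if rule in existing else list(existing) + [rule]

def merged_policies(describe_json, org_id):
    """Take the JSON printed by `perimeters describe --format=json` and return
    (egress_policies, ingress_policies) with the two SCC rules merged in."""
    status = json.loads(describe_json).get("status", {})
    return (merge_rule(status.get("egressPolicies", []), scc_egress_rule(org_id)),
            merge_rule(status.get("ingressPolicies", []), scc_ingress_rule(org_id)))

# Constructed sample of a describe output: one unrelated egress rule already exists
SAMPLE_DESCRIBE = json.dumps({
    "name": "accessPolicies/1234567890/servicePerimeters/example_perimeter",
    "status": {"egressPolicies": [{"egressFrom": {"identities": ["user:ops@example.com"]},
                                   "egressTo": {"operations": [{"serviceName": "storage.googleapis.com",
                                                                "methodSelectors": [{"method": "*"}]}],
                                                "resources": ["*"]}}]}})

if __name__ == "__main__":
    egress, ingress = merged_policies(SAMPLE_DESCRIBE, "123456789012")
    # JSON is valid YAML, so these files can be passed to --set-egress-policies / --set-ingress-policies
    with open("egress-rule.yaml", "w") as f:
        json.dump(egress, f, indent=2)
    with open("ingress-rule.yaml", "w") as f:
        json.dump(ingress, f, indent=2)
    print(f"egress rules: {len(egress)}, ingress rules: {len(ingress)}")
```

Running the update with the merged files keeps the pre-existing rule and adds only the two rules the scanner needs; re-running the script does not duplicate them.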
See Ingress and egress rules for more information.