Using Transfer for on-premises with VPC Service Controls

Transfer service for on-premises data (Transfer for on-premises) has beta support for on-premises transfers to Cloud Storage buckets protected by VPC Service Controls. To use Transfer for on-premises to transfer to Cloud Storage buckets inside security perimeters, some extra setup is required.

To learn more about VPC Service Controls, see Overview of VPC Service Controls.

For information about using VPC Service Controls with Storage Transfer Service, see Using Storage Transfer Service with VPC Service Controls.

Prerequisites

To use Transfer for on-premises with VPC Service Controls, the following items need to be located within the same service perimeter:

  • The project used to create on-premises transfer jobs
  • The destination Cloud Storage bucket

Supported configurations

Use either of the following methods to configure Transfer for on-premises agents to work with VPC Service Controls:

  • If Transfer for on-premises agents must remain outside of the service perimeter that contains your Cloud Storage bucket and Transfer for on-premises project, add the Transfer for on-premises agents to an access level.

    This method is easier to set up, and allows Transfer for on-premises agents to access Google Cloud resources inside and outside the service perimeter.

  • If Transfer for on-premises agents can be added to the service perimeter that contains your Cloud Storage bucket and Transfer for on-premises project, configure Private Google Access with VPC Service Controls for the on-premises network used by Transfer for on-premises agents.

    This method requires more steps to complete, and Transfer for on-premises agents are able to access only the Google Cloud resources within the service perimeter.

Adding agents to an access level

To add Transfer for on-premises agents to an access level:

  1. Determine how you will add agents to an access level: by IP address or by service account.

  2. Add the agents to an access level:
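The script below is an added example, not part of this documentation. It writes the basic-level spec file that `gcloud access-context-manager levels create --basic-level-spec=FILE` reads, for both ways of admitting agents: by the agents' public source IP range and by the agents' service accounts. It also refuses private (RFC 1918, loopback, link-local) ranges, because an IP condition in an access level must be a public address, so agents behind NAT must be listed by their NAT egress range. The policy ID, CIDRs, service-account name and level names are placeholders; the commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example, not from the Transfer for on-premises docs.
# Builds the "basic level spec" YAML consumed by
#   gcloud access-context-manager levels create --basic-level-spec=FILE
# for admitting agents by public source IP range or by service account.
# Policy ID, CIDRs and service-account names below are placeholders.

# Access-level IP conditions must be public addresses: reject RFC 1918,
# loopback and link-local ranges so an agent's LAN address is not used by mistake.
is_public_ipv4() {
  case ${1%/*} in
    10.*|127.*|169.254.*|192.168.*) return 1 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    *) return 0 ;;
  esac
}

# write_ip_level_spec FILE CIDR...   one ipSubnetworks condition listing the CIDRs
write_ip_level_spec() {
  out=$1; shift
  for cidr in "$@"; do
    is_public_ipv4 "$cidr" || { echo "refusing non-public range $cidr" >&2; return 1; }
  done
  {
    echo "- ipSubnetworks:"
    for cidr in "$@"; do echo "  - $cidr"; done
  } > "$out"
}

# write_sa_level_spec FILE SA_EMAIL...   one members condition listing the agents' service accounts
write_sa_level_spec() {
  out=$1; shift
  {
    echo "- members:"
    for sa in "$@"; do echo "  - serviceAccount:$sa"; done
  } > "$out"
}

# levels_create_cmd LEVEL_NAME TITLE SPEC_FILE POLICY_ID   prints the gcloud command
levels_create_cmd() {
  echo "gcloud access-context-manager levels create $1 --title=\"$2\" --basic-level-spec=$3 --policy=$4"
}

# Demo: generate both specs and print the commands; run them once reviewed.
if [ "${RUN_DEMO:-0}" = 1 ]; then
  write_ip_level_spec agents-ip.yaml 203.0.113.0/24
  write_sa_level_spec agents-sa.yaml transfer-agent@PROJECT_ID.iam.gserviceaccount.com
  levels_create_cmd onprem_agents_ip "On-prem transfer agents (IP)" agents-ip.yaml POLICY_ID
  levels_create_cmd onprem_agents_sa "On-prem transfer agents (SA)" agents-sa.yaml POLICY_ID
fi
```

Run with `RUN_DEMO=1 sh levels.sh` to produce the two spec files and the commands; attach the resulting level to the perimeter with `--access-levels` (on `perimeters create` or `perimeters update`) so the agents outside the perimeter can reach the bucket and the transfer project.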

Using Private Google Access with VPC Service Controls

To use Private Google Access with VPC Service Controls:

  1. Create a service perimeter to restrict the following services:

    • Cloud Storage
    • Pub/Sub
    • Storage Transfer Service

  2. Configure Private Google Access for on-premises hosts.

  3. Create transfer jobs in a project that is within the service perimeter. This ensures that Pub/Sub resources are within the service perimeter and therefore accessible by Transfer for on-premises agents.
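The script below is an added example, not part of this documentation. It covers the three steps above: it prints the `gcloud access-context-manager perimeters create` command that restricts Cloud Storage, Pub/Sub and Storage Transfer Service with the transfer project inside the perimeter; it reports which of those three services an existing perimeter's `restrictedServices` list is missing; and it checks, on an on-premises host, that the Google API hostnames resolve only to the restricted VIP range `199.36.153.4/30` used by Private Google Access for on-premises hosts. The project number and policy ID are placeholders, and the resolution check assumes `getent` is available on the host.

```shell
#!/bin/sh
# Added example, not from the Transfer for on-premises docs.
# Prints the perimeter-creation command, audits an existing perimeter's
# restricted services, and verifies on-prem DNS sends Google API names to the
# restricted VIP (199.36.153.4/30). Project number and policy ID are placeholders.

REQUIRED_SERVICES="storage.googleapis.com pubsub.googleapis.com storagetransfer.googleapis.com"

# perimeter_create_cmd NAME TITLE PROJECT_NUMBER POLICY_ID
# The project that creates the transfer jobs goes in --resources, so its
# Pub/Sub topics and the destination bucket sit inside the perimeter.
perimeter_create_cmd() {
  svcs=$(printf '%s,' $REQUIRED_SERVICES); svcs=${svcs%,}
  echo "gcloud access-context-manager perimeters create $1 --title=\"$2\" --resources=projects/$3 --restricted-services=$svcs --policy=$4"
}

# missing_restricted_services CSV   prints required services absent from a
# comma-separated list such as the restrictedServices of `perimeters describe`.
missing_restricted_services() {
  have=",$1,"
  for svc in $REQUIRED_SERVICES; do
    case $have in *",$svc,"*) ;; *) echo "$svc" ;; esac
  done
}

# in_restricted_vip IPV4   true only for 199.36.153.4 through 199.36.153.7
in_restricted_vip() {
  case $1 in
    199.36.153.[4-7]) return 0 ;;
    *) return 1 ;;
  esac
}

# check_pga_resolution HOST   resolve HOST locally and require every address to
# be a restricted VIP; any other address means requests would go to the public
# Google front ends, where the perimeter rejects them.
check_pga_resolution() {
  addrs=$(getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u)
  [ -n "$addrs" ] || { echo "$1: no IPv4 address"; return 2; }
  for a in $addrs; do
    in_restricted_vip "$a" || { echo "$1 -> $a is outside 199.36.153.4/30"; return 1; }
  done
  echo "$1 resolves only to the restricted VIP"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
  perimeter_create_cmd onprem_transfer "On-prem transfer perimeter" PROJECT_NUMBER POLICY_ID
  for h in $REQUIRED_SERVICES; do
    check_pga_resolution "$h"
  done
fi
```

Run with `RUN_DEMO=1 sh perimeter.sh` on an agent host. A `check_pga_resolution` failure means the on-premises DNS for `*.googleapis.com` does not yet point at `restricted.googleapis.com`, which is the step "Configure Private Google Access for on-premises hosts" above; a non-empty `missing_restricted_services` result means a perimeter update is needed before the transfer can be protected end to end.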

Troubleshooting

To troubleshoot errors, see Troubleshooting VPC Service Controls errors.