Storage Transfer Service supports on-premises transfers to Cloud Storage buckets protected by VPC Service Controls, under the following conditions:
Creating a transfer with Storage Transfer Service API protects all transferred data.
Creating a transfer with Google Cloud console protects only file contents. File metadata, such as file names and file sizes, are not protected.
This guide describes the setup required to use Storage Transfer Service to transfer to Cloud Storage buckets within security perimeters.
To learn more about VPC Service Controls, see Overview of VPC Service Controls.
For information about using VPC Service Controls with Storage Transfer Service, see Using Storage Transfer Service with VPC Service Controls.
To use Storage Transfer Service with VPC Service Controls, the following items need to be located within the same service perimeter:
- The project used to create on-premises transfer jobs
- The destination Cloud Storage bucket.
Use either of the following methods to configure transfer agents to work with VPC Service Controls:
If transfer agents must remain outside of the service perimeter that contains your Cloud Storage bucket and Storage Transfer Service project, add the agents to an access level.
This method is easier to set up, and allows transfer agents to access Google Cloud resources inside and outside the service perimeter.
If transfer agents can be added to the service perimeter that contains your Cloud Storage bucket and Storage Transfer Service project, configure Private Google Access with VPC Service Controls for the on-premises network used by transfer agents.
This method requires more steps to complete, and transfer agents are able to access only the Google Cloud resources within the service perimeter.
Adding agents to an access level
To add transfer agents to an access level:
Determine how you will add agents to an access level: by IP address or by service accounts.
Add the agents to an access level:
To add agents' IP addresses to an access level, follow the instructions in Limit access on a corporate network.
To add agents' service account to an access level, follow the instructions in Limit access by user or service account.
Using Private Google Access with VPC Service Controls
To use Private Google Access with VPC Service Controls:
Create a service perimeter to restrict the following services:
- Cloud Storage
- Storage Transfer Service
Create transfer jobs in a project that is within the service perimeter. This ensures that Pub/Sub resources are within the service perimeter and therefore accessible by transfer agents.
To troubleshoot errors, see Troubleshooting VPC Service Controls errors.