Storage Transfer Service has beta support for transfers to Cloud Storage buckets protected by VPC Service Controls.
Storage Transfer Service requires access to Cloud Storage buckets in order to move data into or between Cloud Storage buckets. If you have buckets that are within a VPC Service Controls service perimeter, then you need to do some extra setup to use Storage Transfer Service to transfer data to Cloud Storage.
To protect your TransferOperation requests, you can add the Storage Transfer Service API as a protected service to your service perimeters.
To protect the underlying Cloud Storage buckets and objects, you also need to add the Cloud Storage API as a protected service to your service
To learn more about VPC Service Controls, see Overview of VPC Service Controls.
For information about using VPC Service Controls with Transfer service for on-premises data, see Using Transfer for on-premises with VPC Service Controls.
You can configure Storage Transfer Service to work with Cloud Storage buckets protected by VPC Service Controls with the following methods:
If you can change your Cloud Storage buckets to be located within a single service perimeter, or all of your Cloud Storage buckets are within the same service perimeter, you can add your Storage Transfer Service project to the service perimeter of your Cloud Storage buckets.
This method is for transfers only between Cloud Storage buckets. It is the easiest method to set up and manage.
If you cannot change the service perimeters of your Cloud Storage buckets, or you have Cloud Storage buckets in different service perimeters, create a perimeter bridge to all projects that contain the Cloud Storage buckets you want to transfer data to.
This method allows your Storage Transfer Service project to transfer data between your Cloud Storage projects, even if the two projects are in different service perimeters. This method also ensures that access to your Cloud Storage bucket perimeters is from a restricted set of services and resources.
If you fall into any of the following situations:
- You want to transfer data from an external cloud provider to a Cloud Storage bucket within a service perimeter.
- Your Storage Transfer Service project is outside of your Cloud Storage bucket's service perimeter.
- Your service account doesn't fit the form email@example.com, even if the service account belongs to a project inside a perimeter.
This method doesn't require you to place the Storage Transfer Service project within a service perimeter, and allows you to configure the access level to only allow requests from the Storage Transfer Service service account.
To use a service perimeter, follow the instructions in Create a service perimeter to include the following projects:
- Cloud Storage bucket projects
And to protect the following services:
- Cloud Storage API (storage.googleapis.com)
- Storage Transfer Service API (storagetransfer.googleapis.com)
To use a perimeter bridge:
- Cloud Storage bucket projects
After you create your access level, add the access level to your service perimeter that restricts access to the Google Cloud projects containing your Cloud Storage buckets.
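To check an existing configuration against the three setups described above (same perimeter, perimeter bridge, access level), here is an added example that is not part of the Google Cloud documentation. It assumes the perimeters are supplied in the shape that `gcloud access-context-manager perimeters describe --format=json` returns (fields `name`, `perimeterType`, `status.resources`, `status.restrictedServices`, `status.accessLevels`); the project numbers and perimeter names in the sample are constructed.

```python
# Added example (not from the Google Cloud docs): report which of the three
# setups above a transfer satisfies. Input is a list of ServicePerimeter
# resources as `gcloud access-context-manager perimeters describe --format=json`
# returns them (assumed fields: name, perimeterType, status.*). Ids are made up.
REQUIRED = {"storage.googleapis.com", "storagetransfer.googleapis.com"}
REGULAR, BRIDGE = "PERIMETER_TYPE_REGULAR", "PERIMETER_TYPE_BRIDGE"

def perimeters_with(perimeters, project, kind):
    """Names of perimeters of the given type whose enforced status lists the project."""
    return {p["name"] for p in perimeters if p.get("perimeterType", REGULAR) == kind
            and f"projects/{project}" in p["status"].get("resources", [])}

def missing_services(perimeter):
    """Services the page requires that the perimeter does not restrict."""
    return sorted(REQUIRED - set(perimeter["status"].get("restrictedServices", [])))

def check_transfer(perimeters, sts_project, bucket_projects):
    """Return (method, problems); method is None when no described setup holds."""
    by_name = {p["name"]: p for p in perimeters}
    problems, regular = [], {}
    for b in bucket_projects:
        regular[b] = perimeters_with(perimeters, b, REGULAR)
        if not regular[b]:
            problems.append(f"bucket project {b} is in no regular perimeter")
        for n in regular[b]:
            problems += [f"{n} does not restrict {s}" for s in missing_services(by_name[n])]
    if problems:
        return None, problems
    # Method 1: the STS project shares a regular perimeter with every bucket project.
    if all(perimeters_with(perimeters, sts_project, REGULAR) & names for names in regular.values()):
        return "same-perimeter", []
    # Method 2: a perimeter bridge joins the STS project to each bucket project.
    sts_bridges = perimeters_with(perimeters, sts_project, BRIDGE)
    if all(sts_bridges & perimeters_with(perimeters, b, BRIDGE) for b in bucket_projects):
        return "bridge", []
    # Method 3: every bucket perimeter has an access level attached (membership not inspected).
    if all(any(by_name[n]["status"].get("accessLevels") for n in names) for names in regular.values()):
        return "access-level", []
    return None, [f"project {sts_project} has no path into the bucket perimeters"]

# Constructed sample: bucket project 111 in "prod" (both services restricted),
# STS project 222 in "tools", and a bridge joining the two projects.
SAMPLE = [
    {"name": "prod", "perimeterType": REGULAR,
     "status": {"resources": ["projects/111"], "restrictedServices": sorted(REQUIRED)}},
    {"name": "tools", "perimeterType": REGULAR,
     "status": {"resources": ["projects/222"], "restrictedServices": []}},
    {"name": "bridge", "perimeterType": BRIDGE,
     "status": {"resources": ["projects/111", "projects/222"]}},
]
```

Running `check_transfer(SAMPLE, "222", ["111"])` reports the bridge setup; pointing it at a bucket project whose perimeter does not restrict both APIs returns the missing services as problems.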
For help troubleshooting, see VPC Service Controls Troubleshooting.