Using Storage Transfer Service with VPC Service Controls

Storage Transfer Service has beta support for transfers to Cloud Storage buckets protected by VPC Service Controls.

Storage Transfer Service requires access to Cloud Storage buckets in order to move data into or between Cloud Storage buckets. If you have buckets that are within a VPC Service Controls service perimeter, then you need to do some extra setup to to use Storage Transfer Service to transfer data to Cloud Storage.

To protect your TransferJob and TransferOperation requests, you can add the Storage Transfer Service API as a protected service to your service perimeters. To protect the underlying Cloud Storage buckets and objects, you also need to add the Cloud Storage API as a protected service to your service perimeter.

To learn more about VPC Service Controls, see Overview of VPC Service Controls.

For information about using VPC Service Controls with Transfer service for on-premises data, see Using Transfer for on-premises with VPC Service Controls.

Supported configurations

You can configure Storage Transfer Service to work with Cloud Storage buckets protected by VPC Service Controls with the following methods:

  • If you can change your Cloud Storage buckets to be located within a single service perimeter, or all of your Cloud Storage buckets are within the same service perimeter, you can add your Storage Transfer Service project to the service perimeter of your Cloud Storage buckets.

    This method is for transfers only between Cloud Storage buckets. It is the easiest method to set up and manage.

  • If you cannot change the service perimeters of your Cloud Storage buckets, or you have Cloud Storage buckets in different service perimeters create a perimeter bridge to all projects that contain the Cloud Storage buckets you want to transfer data to.

    This method allows your Storage Transfer Service project to transfer data between your Cloud Storage projects, even if both projects are in different service perimeters. This method also ensures that access to your Cloud Storage bucket perimeters are from a restricted set of services and resources.

  • If you fall into any of the following situations:

    • You want to transfer data from an external cloud provider to a Cloud Storage bucket within a service perimeter.
    • Your Storage Transfer Service project is outside of your Cloud Storage bucket's service perimeter.
    • Your service account doesn't fit the form project-project_number@storage-transfer-service.iam.gserviceaccount.com, even if the service account belongs to a project inside a perimeter.

    Then Add the Storage Transfer Service service account to an access level.

    This method doesn't require you to place the Storage Transfer Service project within a service perimeter, and allows you to configure the access level to only allow requests from the Storage Transfer Service service account.

Service perimeter

To use a service perimeter, follow the instructions in Create a service perimeter to include the following projects:

  • The TransferJob project
  • Cloud Storage bucket projects

And to protect the following services:

  • Cloud Storage API (storage.googleapis.com)
  • Storage Transfer Service API (storagetransfer.googleapis.com)

Perimeter bridge

To use a perimeter bridge:

  1. Create a service perimeter for Storage Transfer Service.

  2. Create a perimeter bridge to connect:

  • The TransferJob project
  • Cloud Storage bucket projects

Access level

To use an access level, follow the instructions in Creating an access level to grant access to the TransferJob service account.

After you create your access level, add the access level to your service perimeter that restricts access to the Google Cloud projects containing your Cloud Storage buckets.

Troubleshooting

For help troubleshooting, see VPC Service Controls Troubleshooting.