This page provides an overview of bucket IP filtering including its benefits, how it works, supported locations, and limitations to consider.
Overview
Cloud Storage offers bucket IP filtering to manage access to your data stored in buckets.
Bucket IP filtering is a network security mechanism that restricts access to a bucket based on the source IP address of the request and secures your data from from unauthorized access.
The bucket IP filtering feature for Cloud Storage enables fine-grained access control based on IPv4 or IPv6 address ranges or the Google Cloud Virtual Private Cloud. You can configure a list of IP ranges at the bucket level and all incoming requests to the bucket are restricted to the configured IP ranges and VPCs. This feature provides a way to secure sensitive data in Cloud Storage buckets and prevent unauthorized access from specific IP addresses or VPCs.
Benefits
Bucket IP filtering for Cloud Storage offers the following benefits:
Fine-grained access control: Restrict access to your Cloud Storage buckets based on the specific IP address (IPv4 or IPv6) or Google Cloud Virtual Private Cloud of the requester. Bucket IP filtering acts as a strong network-level security layer, preventing unauthorized access from unknown or untrusted sources.
Enhanced security: By limiting access to authorized IP addresses or VPCs, you can reduce the risk of unauthorized access, data breaches, and malicious activity.
Flexible configuration: You can configure and manage lists of IP ranges at the bucket level, tailoring the access control to your specific requirements.
How does it work?
Bucket IP filtering helps you control access to your buckets by defining rules that permit requests from specific IPv4 and IPv6 addresses. Incoming requests are evaluated against these rules to determine access permissions.
A bucket IP filtering rule includes the following configurations:
Public internet access: You can define rules to manage requests originating from the public internet (outside any configured Virtual Private Cloud). These rules specify allowed IPv4 or IPv6 addresses using CIDR ranges, authorizing inbound traffic from those sources.
Virtual private cloud (VPC) access: For granular control over access from specific VPC networks, you can define rules for each network. These rules include allowed IP ranges, enabling precise management of access from your virtual network infrastructure.
Supported locations
Bucket IP filtering is available in the following locations:
asia-south1
asia-south2
asia-southeast1
asia-southeast2
asia-east1
asia-east2
europe-west1
europe-west2
us-central1
us-east1
us-east4
us-west1
Limitations
Bucket IP filtering has the following limitations:
Maximum number of public IP addresses: You can specify a maximum of 200 public IP addresses in the IP filter rules for a bucket.
Maximum number of private IP addresses: You can specify a maximum of 25 private IP addresses (or VPC networks) in the IP filter rules for a bucket.
Dual-region support: IP filtering is not supported for dual-regional buckets.
Blocked Google Cloud services: Enabling IP filtering on Cloud Storage buckets restricts access for some Google Cloud services, regardless of whether they use a service agent to interact with Cloud Storage. For example, services such as BigQuery use Cloud Storage for importing and exporting data. To prevent service disruptions, we recommend not using IP filtering on Cloud Storage buckets accessed by the following services:
- BigQuery interactions with Cloud Storage:
- Load data from Cloud Storage to BigQuery.
- Export table data from BigQuery to Cloud Storage.
- Export query results from BigQuery to Cloud Storage.
- Query from an external Cloud Storage table with BigQuery.
- Query structured data from a BigLake Cloud Storage table,
- Query unstructured data from a BigLake Cloud Storage table.
- If your App Engine applications access data in Cloud Storage, we recommend using App Engine through a Virtual Private Cloud.
- Storage Insights.
- When working with Vertex AI model artifacts, we recommend using Cloud Storage as a mounted file system.
- BigQuery interactions with Cloud Storage:
What's next
- Create IP filtering rules on a bucket.
- Update the IP filtering rules on a bucket.
- List the IP filtering rules on a bucket.
- Disable the IP filtering rules on a bucket.
- Bypass the IP filtering rules on a bucket.
Try it for yourself
If you're new to Google Cloud, create an account to evaluate how Cloud Storage performs in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
Try Cloud Storage free