VPC Service Controls with VMware Engine

To further protect your Google Cloud VMware Engine resources, you can protect them using VPC Service Controls.

VPC Service Controls let you define a security perimeter for your VMware Engine resources. The service perimeter limits exporting and importing of resources and their associated data to within the defined perimeter. A basic or advanced ruleset must be added to your VPC Service Perimeter ingress and egress policies in order to successfully deploy VMware Engine private clouds and private connections.

If opting in to VPC Service Controls on a newly created project without a private cloud or any private connections, you must specify custom key identifier values and provide the project numbers that you are planning to establish private connections to VPCs. If you are using the advanced policy, you must pre-specify the regions where you are planning to deploy private clouds.

When you create a service perimeter, you select one or more projects to be protected by the perimeter. Requests between projects within the same perimeter remain unaffected. All existing APIs continue to function as long as the resources involved are within the same service perimeter. Note the IAM roles and policies still apply within a service perimeter.

When a service is protected by a perimeter, requests cannot be made by the service inside the perimeter to any resource outside the perimeter. This includes exporting resources from inside to outside the perimeter. For more information, see Overview in the VPC Service Controls documentation.

The workaround described in this document achieves the security benefits by allowing you to:

  • Consume VMware Engine via the existing UI/API.
  • Keep Internet access disabled from VMware Engine private clouds (once opted in).
  • Only services supporting restricted APIs are permitted from VMware Engine (once opted in).
  • Block private Google Cloud API access from VMware Engine by withdrawing the corresponding route (once opted in).
  • Block new private connections from being created (once opted in).

Opting in to VPC Service Controls

Before you begin

  1. You must turn off Internet access to each private cloud before opting in to VPC Service Controls.
  2. Review and remove each private connection that is not configured with the same perimeter as the project where your VMware Engine service is enabled. VMware Engine does not validate existing private connections.
  3. Create all necessary private connections before opting in.
  4. Review Configuring ingress and egress policies for VPC Service Controls. You will configure new policies when you configure your key identifiers.

Opt in steps

  1. Access the VMware Engine portal.

  2. In the VPC-SC section under your Account, click Opt-in to VPC-SC Control (skip this step if you want to create a new private connection).

    • If you want to create a new private connection, edit the key identifiers and add a project number in the Peer Project Numbers with VPC Connectivity text box, and then select All Rules from either the basic or advanced policy.

  3. In the VPC-SC section, under Key Identifiers, click Basic Policy or Advanced Policy.

    • Basic Policy - The basic policy provides a complete set of rules that permits the VMware Engine service to be deployed in all regions while still remaining compliant and secure.

    • Advanced Policy - The advanced policy provides the strictest levels of rules within the VPC service policy framework. It specifies the finest grained service and method access and provides a breakout of rules if you have deployed VMware Engine in a separate project than the VPCs you are connecting to. The advanced policy restricts VMware Engine connectivity to regions in which VMware Engine is already connected or to regions selected in the key identifiers while editing policy.

  4. [Optional] Under Key Identifiers, click View/Edit Key Identifiers.

    1. Add your project number connected to either an existing private connection or a connection you may add in the future to the Peer Project Numbers with VPC Connectivity text box.

    2. Leave Interconnect Regional Attachments set to Any (deploys private clouds and private connections to all regions), or select Specific List (specifies specific projects).

    3. Leave Service Accounts for Firewall Access set to Any Identity (use when a private cloud is deployed in a new region), or select Specific List to enforce a stricter list of service accounts.

    4. Click Done to finish configuring the project.

  5. Copy the selected policy and follow the steps in Updating ingress and egress policies for a service perimeter to update your VPC Service Perimeter rules via the Google Cloud CLI.

    1. If using the Basic Policy, copy the ruleset.
    2. If using the Advanced Policy, copy the All Rules ruleset. The VPC and VMware Engine rules are displayed to facilitate the review of the ruleset.
    3. The ruleset is composed of an ingress and egress section. Each section is deployed separately.
    4. The gcloud access-context-manager perimeters update command replaces the existing ingress or egress rules. Ensure that all existing rules and the VMware Engine rules are included in the YAML files used to update the perimeter.

Limitations

  • The VMware Engine service cannot be configured as a restricted service in a VPC Service Controls policy and is not fully compliant with VPC Service Controls requirements. However, interim VMware Engine controls provide the same level of controls as offered in VPC Service Controls.
  • The customer is responsible for marking their project in VPC Service Controls mode on the VMware Engine UI. VMware Engine cannot automatically determine this selection based on the VPC Service Controls settings.
  • Private Connections can only be established before VPC Service Controls mode is enabled for the project in VMware Engine. If you want to add Private Connections after enabling VPC Service Controls mode, you must open a support ticket to remove VPC Service Controls mode for the project temporarily.

What's next