VPC Service Controls with VMware Engine

To further protect your Google Cloud VMware Engine resources, you can protect them using VPC Service Controls.

VPC Service Controls lets you define a security perimeter for your VMware Engine resources. The service perimeter limits exporting and importing of resources and their associated data to within the defined perimeter. Google recommends creating your service perimeter and adding VMware Engine to the Restricted Services before creating your first Private Cloud.

When you create a service perimeter, you select one or more projects to be protected by the perimeter. Requests between projects within the same perimeter remain unaffected. All existing APIs continue to function as long as the resources involved are within the same service perimeter. Note the IAM roles and policies still apply within a service perimeter.

When a service is protected by a perimeter, requests cannot be made by the service inside the perimeter to any resource outside the perimeter. This includes exporting resources from inside to outside the perimeter. For more information, see Overview in the VPC Service Controls documentation.

In order to ensure VPC Service Controls works for VMware Engine, you must add the VMware Engine service to the Restricted Services within VPC Service Controls.

Limitations

  • When adding existing VMware Engine, Private Clouds, Network Policies, and VPC Peering to a VPC Service Perimeter, Google does not check previously created resources to see if they still comply with the perimeter's policies.

Expected behaviors

  • Creating VPC Peering to a VPC outside of the perimeter will be blocked.
  • Use of VMware Engine workload internet access service will be blocked.
  • Use of External IP address service will be blocked.
  • Only the restricted Google APIs IPs will be available - 199.36.153.4/30.

Add VMware Engine to allowed VPC Service Controls

To add the VMware Engine service to the allowed VPC Service Controls, you can follow these steps in the Google Cloud console:

  1. Go to the VPC Service Controls page.
  2. Click the name of the perimeter that you want to modify.
  3. On the Edit VPC Service Perimeter page, click the Restricted Services tab.
  4. Click Add Services.
  5. In the Specify services to restrict section, check the field for VMware Engine. If not already selected, check the fields for Compute Engine API and Cloud DNS API.
  6. Click Add Services.
  7. Click Save.

What's next