Creating a perimeter bridge

This page describes how to create service perimeter bridges.

Before you begin

Create a perimeter bridge

Console

  1. In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.

  2. If you are prompted, select your organization.

  3. On the VPC Service Controls page, click New perimeter.

  4. On the Create a service perimeter page, in the Title field, enter a name for the perimeter.

    You can search for a perimeter only by its name, not by its ID, so give the perimeter a unique name.

  5. Optional: In the Description field, enter a description for the perimeter.

  6. For Perimeter type, select Bridge.

  7. For Enforcement mode, select a perimeter enforcement mode. The available options are Dry run and Enforced.

    For more information about the dry run and enforced modes, see Service perimeter details and configuration.

  8. Click Continue.

  9. Select the projects that you want to include in the bridge. Each project must already belong to a regular service perimeter; a bridge only allows projects in different regular perimeters to communicate, it does not protect them on its own:

    1. Click Add projects.

    2. In the Add projects pane, in each row corresponding to a project that you want to add to the perimeter, select the checkbox.

    3. Click Add selected projects.

  10. Click Create.

gcloud

To create a perimeter bridge, use the following command:

gcloud access-context-manager perimeters create BRIDGE_NAME \
  --title="BRIDGE_TITLE" --perimeter-type=bridge \
  --resources=PROJECTS \
  --policy=POLICY_NAME

Where:

  • BRIDGE_NAME is the name of the perimeter bridge you are creating.

  • BRIDGE_TITLE is the title of the bridge.

  • PROJECTS is a comma-delimited list of one or more projects, each given as projects/PROJECT_NUMBER. For example: projects/100712 or projects/100712,projects/233130. Only the numeric project number is supported; you cannot use the project ID or the project name.

  • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.

API

To create a perimeter bridge, call accessPolicies.servicePerimeters.create.

POST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/servicePerimeters

Where:

  • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.

Request body

The request body must include a ServicePerimeter resource that defines the perimeter bridge.

For the ServicePerimeter resource, specify PERIMETER_TYPE_BRIDGE for perimeterType, and list the projects to bridge in status.resources as projects/PROJECT_NUMBER. A bridge carries only resources; restricted services and access levels are configured on the regular perimeters.

Response body

If successful, the response body for the call contains an Operation resource that provides details about the POST operation.
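The following Python script is an added example, not code from the page or from Google, that ties the gcloud and API sections together: it builds the request body for accessPolicies.servicePerimeters.create (and the equivalent gcloud command) while enforcing the two checks a practitioner wants before opening a bridge: every resource is a numeric projects/PROJECT_NUMBER reference, and every project already sits in a regular perimeter. The policy name, perimeter list and project numbers are constructed sample data; the bridge short-name regex is an assumption, since the service enforces its own naming rule. The script only builds the request; it does not call the API.

```python
import json
import re

# Assumed numeric access-policy name for this example.
POLICY_NAME = "330193482019"
API_BASE = "https://accesscontextmanager.googleapis.com/v1"

# Constructed sample of what accessPolicies.servicePerimeters.list returns,
# trimmed to the fields used here. Not real data.
EXISTING_PERIMETERS = [
    {"name": f"accessPolicies/{POLICY_NAME}/servicePerimeters/prod_data",
     "perimeterType": "PERIMETER_TYPE_REGULAR",
     "status": {"resources": ["projects/100712"]}},
    {"name": f"accessPolicies/{POLICY_NAME}/servicePerimeters/analytics",
     "perimeterType": "PERIMETER_TYPE_REGULAR",
     "status": {"resources": ["projects/233130", "projects/455001"]}},
    {"name": f"accessPolicies/{POLICY_NAME}/servicePerimeters/old_bridge",
     "perimeterType": "PERIMETER_TYPE_BRIDGE",
     "status": {"resources": ["projects/100712", "projects/455001"]}},
]

# The page's rule: only numeric project numbers, never project IDs or names.
PROJECT_RESOURCE = re.compile(r"^projects/\d+$")
# Assumed short-name rule (letter first, then letters, digits, underscores).
SHORT_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,49}$")


def regular_perimeter_for(project, perimeters):
    """Return the name of the regular perimeter containing `project`, or None."""
    for p in perimeters:
        if p.get("perimeterType") != "PERIMETER_TYPE_REGULAR":
            continue  # membership in another bridge does not count
        if project in p.get("status", {}).get("resources", []):
            return p["name"]
    return None


def build_bridge_request(bridge_name, title, projects, perimeters, description=""):
    """Validate the inputs and return (url, body, perimeters_spanned).

    Raises ValueError for non-numeric project references and for projects
    that are not yet in a regular perimeter (a VPC SC requirement for bridges).
    """
    if not SHORT_NAME.match(bridge_name):
        raise ValueError(f"invalid bridge name: {bridge_name!r}")
    if not projects:
        raise ValueError("a bridge needs at least one project")
    spanned = set()
    for proj in projects:
        if not PROJECT_RESOURCE.match(proj):
            raise ValueError(f"{proj!r}: use projects/PROJECT_NUMBER, not a project ID")
        owner = regular_perimeter_for(proj, perimeters)
        if owner is None:
            raise ValueError(f"{proj}: not in any regular perimeter; add it to one first")
        spanned.add(owner)
    body = {
        "name": f"accessPolicies/{POLICY_NAME}/servicePerimeters/{bridge_name}",
        "title": title,
        "description": description,
        "perimeterType": "PERIMETER_TYPE_BRIDGE",
        # A bridge carries only resources; restricted services and access
        # levels belong to the regular perimeters.
        "status": {"resources": list(projects)},
    }
    url = f"{API_BASE}/accessPolicies/{POLICY_NAME}/servicePerimeters"
    return url, body, spanned


def gcloud_command(bridge_name, title, projects):
    """The equivalent gcloud invocation, as a single string."""
    return (
        f"gcloud access-context-manager perimeters create {bridge_name} "
        f'--title="{title}" --perimeter-type=bridge '
        f"--resources={','.join(projects)} --policy={POLICY_NAME}"
    )


if __name__ == "__main__":
    url, body, spanned = build_bridge_request(
        "prod_to_analytics", "Prod to analytics",
        ["projects/100712", "projects/233130"], EXISTING_PERIMETERS)
    print("POST", url)
    print(json.dumps(body, indent=2))
    print("perimeters bridged:", sorted(spanned))
    print(gcloud_command("prod_to_analytics", "Prod to analytics",
                         body["status"]["resources"]))
```

The returned set of spanned perimeters is worth reviewing before you submit: a bridge whose projects all come from one regular perimeter does nothing useful, and one that spans a sensitive perimeter is a deliberate widening of its boundary that should go through the same review as the perimeter itself.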