This page describes how to create service perimeter bridges.
Before you begin
- Read Overview of VPC Service Controls
- Read Service Perimeter Configuration
- Read Sharing across perimeters with bridges
Create a perimeter bridge
Console
To create a perimeter bridge:
In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.
If you are prompted, select your Organization.
At the top of the VPC Service Controls page, click New Perimeter.
On the New VPC Service Perimeter page, in the Perimeter Name box, type a name for the perimeter.
You can only search for a perimeter using its name, so we recommend using a unique name for the perimeter. You can't search for a perimeter using its ID.
Under Perimeter Type, select Perimeter Bridge.
Select the projects that you want to secure within the perimeter:
Click the Add Projects button.
In the Add projects window, in each row corresponding to a project that you want to add to the perimeter, select the checkbox.
Click the Add n Projects button, where n is the number of projects you selected in the previous step.
Click the Save button.
gcloud
To create a perimeter bridge, use the following command:
gcloud access-context-manager perimeters create BRIDGE_NAME \
  --title="BRIDGE_TITLE" \
  --perimeter-type=bridge \
  --resources=PROJECTS \
  --policy=POLICY_NAME
Where:
- BRIDGE_NAME is the name of the perimeter bridge you are creating.
- BRIDGE_TITLE is the title of the bridge.
- PROJECTS is a comma-delimited list of one or more project IDs. For example, projects/100712 or projects/100712,projects/233130. Only numeric IDs are supported. You cannot use the project name.
- POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.
API
To create a perimeter bridge, call accessPolicies.servicePerimeters.create.
POST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/servicePerimeters
Where:
- POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.
Request body
The request body must include a ServicePerimeter resource that defines the perimeter bridge. For the ServicePerimeter resource, specify PERIMETER_TYPE_BRIDGE for perimeterType.
Response body
If successful, the response body for the call contains an Operation resource that provides details about the POST operation.
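The following Python script is an added example, not code from Google's documentation or client libraries. It ties the gcloud and API sections together: it parses the comma-delimited PROJECTS value and rejects anything that is not a numeric project ID (the restriction stated above), builds the ServicePerimeter request body with perimeterType set to PERIMETER_TYPE_BRIDGE, and POSTs it to the accessPolicies.servicePerimeters endpoint shown on this page. It uses the page's example values (policy 330193482019, projects 100712 and 233130); the bridge name "example-bridge" is constructed. The resource name format accessPolicies/POLICY_NAME/servicePerimeters/BRIDGE_NAME and the status.resources field for the project list are assumptions about the ServicePerimeter resource, and the access token is assumed to come from gcloud auth print-access-token.

```python
"""Build and submit a VPC Service Controls perimeter-bridge request (added example)."""
import json
import re
import subprocess
import urllib.request

# The page states only numeric project IDs are accepted in --resources.
_PROJECT_RESOURCE = re.compile(r"^projects/\d+$")
# POLICY_NAME is the numeric name of the organization's access policy.
_POLICY_NAME = re.compile(r"^\d+$")

API_BASE = "https://accesscontextmanager.googleapis.com/v1"


def parse_projects(projects_arg: str) -> list:
    """Split a comma-delimited PROJECTS value and validate each entry.

    Raises ValueError if the list is empty or contains a project name
    (e.g. projects/my-project) instead of a numeric ID.
    """
    resources = [p.strip() for p in projects_arg.split(",") if p.strip()]
    if not resources:
        raise ValueError("PROJECTS must contain at least one project resource")
    bad = [p for p in resources if not _PROJECT_RESOURCE.match(p)]
    if bad:
        raise ValueError(f"only numeric project IDs are supported, got: {bad}")
    return resources


def build_bridge_perimeter(policy_name: str, bridge_name: str,
                           title: str, projects_arg: str) -> dict:
    """Return the ServicePerimeter request body for a perimeter bridge.

    Assumption: the resource name is accessPolicies/<policy>/servicePerimeters/<name>
    and the protected projects are listed under status.resources.
    """
    if not _POLICY_NAME.match(policy_name):
        raise ValueError("POLICY_NAME must be the numeric access policy name")
    return {
        "name": f"accessPolicies/{policy_name}/servicePerimeters/{bridge_name}",
        "title": title,
        "perimeterType": "PERIMETER_TYPE_BRIDGE",  # as stated on the page
        "status": {"resources": parse_projects(projects_arg)},
    }


def gcloud_access_token() -> str:
    """Assumption: reuse the caller's gcloud credentials for the REST call."""
    return subprocess.check_output(
        ["gcloud", "auth", "print-access-token"], text=True).strip()


def create_bridge(policy_name: str, body: dict, access_token: str) -> dict:
    """POST the body to accessPolicies.servicePerimeters.create.

    Returns the Operation resource from the response body; the call is
    asynchronous, so the caller should poll the operation until done is true.
    """
    url = f"{API_BASE}/accessPolicies/{policy_name}/servicePerimeters"
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        operation = json.load(resp)
    if operation.get("done") and "error" in operation:
        raise RuntimeError(f"perimeter bridge creation failed: {operation['error']}")
    return operation


if __name__ == "__main__":
    # Offline part: build and inspect the request body using the page's example values.
    request_body = build_bridge_perimeter(
        "330193482019", "example-bridge", "Example bridge",
        "projects/100712,projects/233130")
    print(json.dumps(request_body, indent=2))
    # Online part (requires gcloud credentials with Access Context Manager permissions):
    # print(create_bridge("330193482019", request_body, gcloud_access_token()))
```

The validation in parse_projects is the check worth keeping in any automation around this API: a project name slipped into the resource list produces a failed call rather than a bridge that silently omits a project, so catching it before the request is made keeps the perimeter definition reviewable.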