Creating a service perimeter

This page describes how to create a service perimeter.

Before you begin

Creating a service perimeter

This section describes how to create a service perimeter, including how to include projects and protect services.

When you create a service perimeter, you can optionally allow access to protected services from outside the perimeter, and specify what services are accessible to other services and users inside the perimeter. If preferred, you can configure these settings after you create a perimeter.

After you create a service perimeter, it may take up to 30 minutes for the changes to propagate and take effect.

Console

  1. In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.


  2. If you are prompted, select your Organization. Perimeters cannot be created on the project level.

  3. At the top of the VPC Service Controls page, select a perimeter mode. By default, Enforced Mode is selected. If you want to create a dry run perimeter, click Dry Run Mode.

    Enforced perimeters actively prevent access to protected services. Dry run perimeters log violations of the perimeter as though services were protected, but do not prevent access to those services. For more information about the enforced and dry run modes, read about service perimeters.

  4. Click New Perimeter.

  5. On the New VPC Service Perimeter page, in the Perimeter Name box, type a name for the perimeter.

  6. Select the projects that you want to secure within the perimeter:

    1. Under Projects to protect, click Add Projects.

    2. To add a project to the perimeter, in the Add Projects window, select that project's checkbox.

    3. Click Add n Projects, where n is the number of projects you selected in the previous step.

  7. Select the services that you want to secure within the perimeter:

    1. Under Services to protect, click Add Services.

    2. In the Specify services to restrict window, select the checkbox of each service that you want to secure within the perimeter.

    3. Click Add n Services, where n is the number of services you selected in the previous step.

  8. (Optional) If you want to define what services are accessible inside a perimeter (for example, from VMs in a VPC network hosted by one of the projects you previously selected):

    1. Under VPC accessible services, click Add VPC Restricted Services. You can only make services accessible if you also protect them using the perimeter.

      You can also add accessible services after a perimeter has been created.

    2. In the Specify services to restrict window, in each row corresponding to a service that you want to make accessible inside your perimeter, select the checkbox.

    3. Click Add n Services, where n is the number of services you selected in the previous step.

  9. (Optional) If you want to allow requests to protected services from outside the perimeter:

    1. Click the Choose Access Level box.

      You can also add access levels after a perimeter has been created.

    2. Select the checkboxes corresponding to the access levels that you want to apply to the service perimeter.

  10. Click the Save button.

gcloud

To create a new perimeter, use the create command.

gcloud [beta] access-context-manager perimeters [dry-run] create NAME \
  --title=TITLE \
  --resources=PROJECTS \
  --restricted-services=RESTRICTED-SERVICES \
  [--levels=LEVELS] \
  [--enable-vpc-accessible-services] \
  [--add-vpc-allowed-services=ACCESSIBLE-SERVICES] \
  --policy=POLICY_NAME

Where:

  • beta and dry-run are required only if you want to create the perimeter in dry run mode. For example: gcloud beta access-context-manager perimeters dry-run create ....

  • NAME is the name of the perimeter.

  • TITLE is the human-readable title of the perimeter.

  • PROJECTS is a comma-separated list of one or more project numbers. For example: projects/12345 or projects/12345,projects/67890. Only project numbers are supported. You cannot use the project name or ID.

  • RESTRICTED-SERVICES is a comma-separated list of one or more services. For example: storage.googleapis.com or storage.googleapis.com,bigquery.googleapis.com.

  • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019. You only need to include the policy name if you haven't set a default access policy.

Additional options:

  • --levels is required only if you want to add access levels when you create the perimeter. LEVELS is a comma-separated list of one or more access levels that you want to apply to the service perimeter.

    You can also add access levels after you create the perimeter.

  • --enable-vpc-accessible-services and --add-vpc-allowed-services are required only if you want to add VPC accessible services when you create the perimeter. ACCESSIBLE-SERVICES is a comma-separated list of one or more services that you want to allow networks inside your perimeter to access. Access to any services that are not included in this list will be prevented.

    You can only make a service accessible if you also protect it when configuring the perimeter.

    To quickly include all of the services protected by a perimeter, specify RESTRICTED-SERVICES in the list for ACCESSIBLE-SERVICES. For example, --add-vpc-allowed-services=RESTRICTED-SERVICES.

    You can also define VPC accessible services after you create the perimeter.

For example, the following command creates a new perimeter named ProdPerimeter that includes the projects example-project and example-project2 (referenced by their project numbers, 12345 and 67890, because project names and IDs are not accepted), and restricts the Cloud Storage and BigQuery APIs.

gcloud access-context-manager perimeters \
  create ProdPerimeter --title="Production Perimeter" \
  --resources=projects/12345,projects/67890 \
  --restricted-services=storage.googleapis.com,bigquery.googleapis.com \
  --policy=330193482019

API

To create a service perimeter, call accessPolicies.servicePerimeters.create.

POST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/servicePerimeters

Where:

  • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.

Request body

The request body must include a ServicePerimeter resource that defines the service perimeter.

For the ServicePerimeter resource, specify PERIMETER_TYPE_REGULAR for perimeterType.

Dry Run Mode

To create the perimeter in dry run mode, place the proposed perimeter configuration in the spec field instead of status, and set useExplicitDryRunSpec to true.
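The following Python helper is an added example, not code from this page or from Google. It assembles the request body for accessPolicies.servicePerimeters.create and enforces the constraints stated above for the gcloud flags and the API: resources must be project numbers (projects/NUMBER), VPC accessible services must be a subset of the restricted services, and a dry run perimeter carries its configuration in spec with useExplicitDryRunSpec set to true rather than in status. The function names build_service_perimeter and create_url are hypothetical; the policy number 330193482019 and project numbers 12345 and 67890 are the constructed values used in the page's own gcloud example.

```python
"""Build and validate a ServicePerimeter request body for the
Access Context Manager v1 API (added example, not Google's code)."""
import json
import re

# The API accepts only project numbers as perimeter resources, never names or IDs.
PROJECT_NUMBER_RE = re.compile(r"^projects/\d+$")


def create_url(policy_name):
    """Endpoint for accessPolicies.servicePerimeters.create."""
    return (f"https://accesscontextmanager.googleapis.com/v1/"
            f"accessPolicies/{policy_name}/servicePerimeters")


def build_service_perimeter(policy_name, name, title, projects, restricted_services,
                            levels=(), accessible_services=None, dry_run=False):
    """Return a ServicePerimeter body (a dict ready for json.dumps).

    levels: short access level names; expanded to full resource names.
    accessible_services: services reachable from inside the perimeter
    (VPC accessible services). None leaves the feature disabled.
    dry_run: put the configuration in spec + useExplicitDryRunSpec
    instead of status, so violations are logged but not enforced.
    """
    for project in projects:
        if not PROJECT_NUMBER_RE.match(project):
            raise ValueError(
                f"{project!r} is not projects/<PROJECT_NUMBER>; names and IDs are rejected")
    if not restricted_services:
        raise ValueError("a perimeter must restrict at least one service")

    if accessible_services is not None:
        # A service can only be made accessible if the perimeter also protects it.
        unprotected = sorted(set(accessible_services) - set(restricted_services))
        if unprotected:
            raise ValueError(
                f"accessible services must also be restricted: {unprotected}")

    config = {
        "resources": list(projects),
        "restrictedServices": list(restricted_services),
    }
    if levels:
        config["accessLevels"] = [
            f"accessPolicies/{policy_name}/accessLevels/{level}" for level in levels]
    if accessible_services is not None:
        config["vpcAccessibleServices"] = {
            "enableRestriction": True,
            "allowedServices": list(accessible_services),
        }

    body = {
        "name": f"accessPolicies/{policy_name}/servicePerimeters/{name}",
        "title": title,
        "perimeterType": "PERIMETER_TYPE_REGULAR",
    }
    if dry_run:
        body["spec"] = config
        body["useExplicitDryRunSpec"] = True
    else:
        body["status"] = config
    return body


if __name__ == "__main__":
    # Constructed input mirroring the page's gcloud example, in dry run mode.
    body = build_service_perimeter(
        policy_name="330193482019",
        name="ProdPerimeter",
        title="Production Perimeter",
        projects=["projects/12345", "projects/67890"],
        restricted_services=["storage.googleapis.com", "bigquery.googleapis.com"],
        accessible_services=["storage.googleapis.com"],
        dry_run=True,
    )
    print("POST", create_url("330193482019"))
    print(json.dumps(body, indent=2))
```

Send the printed body as the JSON payload of the POST request; the same body with dry_run=False produces the enforced form, which differs only in using status instead of spec and omitting useExplicitDryRunSpec.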

Response body

If successful, the response body for the call contains an Operation resource that provides details about the POST operation.

What's next