Creating a service perimeter

This page describes how to create a service perimeter.

Before you begin

Creating a service perimeter

This section describes how to create a service perimeter that does not allow external access to services protected by the perimeter. If you want to create a service perimeter that permits limited external access, refer to Enabling controlled access when creating a perimeter.

After you create a service perimeter, it may take up to 30 minutes for the changes to propagate and take effect.

Console

  1. In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.


  2. If you are prompted, select your Organization.

  3. At the top of the VPC Service Controls page, click New Perimeter.

  4. On the New VPC Service Perimeter page, in the Perimeter Name box, type a name for the perimeter.

  5. Select the projects that you want to secure within the perimeter:

    1. Click the Add Projects button.

    2. In the Add Projects window, select the checkbox in each row that corresponds to a project that you want to add to the perimeter.

    3. Click the Add n Projects button, where n is the number of projects you selected in the previous step.

  6. Select the services that you want to secure within the perimeter:

    1. Click the Add Services button.

    2. In the Specify services to restrict window, in each row corresponding to a service that you want to protect, select the checkbox.

    3. Click the Add n Services button, where n is the number of services you selected in the previous step.

  7. Click the Save button.

gcloud

To create a new perimeter, use the create command.

gcloud access-context-manager perimeters \
  create NAME --title=TITLE \
  --resources=PROJECTS \
  --restricted-services=SERVICES \
  --policy=POLICY_NAME

Where:

  • NAME is the name of the perimeter.

  • TITLE is the human-readable title of the perimeter.

  • PROJECTS is a comma-delimited list of one or more project numbers, each in the form projects/PROJECT_NUMBER. For example: projects/12345 or projects/12345,projects/67890. Only project numbers are supported; you cannot use the project ID or the project name.

  • SERVICES is a comma-delimited list of one or more services. For example: storage.googleapis.com or storage.googleapis.com,bigquery.googleapis.com.

  • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.

For example, the following command creates a new perimeter named ProdPerimeter that includes the projects with project numbers 12345 and 67890, and restricts the Cloud Storage and BigQuery APIs.

gcloud access-context-manager perimeters \
  create ProdPerimeter --title="Production Perimeter" \
  --resources=projects/12345,projects/67890 \
  --restricted-services=storage.googleapis.com,bigquery.googleapis.com \
  --policy=330193482019

API

To create a service perimeter, call accessPolicies.servicePerimeters.create.

POST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/servicePerimeters

Where:

  • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.

Request body

The request body must include a ServicePerimeter resource that defines the service perimeter.

For the ServicePerimeter resource, specify PERIMETER_TYPE_REGULAR for perimeterType.

Response body

If successful, the response body for the call contains an Operation resource that provides details about the POST operation.
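The shape of the request is easier to get right with a script that assembles the ServicePerimeter resource and sends it. The following shell script is an added example, not code from the Google Cloud documentation. The policy number 330193482019, the project numbers 12345 and 67890 and the access level name corp_devices are placeholders (assumptions). The resource name accessPolicies/POLICY/servicePerimeters/NAME and the full access-level name accessPolicies/POLICY/accessLevels/LEVEL follow the Access Context Manager API naming; the request is only sent when DRY_RUN=0, so the script runs offline by default.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: build the
# ServicePerimeter request body for accessPolicies.servicePerimeters.create
# and POST it with curl. The policy number, project numbers and access level
# are placeholders (assumptions); the request is only sent when DRY_RUN=0.

# Turn a comma-separated list into a JSON array of strings: a,b -> ["a","b"].
# An empty list yields []. Items are assumed to need no JSON escaping.
json_array() {
  old_ifs=$IFS
  IFS=,
  out=""
  for item in $1; do
    if [ -n "$out" ]; then out="$out,"; fi
    out="$out\"$item\""
  done
  IFS=$old_ifs
  printf '[%s]' "$out"
}

# Print the ServicePerimeter resource as compact JSON.
# Arguments: POLICY NAME TITLE PROJECTS SERVICES [LEVELS]
# perimeterType is always PERIMETER_TYPE_REGULAR here (a bridge perimeter
# is a different resource). Access levels are referenced by their full
# resource name accessPolicies/POLICY/accessLevels/LEVEL.
perimeter_request_body() {
  policy=$1; name=$2; title=$3; projects=$4; services=$5; levels=$6
  level_names=""
  if [ -n "$levels" ]; then
    old_ifs=$IFS; IFS=,
    for l in $levels; do
      if [ -n "$level_names" ]; then level_names="$level_names,"; fi
      level_names="${level_names}accessPolicies/$policy/accessLevels/$l"
    done
    IFS=$old_ifs
  fi
  printf '{"name":"accessPolicies/%s/servicePerimeters/%s","title":"%s","perimeterType":"PERIMETER_TYPE_REGULAR","status":{"resources":%s,"restrictedServices":%s,"accessLevels":%s}}\n' \
    "$policy" "$name" "$title" \
    "$(json_array "$projects")" "$(json_array "$services")" "$(json_array "$level_names")"
}

# POST the body. The response is an Operation, so creation is asynchronous:
# poll the operation or describe the perimeter before relying on enforcement.
create_perimeter() {
  policy=$1; body=$2
  curl -sS -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json" \
    -d "$body" \
    "https://accesscontextmanager.googleapis.com/v1/accessPolicies/$policy/servicePerimeters"
}

# Stand-alone run: prints the body; set DRY_RUN=0 to send the request.
DRY_RUN=${DRY_RUN:-1}
body=$(perimeter_request_body 330193482019 ProdPerimeter "Production Perimeter" \
  projects/12345,projects/67890 storage.googleapis.com,bigquery.googleapis.com corp_devices)
if [ "$DRY_RUN" = 1 ]; then
  printf 'dry run, request body:\n%s\n' "$body"
else
  create_perimeter 330193482019 "$body"
fi
```

Leave the LEVELS argument empty to get a perimeter with no external access (accessLevels is then an empty array); the body builder does not escape JSON, so titles are assumed to contain no double quotes or backslashes.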

Enabling controlled access when creating a perimeter

You can also apply one or more access levels when creating a new perimeter. If preferred, access levels can also be added after a service perimeter is created.

After you create a service perimeter, it may take up to 30 minutes for the changes to propagate and take effect.

Before you begin

Identify or create access levels that you want to apply to your service perimeters.

Console

  1. In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.


  2. If you are prompted, select your Organization.

  3. At the top of the VPC Service Controls page, click New Perimeter.

  4. On the New VPC Service Perimeter page, in the Perimeter Name box, type a name for the perimeter.

  5. Select the projects that you want to secure within the perimeter:

    1. Click the Add Projects button.

    2. In the Add Projects window, select the checkbox in each row that corresponds to a project that you want to add to the perimeter.

    3. Click the Add n Projects button, where n is the number of projects you selected in the previous step.


  6. Select the services that you want to secure within the perimeter:

    1. Click the Add Services button.

    2. In the Specify services to restrict window, in each row corresponding to a service that you want to protect, select the checkbox.

    3. Click the Add n Services button, where n is the number of services you selected in the previous step.


  7. Click the Choose Access Level box.

  8. Select the checkboxes corresponding to the access levels that you want to apply to the service perimeter.

  9. Click the Save button.

gcloud

To apply access levels when you create a service perimeter, use the create command:

gcloud access-context-manager perimeters \
  create NAME --title=TITLE \
  --resources=PROJECTS \
  --restricted-services=SERVICES \
  --access-levels=LEVELS \
  --policy=POLICY_NAME

Where:

  • NAME is the name of the perimeter.

  • TITLE is the human-readable title of the perimeter.

  • PROJECTS is a comma-delimited list of one or more project numbers, each in the form projects/PROJECT_NUMBER. For example: projects/12345 or projects/12345,projects/67890. Only project numbers are supported; you cannot use the project ID or the project name.

  • SERVICES is a comma-delimited list of one or more services. For example: storage.googleapis.com or storage.googleapis.com,bigquery.googleapis.com.

  • LEVELS is a comma-delimited list of one or more access levels that you want to apply to the service perimeter.

  • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.
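Both gcloud forms on this page (the closed perimeter in the first gcloud section and the perimeter with access levels here) are the same create command with or without --access-levels, and the most common way to get it wrong is to pass project IDs instead of project numbers. The following shell script is an added example, not code from the Google Cloud documentation: it checks the --resources list locally, assembles the command for either form, and reads the perimeter back after creation. The project numbers 12345 and 67890, the policy number 330193482019 and the access level name corp_devices are placeholders (assumptions); by default the script only prints the command, so it runs without gcloud installed.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: validate the inputs
# to `gcloud access-context-manager perimeters create` and assemble the command
# before running it. The project numbers, policy number and access level name
# below are placeholders (assumptions); DRY_RUN=1 (the default) only prints
# the command, so the script runs without gcloud installed.

# Succeed only if every comma-separated entry is projects/<number>. VPC Service
# Controls takes project numbers, not project IDs, so a value such as
# projects/my-project fails here instead of in a rejected create call.
validate_resources() {
  old_ifs=$IFS
  IFS=,
  for entry in $1; do
    case $entry in
      projects/*[!0-9]*) IFS=$old_ifs; return 1 ;;   # non-digit after the prefix
      projects/[0-9]*) ;;                           # projects/12345: accepted
      *) IFS=$old_ifs; return 1 ;;                  # missing prefix or empty
    esac
  done
  IFS=$old_ifs
  return 0
}

# Print the create command. Arguments: NAME TITLE PROJECTS SERVICES POLICY [LEVELS]
# TITLE is assumed not to contain double quotes.
build_create_cmd() {
  name=$1; title=$2; projects=$3; services=$4; policy=$5; levels=$6
  if ! validate_resources "$projects"; then
    echo "error: --resources must list project numbers (projects/12345), got: $projects" >&2
    return 1
  fi
  cmd="gcloud access-context-manager perimeters create $name --title=\"$title\""
  cmd="$cmd --resources=$projects --restricted-services=$services --policy=$policy"
  # --access-levels is optional; leave it out for a perimeter with no external access.
  if [ -n "$levels" ]; then
    cmd="$cmd --access-levels=$levels"
  fi
  printf '%s\n' "$cmd"
}

# Read the perimeter back so the saved resources, services and access levels
# can be compared with what was requested. Changes can take up to 30 minutes
# to take effect, so this confirms the stored configuration, not enforcement.
describe_perimeter() {
  gcloud access-context-manager perimeters describe "$1" --policy="$2" \
    --format='yaml(status.resources,status.restrictedServices,status.accessLevels)'
}

# Stand-alone run: prints the command; set DRY_RUN=0 to execute it with gcloud.
DRY_RUN=${DRY_RUN:-1}
cmd=$(build_create_cmd ProdPerimeter "Production Perimeter" \
  projects/12345,projects/67890 \
  storage.googleapis.com,bigquery.googleapis.com \
  330193482019 corp_devices) || exit 1
if [ "$DRY_RUN" = 1 ]; then
  printf 'dry run: %s\n' "$cmd"
else
  eval "$cmd" && describe_perimeter ProdPerimeter 330193482019
fi
```

Omit the last argument to build the closed-perimeter form from the first gcloud section. If you only know a project ID, `gcloud projects describe PROJECT_ID --format='value(projectNumber)'` returns the number to use in --resources.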

What's next