This page describes how to create a service perimeter.
Before you begin
Read the Overview of VPC Service Controls
Read about configuring service perimeters
Read about granting access to VPC Service Controls
If you want to configure external access to your protected services when you create your perimeter, create one or more access levels before you create the perimeter.
Creating a service perimeter
This section describes how to create a service perimeter, including how to include projects and protect services.
When you create a service perimeter, you can optionally allow access to protected services from outside the perimeter, and specify what services are accessible to other services and users inside the perimeter. If preferred, you can configure these settings after you create a perimeter.
After you create a service perimeter, it may take up to 30 minutes for the changes to propagate and take effect.
Console
In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.
If you are prompted, select your Organization. Perimeters cannot be created on the project level.
At the top of the VPC Service Controls page, select a perimeter mode. By default, Enforced Mode is selected. If you want to create a dry run perimeter, click Dry Run Mode.
Enforced perimeters actively prevent access to protected services. Dry run perimeters log violations of the perimeter as though services were protected, but do not prevent access to those services. For more information about the enforced and dry run modes, read about service perimeters.
Click New Perimeter.
On the New VPC Service Perimeter page, in the Perimeter Name box, type a name for the perimeter.
Select the projects that you want to secure within the perimeter:
Under Projects to protect, click Add Projects.
To add a project to the perimeter, in the Add Projects window, select that project's checkbox.
Click Add n Projects, where n is the number of projects you selected in the previous step.
Select the services that you want to secure within the perimeter:
Under Services to protect, click Add Services.
To secure services within the perimeter, in the Specify services to restrict window, select that service's checkbox.
Click Add n Services, where n is the number of services you selected in the previous step.
(Optional) If you want to define what services are accessible inside a perimeter (for example, from VMs in a VPC network hosted by one of the projects you previously selected):
Under VPC accessible services, click Add VPC Restricted Services. You can only make services accessible if you also protect them using the perimeter.
You can also add accessible services after a perimeter has been created.
In the Specify services to restrict window, in each row corresponding to a service that you want to make accessible inside your perimeter, select the checkbox.
Click Add n Services, where n is the number of services you selected in the previous step.
(Optional) If you want to allow requests to protected services from outside the perimeter:
Click the Choose Access Level box.
You can also add access levels after a perimeter has been created.
Select the checkboxes corresponding to the access levels that you want to apply to the service perimeter.
Click the Save button.
gcloud
To create a new perimeter, use the create command.

gcloud [beta] access-context-manager perimeters [dry-run] create NAME \
  --title=TITLE \
  --resources=PROJECTS \
  --restricted-services=RESTRICTED-SERVICES \
  [--levels=LEVELS] \
  [--enable-vpc-accessible-services] \
  [--add-vpc-allowed-services=ACCESSIBLE-SERVICES] \
  --policy=POLICY_NAME
Where:
- beta and dry-run are required only if you want to create the perimeter in dry run mode. For example: gcloud beta access-context-manager perimeters dry-run create ...
- NAME is the name of the perimeter.
- TITLE is the human-readable title of the perimeter.
- PROJECTS is a comma-separated list of one or more project numbers. For example: projects/12345 or projects/12345,projects/67890. Only project numbers are supported. You cannot use the project name or ID.
- RESTRICTED-SERVICES is a comma-separated list of one or more services. For example: storage.googleapis.com or storage.googleapis.com,bigquery.googleapis.com.
- POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019. You only need to include the policy name if you haven't set a default access policy.
Additional options:
- --levels is required only if you want to add access levels when you create the perimeter. LEVELS is a comma-separated list of one or more access levels that you want to apply to the service perimeter. You can also add access levels after you create the perimeter.
- --enable-vpc-accessible-services and --add-vpc-allowed-services are required only if you want to add VPC accessible services when you create the perimeter. ACCESSIBLE-SERVICES is a comma-separated list of one or more services that you want to allow networks inside your perimeter to access. Access to any services that are not included in this list will be prevented. You can only make a service accessible if you also protect it when configuring the perimeter. To quickly include all of the services protected by a perimeter, specify RESTRICTED-SERVICES in the list for ACCESSIBLE-SERVICES. For example, --add-vpc-allowed-services=RESTRICTED-SERVICES. You can also define VPC accessible services after you create the perimeter.
For example, the following command creates a new perimeter named ProdPerimeter that includes projects example-project and example-project2, and restricts the Cloud Storage and BigQuery APIs.

gcloud access-context-manager perimeters \
  create ProdPerimeter --title="Production Perimeter" \
  --resources=projects/12345,projects/67890 \
  --restricted-services=storage.googleapis.com,bigquery.googleapis.com \
  --policy=330193482019
API
To create a service perimeter, call accessPolicies.servicePerimeters.create.
POST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/servicePerimeters
Where:
- POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.
Request body
The request body must include a ServicePerimeter resource that defines the service perimeter.
For the ServicePerimeter resource, specify PERIMETER_TYPE_REGULAR for perimeterType.
Dry Run Mode
To create the perimeter in dry run mode, include the proposed perimeter configuration as the spec and set useExplicitDryRunSpec to true.
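As an added example (not code from the Google Cloud documentation), the following Python builds the ServicePerimeter request body for either an enforced or a dry run perimeter and checks the constraints this page states before anything is sent: project numbers only, VPC accessible services must already be restricted services (or use the RESTRICTED-SERVICES shortcut), and a dry run configuration goes in spec with useExplicitDryRunSpec set to true. It assumes the v1 ServicePerimeter field names status, resources, restrictedServices, accessLevels and vpcAccessibleServices; the policy and project numbers are the page's own sample values.

```python
import json
import re

PROJECT_RE = re.compile(r"^projects/\d+$")       # project numbers only, never IDs
SERVICE_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.googleapis\.com$")
ALL_RESTRICTED = "RESTRICTED-SERVICES"           # shortcut token for allowedServices

def create_url(policy_name):
    """URL for accessPolicies.servicePerimeters.create (v1)."""
    return ("https://accesscontextmanager.googleapis.com/v1/"
            f"accessPolicies/{policy_name}/servicePerimeters")

def build_perimeter_body(policy_name, name, title, projects, restricted_services,
                         access_levels=(), vpc_accessible_services=None, dry_run=False):
    """Return the ServicePerimeter resource (a dict) for the POST request body.

    Raises ValueError for input the API rejects (project IDs) or that would
    silently weaken the perimeter (an accessible service that is not protected).
    """
    bad = [p for p in projects if not PROJECT_RE.match(p)]
    if bad:
        raise ValueError(f"use projects/<NUMBER>, not a project ID: {bad}")
    bad = [s for s in restricted_services if not SERVICE_RE.match(s)]
    if bad:
        raise ValueError(f"not a service name like storage.googleapis.com: {bad}")
    config = {"resources": list(projects),
              "restrictedServices": list(restricted_services)}
    if access_levels:   # access levels are referenced by their full resource name
        config["accessLevels"] = [f"accessPolicies/{policy_name}/accessLevels/{lvl}"
                                  for lvl in access_levels]
    if vpc_accessible_services is not None:
        unprotected = (set(vpc_accessible_services) - {ALL_RESTRICTED}
                       - set(restricted_services))
        if unprotected:
            raise ValueError(f"accessible but not restricted: {sorted(unprotected)}")
        config["vpcAccessibleServices"] = {"enableRestriction": True,
                                           "allowedServices": list(vpc_accessible_services)}
    body = {"name": f"accessPolicies/{policy_name}/servicePerimeters/{name}",
            "title": title, "perimeterType": "PERIMETER_TYPE_REGULAR"}
    if dry_run:                  # proposed configuration lives in spec, not status
        body["spec"] = config
        body["useExplicitDryRunSpec"] = True
    else:                        # enforced perimeter: configuration is the live status
        body["status"] = config
    return body

if __name__ == "__main__":
    # Constructed call using the page's sample policy and project numbers.
    body = build_perimeter_body("330193482019", "ProdPerimeter", "Production Perimeter",
                                ["projects/12345", "projects/67890"],
                                ["storage.googleapis.com", "bigquery.googleapis.com"],
                                vpc_accessible_services=[ALL_RESTRICTED], dry_run=True)
    print(create_url("330193482019"))
    print(json.dumps(body, indent=2))
```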
Response body
If successful, the response body for the call contains an Operation resource that provides details about the POST operation.
What's next
- Learn how to manage existing security perimeters.