Creating a service perimeter

This page describes how to create a service perimeter.

Before you begin

Creating a service perimeter

This section describes how to create a service perimeter, add projects to the perimeter, and protect services.

When you create a service perimeter, you can optionally allow access to protected services from outside the perimeter, and specify what services are accessible to other services and users inside the perimeter. If preferred, you can configure these settings after you create a perimeter.

After you create a service perimeter, it may take up to 30 minutes for the changes to propagate and take effect.

Console

  1. In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.

  2. If you are prompted, select your organization. Perimeters cannot be created at the project level.

  3. At the top of the VPC Service Controls page, select a perimeter mode. By default, Enforced Mode is selected. If you want to create a dry run perimeter, click Dry Run Mode.

    Enforced perimeters actively prevent access to protected services. Dry run perimeters log violations of the perimeter as though services were protected, but do not prevent access to those services. For more information about the enforced and dry run modes, read about service perimeters.

  4. Click New Perimeter.

  5. On the New VPC Service Perimeter page, in the Perimeter Name box, type a name for the perimeter.

  6. Select the projects that you want to secure within the perimeter:

    1. Under Projects to protect, click Add projects.

    2. To add a project to the perimeter, in the Add projects window, select that project's checkbox.

    3. Click Add projects. A message appears that n projects were added, where n is the number of projects you selected.

    4. Click Done. The added projects appear under Projects to protect.

  7. Select the services that you want to secure within the perimeter:

    1. Under Services to protect, click Add services.

    2. In the Specify services to restrict window, select the checkbox of each service that you want to secure within the perimeter.

    3. Click Add n services, where n is the number of services you selected in the previous step.

  8. To allow access from an API client outside the service perimeter to resources within a service perimeter, add an ingress rule and specify the rule attributes:

    1. In the left menu, click Ingress policy.

    2. Under Ingress rules, click Add rule.

    3. Specify the required From attributes of the API client and the To attributes of the Google Cloud resources and services that the rule should allow access to.

      For a list of ingress rule attributes, see Ingress rules reference.

  9. To allow access that involves an API client or resources within the service perimeter to resources outside a service perimeter, add an egress rule and specify the rule attributes:

    1. In the left menu, click Egress policy.

    2. Under Egress rules, click Add rule.

    3. Specify the required From attributes of the API client or resources inside the perimeter and the To attributes of the Google Cloud resources and services outside the perimeter that the rule should allow access to.

      For a list of egress rule attributes, see Egress rules reference.

  10. Optional: If you want to define what services are accessible inside a perimeter (for example, from VMs in a VPC network hosted by one of the projects you previously selected), perform the following steps:

    1. Under VPC accessible services, select Selected services.

      To quickly add the restricted services protected by the perimeter to the list of accessible services, select Include all restricted services. You can still add other services in addition to the restricted services.

    2. Click Add VPC accessible services.

      You can also add accessible services after a perimeter has been created.

    3. In the Specify accessible services page, select the service that you want to make accessible inside your perimeter.

    4. Click Add n services, where n is the number of services you selected in the previous step.

  11. Optional: If you want to allow requests to protected services from outside the perimeter, perform the following steps:

    1. Click the Choose Access Level box.

      You can also add access levels after a perimeter has been created.

    2. Select the checkboxes corresponding to the access levels that you want to apply to the service perimeter.

  12. Click Create perimeter.

gcloud

To create a new perimeter, use the create command.

gcloud [beta] access-context-manager perimeters [dry-run] create NAME \
  --title=TITLE \
  --resources=PROJECTS \
  --restricted-services=RESTRICTED-SERVICES \
  --ingress-policies=INGRESS-FILENAME.yaml \
  --egress-policies=EGRESS-FILENAME.yaml \
  [--levels=LEVELS] \
  [--enable-vpc-accessible-services] \
  [--vpc-allowed-services=ACCESSIBLE-SERVICES] \
  --policy=POLICY_NAME

Replace the following:

  • beta and dry-run are required only if you want to create the perimeter in dry run mode. For example: gcloud beta access-context-manager perimeters dry-run create ....

  • NAME is the name of the perimeter.

  • TITLE is the human-readable title of the perimeter.

  • PROJECTS is a comma-separated list of one or more project numbers. For example: projects/12345 or projects/12345,projects/67890. Only project numbers are supported. You cannot use the project name or ID.

  • RESTRICTED-SERVICES is a comma-separated list of one or more services. For example: storage.googleapis.com or storage.googleapis.com,bigquery.googleapis.com.

  • INGRESS-FILENAME is a JSON or YAML file that contains the values of source, identity, project, and service attributes. For a list of ingress rule attributes, see Ingress rules reference.

  • EGRESS-FILENAME is a JSON or YAML file that contains the values of identity, project, and service attributes. For a list of egress rule attributes, see Egress rules reference.

  • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019. You only need to include the policy name if you haven't set a default access policy.

Additional options:

  • --levels is required only if you want to add access levels when you create the perimeter. LEVELS is a comma-separated list of one or more access levels that you want to apply to the service perimeter.

    You can also add access levels after you create the perimeter.

  • --enable-vpc-accessible-services and --vpc-allowed-services are required only if you want to add VPC accessible services when you create the perimeter. ACCESSIBLE-SERVICES is a comma-separated list of one or more services that you want to allow networks inside your perimeter to access. Access to any service that is not included in this list is prevented.

    You can only make a service accessible if you also protect it when configuring the perimeter.

    To quickly include all the services protected by a perimeter, specify RESTRICTED-SERVICES in the list for ACCESSIBLE-SERVICES. For example, --vpc-allowed-services=RESTRICTED-SERVICES.

    You can also define VPC accessible services after you create the perimeter.

For example, the following command creates a new perimeter named ProdPerimeter that includes the projects example-project and example-project2 (project numbers 12345 and 67890) and restricts the Cloud Storage and BigQuery APIs.

gcloud access-context-manager perimeters \
  create ProdPerimeter --title="Production Perimeter" \
  --resources=projects/12345,projects/67890 \
  --restricted-services=storage.googleapis.com,bigquery.googleapis.com \
  --ingress-policies=ingress.yaml \
  --egress-policies=egress.yaml \
  --policy=330193482019

API

To create a service perimeter, call accessPolicies.servicePerimeters.create.

POST https://accesscontextmanager.googleapis.com/v1/accessPolicies/POLICY_NAME/servicePerimeters

Where:

  • POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.

Request body

The request body must include a ServicePerimeter resource that defines the service perimeter.

For the ServicePerimeter resource, specify PERIMETER_TYPE_REGULAR for perimeterType.

Dry Run Mode

To create the perimeter in dry run mode, include the proposed perimeter configuration as the spec field of the ServicePerimeter resource and set useExplicitDryRunSpec to true.
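The following added example (not code from this page or from Google) builds the ServicePerimeter request body for the create call above in either enforced or dry run form and checks two constraints stated on this page before the body is sent: resources must be project numbers, and a service can be made VPC accessible only if the perimeter also restricts it. The policy number, project numbers and services are the ones used in this page's examples; the access level name, the perimeter resource name and the sample ingress rule (same ingressFrom/ingressTo shape as the API field) are constructed assumptions.

```python
import re

PROJECT_RE = re.compile(r"^projects/\d+$")  # only project numbers; IDs and names are rejected

# Constructed ingress rule: users coming from an assumed access level may call
# storage.objects.get on project 12345 (ingressFrom/ingressTo shape of the API).
SAMPLE_INGRESS = [{
    "ingressFrom": {
        "sources": [{"accessLevel": "accessPolicies/330193482019/accessLevels/corp_devices"}],
        "identityType": "ANY_USER_ACCOUNT",
    },
    "ingressTo": {
        "operations": [{"serviceName": "storage.googleapis.com",
                        "methodSelectors": [{"method": "google.storage.objects.get"}]}],
        "resources": ["projects/12345"],
    },
}]


def build_service_perimeter(name, title, projects, restricted_services,
                            vpc_allowed_services=None, access_levels=None,
                            ingress_policies=None, egress_policies=None,
                            dry_run=False):
    """Build the ServicePerimeter body for accessPolicies.servicePerimeters.create."""
    bad = [p for p in projects if not PROJECT_RE.match(p)]
    if bad:
        raise ValueError(f"resources must be projects/<number>: {bad}")
    if vpc_allowed_services:
        # A service can be VPC accessible only if the perimeter also restricts it.
        unprotected = set(vpc_allowed_services) - set(restricted_services)
        if unprotected:
            raise ValueError(f"not in restrictedServices: {sorted(unprotected)}")
    config = {"resources": list(projects), "restrictedServices": list(restricted_services),
              "accessLevels": list(access_levels or []),
              "ingressPolicies": list(ingress_policies or []),
              "egressPolicies": list(egress_policies or [])}
    if vpc_allowed_services:
        config["vpcAccessibleServices"] = {"enableRestriction": True,
                                          "allowedServices": list(vpc_allowed_services)}
    body = {"name": name, "title": title, "perimeterType": "PERIMETER_TYPE_REGULAR"}
    if dry_run:
        # Dry run: the proposed config lives in spec and nothing is enforced yet.
        body["spec"] = config
        body["useExplicitDryRunSpec"] = True
    else:
        body["status"] = config  # enforced perimeter
    return body
```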

Response body

If successful, the response body for the call contains an Operation resource that provides details about the POST operation.

What's next