Manage service perimeters

This page describes how you can manage service perimeters in VPC Service Controls. For details on creating new service perimeters, see Creating service perimeters.

List and describe service perimeters

List all service perimeters in an organization:

Console

  1. In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.

    Go to the VPC Service Controls page

  2. On the VPC Service Controls page, in the table, click the name of the service perimeter that you want to view.

gcloud

To list your organization's service perimeters, use the list command:

gcloud access-context-manager perimeters list \
  [--policy=POLICY_ID]

Replace the following:

  • POLICY_ID is the ID of your organization's access policy. This value is required only if you haven't set a default access policy.

You should see a list of the perimeters for your organization. For example:

NAME           TITLE
ProdPerimeter  Production Perimeter

To view details about a service perimeter, use the describe command:

gcloud access-context-manager perimeters \
  describe PERIMETER_ID \
  [--policy=POLICY_ID]

Replace the following:

  • PERIMETER_ID is the ID of the service perimeter that you want to obtain details about.

  • POLICY_ID is the ID of your organization's access policy. This value is required only if you haven't set a default access policy.

You should see the details about the perimeter. For example:

accessLevels:
- accessPolicies/626111171578/accessLevels/corpAccess
resources:
- projects/111584792408
restrictedServices:
- bigquery.googleapis.com
- storage.googleapis.com
title: Production Perimeter

List service perimeters (formatted)

Using the gcloud command-line tool, you can obtain a list of your service perimeters in YAML or JSON format.

To get a formatted list of perimeters, use the list command.

gcloud access-context-manager perimeters list \
  --format=FORMAT \
  [--policy=POLICY_ID]

Replace the following:

  • FORMAT is one of the following values:

    • list (YAML format)

    • json (JSON format)

  • POLICY_ID is the ID of your organization's access policy. This value is required only if you haven't set a default access policy.

The following output is an example list in YAML format:

- name: accessPolicies/165717541651/servicePerimeters/On_Prem
  status: {'resources': ['projects/167410821371'], 'restrictedServices': ['bigquery.googleapis.com', 'storage.googleapis.com']}
  title: On Prem
- name: accessPolicies/165717541651/servicePerimeters/Private
  spec: {'resources': ['projects/136109111311'], 'restrictedServices': ['bigquery.googleapis.com', 'storage.googleapis.com', 'logging.googleapis.com']}
  status: {'resources': ['projects/136109111311', 'projects/401921913171'], 'restrictedServices': ['bigquery.googleapis.com']}
  title: Private
  useExplicitDryRunSpec: True
- name: accessPolicies/165717541651/servicePerimeters/OnpremBridge
  perimeterType: PERIMETER_TYPE_BRIDGE
  status: {'resources': ['projects/167410821371']}
  title: OnpremBridge

The following output is an example list in JSON format:

[
  {
    "name": "accessPolicies/165717541651/servicePerimeters/On_Prem",
    "status": {
      "resources": [
        "projects/167410821371"
      ],
      "restrictedServices": [
        "bigquery.googleapis.com",
        "storage.googleapis.com"
      ]
    },
    "title": "On Prem"
  },
  {
    "name": "accessPolicies/165717541651/servicePerimeters/Private",
    "spec": {
      "resources": [
        "projects/136109111311"
      ],
      "restrictedServices": [
        "bigquery.googleapis.com",
        "storage.googleapis.com",
        "logging.googleapis.com"
      ]
    },
    "status": {
      "resources": [
        "projects/136109111311",
        "projects/401921913171"
      ],
      "restrictedServices": [
        "bigquery.googleapis.com"
      ]
    },
    "title": "Private",
    "useExplicitDryRunSpec": true
  },
  {
    "name": "accessPolicies/165717541651/servicePerimeters/OnpremBridge",
    "perimeterType": "PERIMETER_TYPE_BRIDGE",
    "status": {
      "resources": [
        "projects/167410821371"
      ]
    },
    "title": "OnpremBridge"
  }
]
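The JSON list above is the natural input for an automated perimeter audit. The following Python is an added example (not part of this documentation or of gcloud): it embeds the page's sample list as constructed input and flags, for each perimeter, the services that are restricted only in the dry-run spec and the projects that would drop out of the enforced perimeter if that spec were committed. The field names (name, spec, status, restrictedServices, resources, useExplicitDryRunSpec, perimeterType) are exactly those in the page's output; no other API fields are assumed.

```python
import json

# Constructed sample: the JSON list shown on this page, reduced to the fields the audit reads.
SAMPLE_JSON = """[
  {"name": "accessPolicies/165717541651/servicePerimeters/On_Prem",
   "status": {"resources": ["projects/167410821371"],
              "restrictedServices": ["bigquery.googleapis.com", "storage.googleapis.com"]},
   "title": "On Prem"},
  {"name": "accessPolicies/165717541651/servicePerimeters/Private",
   "spec": {"resources": ["projects/136109111311"],
            "restrictedServices": ["bigquery.googleapis.com", "storage.googleapis.com",
                                   "logging.googleapis.com"]},
   "status": {"resources": ["projects/136109111311", "projects/401921913171"],
              "restrictedServices": ["bigquery.googleapis.com"]},
   "title": "Private", "useExplicitDryRunSpec": true},
  {"name": "accessPolicies/165717541651/servicePerimeters/OnpremBridge",
   "perimeterType": "PERIMETER_TYPE_BRIDGE",
   "status": {"resources": ["projects/167410821371"]},
   "title": "OnpremBridge"}
]"""


def audit_perimeters(perimeters):
    """Summarise each perimeter and flag drift between the enforced (status)
    configuration and the dry-run (spec) configuration."""
    findings = []
    for p in perimeters:
        status, spec = p.get("status", {}), p.get("spec", {})
        enforced_svcs = set(status.get("restrictedServices", []))
        enforced_projs = set(status.get("resources", []))
        dry_run = bool(p.get("useExplicitDryRunSpec"))
        findings.append({
            "id": p["name"].rsplit("/", 1)[-1],
            "bridge": p.get("perimeterType") == "PERIMETER_TYPE_BRIDGE",
            "enforced_projects": sorted(enforced_projs),
            "enforced_services": sorted(enforced_svcs),
            # Restricted only in the dry-run spec: violations are logged, not yet blocked.
            "pending_services": sorted(set(spec.get("restrictedServices", [])) - enforced_svcs) if dry_run else [],
            # Enforced today but absent from the spec: would lose protection if the spec were enforced.
            "projects_dropped_by_spec": sorted(enforced_projs - set(spec.get("resources", []))) if dry_run else [],
        })
    return findings


def audit_json(text):
    """Parse `gcloud access-context-manager perimeters list --format=json` output and audit it."""
    return audit_perimeters(json.loads(text))


if __name__ == "__main__":
    for finding in audit_json(SAMPLE_JSON):
        print(json.dumps(finding))
```

Pipe the real `gcloud ... perimeters list --format=json` output into `audit_json` to run the same check against your organization.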

Update a service perimeter

This section describes how to update individual service perimeters. To update all of your organization's service perimeters in one operation, see Making bulk changes to service perimeters.

After you update a service perimeter, it can take up to 30 minutes for the changes to propagate and take effect. During this time, the perimeter might block requests with the following error message: Error 403: Request is prohibited by organization's policy.

Console

  1. In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.

    Go to the VPC Service Controls page

  2. On the VPC Service Controls page, in the table, click the name of the service perimeter that you want to modify.

  3. On the Edit VPC Service Perimeter page, update the service perimeter.

  4. Click Save.

gcloud

To add new resources to a perimeter, use the update command and specify the resources to add:

gcloud access-context-manager perimeters update PERIMETER_ID \
  --add-resources=RESOURCES \
  [--policy=POLICY_ID]

Replace the following:

  • PERIMETER_ID is the ID of the service perimeter that you want to update.

  • RESOURCES is a comma-separated list of one or more project numbers or VPC network names. For example: projects/12345 or //compute.googleapis.com/projects/my-project/global/networks/vpc1. Only projects and VPC networks are allowed. Project format: projects/project_number. VPC format: //compute.googleapis.com/projects/project-id/global/networks/network_name.

  • POLICY_ID is the ID of your organization's access policy. This value is required only if you haven't set a default access policy.

To update the list of restricted services, use the update command and specify the services to add as a comma-delimited list:

gcloud access-context-manager perimeters update PERIMETER_ID \
  --add-restricted-services=SERVICES \
  [--policy=POLICY_ID]

Replace the following:

  • PERIMETER_ID is the ID of the service perimeter that you want to update.

  • SERVICES is a comma-delimited list of one or more services. For example: storage.googleapis.com or storage.googleapis.com,bigquery.googleapis.com.

  • POLICY_ID is the ID of your organization's access policy. This value is required only if you haven't set a default access policy.

Add an access level to an existing perimeter

Once you have created an access level, you can apply it to a service perimeter to control access.

After you update a service perimeter, it can take up to 30 minutes for the changes to propagate and take effect. During this time, the perimeter might block requests with the following error message: Error 403: Request is prohibited by organization's policy.

Console

  1. In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.

    Go to the VPC Service Controls page

  2. On the VPC Service Controls page, in the table, click the name of the service perimeter that you want to modify.

  3. On the Edit VPC Service Perimeter page, click the Choose Access Level box.

  4. Select the checkboxes corresponding to the access levels that you want to apply to the service perimeter.

  5. Click Save.

gcloud

To add an access level to an existing service perimeter, use the update command:

gcloud access-context-manager perimeters update PERIMETER_ID \
  --add-access-levels=LEVEL_NAME \
  [--policy=POLICY_ID]

Replace the following:

  • PERIMETER_ID is the ID of your service perimeter.

  • LEVEL_NAME is the name of the access level that you want to add to the perimeter.

  • POLICY_ID is the ID of your organization's access policy. This value is required only if you haven't set a default access policy.

Delete a service perimeter

When you delete a service perimeter, the security controls associated with the perimeter no longer apply to the associated Google Cloud projects. There isn't any other impact to the member Google Cloud projects or associated resources.

Console

  1. In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.

    Go to the VPC Service Controls page

  2. On the VPC Service Controls page, in the table row corresponding to the perimeter that you want to delete, click the delete icon.

gcloud

To delete a service perimeter, use the delete command:

gcloud access-context-manager perimeters delete PERIMETER_ID \
  [--policy=POLICY_ID]

Replace the following:

  • PERIMETER_ID is the ID of your service perimeter.

  • POLICY_ID is the ID of your organization's access policy. This value is required only if you haven't set a default access policy.

Limit access to services inside a perimeter with VPC accessible services

This section describes how to enable, add, remove, and disable VPC accessible services.

You can use the VPC accessible services feature to limit the set of services that are accessible from network endpoints inside your service perimeter. You can add VPC accessible services to service perimeters but not to perimeter bridges.

To learn more about the VPC accessible services feature, read about VPC accessible services.

Enable VPC accessible services

To enable VPC accessible services for your service perimeter, use the following command:

gcloud access-context-manager perimeters update PERIMETER_ID \
  --enable-vpc-accessible-services \
  --add-vpc-allowed-services=SERVICES \
  [--policy=POLICY_ID]

Replace the following:

  • PERIMETER_ID is the ID of your service perimeter.

  • SERVICES is a comma-separated list of one or more services that you want to allow networks inside your perimeter to access. Access to any service that is not included in this list is prevented.

    To quickly include the services protected by the perimeter, add RESTRICTED-SERVICES to the list for SERVICES. You can include other services in addition to RESTRICTED-SERVICES.

  • POLICY_ID is the ID of your organization's access policy. This value is required only if you haven't set a default access policy.

For example, to ensure that the VPC networks in your perimeter have access only to the Logging and Cloud Storage services, use the following command:

gcloud access-context-manager perimeters update example_perimeter \
  --enable-vpc-accessible-services \
  --add-vpc-allowed-services=RESTRICTED-SERVICES,logging.googleapis.com,storage.googleapis.com \
  --policy=11271009391

Add a service to the VPC accessible services

To add additional services to the VPC accessible services for your perimeter, use the following command:

gcloud access-context-manager perimeters update PERIMETER_ID \
  --add-vpc-allowed-services=SERVICES \
  [--policy=POLICY_ID]

Replace the following:

  • PERIMETER_ID is the ID of your service perimeter.

  • SERVICES is a comma-separated list of one or more services that you want to allow networks inside your perimeter to access.

    To quickly include the services protected by the perimeter, add RESTRICTED-SERVICES to the list for SERVICES. You can include other services in addition to RESTRICTED-SERVICES.

  • POLICY_ID is the ID of your organization's access policy. This value is required only if you haven't set a default access policy.

For example, if you enable VPC accessible services and require that the VPC networks in your perimeter have access to the Pub/Sub service, use the following command:

gcloud access-context-manager perimeters update example_perimeter \
  --add-vpc-allowed-services=RESTRICTED-SERVICES,pubsub.googleapis.com \
  --policy=11271009391

Remove a service from the VPC accessible services

To remove services from the VPC accessible services for your service perimeter, use the following command:

gcloud access-context-manager perimeters update PERIMETER_ID \
  --remove-vpc-allowed-services=SERVICES \
  [--policy=POLICY_ID]

Replace the following:

  • PERIMETER_ID is the ID of your service perimeter.

  • SERVICES is a comma-separated list of one or more services that you want to remove from the list of services that networks inside your service perimeter are permitted to access.

  • POLICY_ID is the ID of your organization's access policy. This value is required only if you haven't set a default access policy.

For example, if you enable VPC accessible services and you no longer want the VPC networks in your perimeter to have access to the Cloud Storage service, use the following command:

gcloud access-context-manager perimeters update example_perimeter \
  --remove-vpc-allowed-services=storage.googleapis.com \
  --policy=11271009391

Disable VPC accessible services

To disable VPC service restrictions for your service perimeter, use the following command:

gcloud access-context-manager perimeters update PERIMETER_ID \
  --no-enable-vpc-accessible-services \
  --clear-vpc-allowed-services \
  [--policy=POLICY_ID]

Replace the following:

  • PERIMETER_ID is the ID of your service perimeter.

  • POLICY_ID is the ID of your organization's access policy. This value is required only if you haven't set a default access policy.

For example, to disable VPC service restrictions for example_perimeter, use the following command:

gcloud access-context-manager perimeters update example_perimeter \
  --no-enable-vpc-accessible-services \
  --clear-vpc-allowed-services \
  --policy=11271009391

VPC accessible services and the Access Context Manager API

You can also use the Access Context Manager API to manage VPC accessible services. When you create or modify a service perimeter, use the ServicePerimeterConfig object in the response body to configure your VPC accessible services.
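The enable, add, remove and disable commands above are all edits to one allowlist, and the RESTRICTED-SERVICES token expands to whatever the perimeter currently restricts. The following Python is an added example (not part of this documentation, gcloud, or the Access Context Manager API): it models that allowlist as a dict in the shape of the API's vpcAccessibleServices configuration (enableRestriction plus allowedServices, an assumption about the ServicePerimeterConfig layout), replays the page's four example_perimeter commands, and answers whether an endpoint inside the perimeter can reach a given service. It assumes, as constructed input, that example_perimeter restricts BigQuery and Cloud Storage, which makes visible a caveat a defender should know: removing storage.googleapis.com explicitly has no effect while RESTRICTED-SERVICES still covers it.

```python
RESTRICTED_SERVICES = "RESTRICTED-SERVICES"  # token accepted by --add-vpc-allowed-services


def apply_update(cfg, enable=None, add=(), remove=(), clear=False):
    """Mirror the gcloud update flags on an assumed vpcAccessibleServices-style dict:
    {"enableRestriction": bool, "allowedServices": [...]}. Returns a new dict."""
    allowed = [] if clear else list(cfg.get("allowedServices", []))   # --clear-vpc-allowed-services
    for svc in add:                                                   # --add-vpc-allowed-services
        if svc not in allowed:
            allowed.append(svc)
    allowed = [s for s in allowed if s not in set(remove)]            # --remove-vpc-allowed-services
    enabled = cfg.get("enableRestriction", False) if enable is None else enable  # --[no-]enable-...
    return {"enableRestriction": enabled, "allowedServices": allowed}


def effective_allowlist(cfg, restricted_services):
    """Expand RESTRICTED-SERVICES into the perimeter's restricted services.
    Returns None when the restriction is disabled (every service is reachable)."""
    if not cfg.get("enableRestriction"):
        return None
    allowed = set()
    for svc in cfg.get("allowedServices", []):
        allowed |= set(restricted_services) if svc == RESTRICTED_SERVICES else {svc}
    return allowed


def reachable(cfg, restricted_services, service):
    """Can a network endpoint inside the perimeter call `service`?"""
    allowed = effective_allowlist(cfg, restricted_services)
    return True if allowed is None else service in allowed


# Replay the page's example_perimeter commands. Constructed assumption: the perimeter
# restricts BigQuery and Cloud Storage (as in the describe output earlier on the page).
RESTRICTED = ["bigquery.googleapis.com", "storage.googleapis.com"]
STEP1 = apply_update({}, enable=True, add=[RESTRICTED_SERVICES, "logging.googleapis.com",
                                           "storage.googleapis.com"])          # enable
STEP2 = apply_update(STEP1, add=[RESTRICTED_SERVICES, "pubsub.googleapis.com"])  # add
STEP3 = apply_update(STEP2, remove=["storage.googleapis.com"])                   # remove
STEP4 = apply_update(STEP3, enable=False, clear=True)                            # disable

if __name__ == "__main__":
    for name, cfg in [("enable", STEP1), ("add", STEP2), ("remove", STEP3), ("disable", STEP4)]:
        print(name, sorted(effective_allowlist(cfg, RESTRICTED) or []) or "no restriction",
              "| storage reachable:", reachable(cfg, RESTRICTED, "storage.googleapis.com"))
```

To actually block a service that the perimeter restricts, drop the RESTRICTED-SERVICES token and list the permitted services individually.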