This page describes how you can manage service perimeters in VPC Service Controls. For details on creating new service perimeters, see Creating Service Perimeters.
Before you begin
Set your default access policy for using the gcloud command-line tool.
-or-
Get the name of your policy. The policy name is required for commands using the gcloud command-line tool and for making API calls. If you set a default access policy, you do not need to specify the policy for the gcloud command-line tool.
List and describe service perimeters
List all service perimeters in an Organization:
Console
In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.
On the VPC Service Controls page, in the table, click the name of the service perimeter that you want to view.
gcloud
To list your organization's service perimeters, use the list command:
gcloud access-context-manager perimeters list \
[--policy=POLICY_NAME]
Where:
POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
You should see a list of the perimeters for your organization. For example:
NAME           TITLE
ProdPerimeter  Production Perimeter
To view details about a service perimeter, use the describe command:
gcloud access-context-manager perimeters \
describe PERIMETER_NAME \
[--policy=POLICY_NAME]
Where:
PERIMETER_NAME is the name of the service perimeter that you want to obtain details about.
POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
You should see the details about the perimeter. For example:
accessLevels:
- accessPolicies/626111171578/accessLevels/corpAccess
resources:
- projects/111584792408
restrictedServices:
- bigquery.googleapis.com
- storage.googleapis.com
title: Production Perimeter
List service perimeters (formatted)
Using the gcloud command-line tool, you can obtain a list of your service perimeters in YAML or JSON format.
To get a formatted list of perimeters, use the list command:
gcloud access-context-manager perimeters list \
--format=FORMAT \
[--policy=POLICY_NAME]
Where:
FORMAT is one of the following values:
list (YAML format)
json (JSON format)
POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
The YAML output will look something like:
- name: accessPolicies/165717541651/servicePerimeters/On_Prem
  status: {'resources': ['projects/167410821371'], 'restrictedServices': ['bigquery.googleapis.com', 'storage.googleapis.com']}
  title: On Prem
- name: accessPolicies/165717541651/servicePerimeters/Private
  spec: {'resources': ['projects/136109111311'], 'restrictedServices': ['bigquery.googleapis.com', 'storage.googleapis.com', 'logging.googleapis.com']}
  status: {'resources': ['projects/136109111311', 'projects/401921913171'], 'restrictedServices': ['bigquery.googleapis.com']}
  title: Private
  useExplicitDryRunSpec: True
- name: accessPolicies/165717541651/servicePerimeters/OnpremBridge
  perimeterType: PERIMETER_TYPE_BRIDGE
  status: {'resources': ['projects/167410821371']}
  title: OnpremBridge
The JSON output will look something like:
[
  {
    "name": "accessPolicies/165717541651/servicePerimeters/On_Prem",
    "status": {
      "resources": [
        "projects/167410821371"
      ],
      "restrictedServices": [
        "bigquery.googleapis.com",
        "storage.googleapis.com"
      ]
    },
    "title": "On Prem"
  },
  {
    "name": "accessPolicies/165717541651/servicePerimeters/Private",
    "spec": {
      "resources": [
        "projects/136109111311"
      ],
      "restrictedServices": [
        "bigquery.googleapis.com",
        "storage.googleapis.com",
        "logging.googleapis.com"
      ]
    },
    "status": {
      "resources": [
        "projects/136109111311",
        "projects/401921913171"
      ],
      "restrictedServices": [
        "bigquery.googleapis.com"
      ]
    },
    "title": "Private",
    "useExplicitDryRunSpec": true
  },
  {
    "name": "accessPolicies/165717541651/servicePerimeters/OnpremBridge",
    "perimeterType": "PERIMETER_TYPE_BRIDGE",
    "status": {
      "resources": [
        "projects/167410821371"
      ]
    },
    "title": "OnpremBridge"
  }
]
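The JSON form is the one to feed into tooling. The following is an added example (not Google's code) that reads the list output above, embedded here as a constructed sample with the same names, projects and services as the page's output, and reports two conditions a reviewer would want to catch: an enforced configuration that restricts no services, and a dry-run spec that has drifted from the enforced status and never been rolled out.

```python
import json

# Constructed sample (not live output): the JSON shape returned by
# `gcloud access-context-manager perimeters list --format=json`, using the
# same perimeter names, projects and services as the page's example output.
SAMPLE_LIST = json.loads("""[
 {"name": "accessPolicies/165717541651/servicePerimeters/On_Prem",
  "status": {"resources": ["projects/167410821371"],
             "restrictedServices": ["bigquery.googleapis.com", "storage.googleapis.com"]},
  "title": "On Prem"},
 {"name": "accessPolicies/165717541651/servicePerimeters/Private",
  "spec": {"resources": ["projects/136109111311"],
           "restrictedServices": ["bigquery.googleapis.com", "storage.googleapis.com",
                                  "logging.googleapis.com"]},
  "status": {"resources": ["projects/136109111311", "projects/401921913171"],
             "restrictedServices": ["bigquery.googleapis.com"]},
  "title": "Private", "useExplicitDryRunSpec": true},
 {"name": "accessPolicies/165717541651/servicePerimeters/OnpremBridge",
  "perimeterType": "PERIMETER_TYPE_BRIDGE",
  "status": {"resources": ["projects/167410821371"]},
  "title": "OnpremBridge"}
]""")

def audit_perimeters(perimeters):
    """Return (perimeter, finding) pairs for two conditions worth reviewing:
    an enforced 'status' that restricts no services (projects are inside the
    perimeter but nothing is protected), and dry-run drift, where the 'spec'
    differs from the enforced 'status' and so has not been rolled out yet."""
    findings = []
    for p in perimeters:
        short = p["name"].rsplit("/", 1)[-1]
        status = p.get("status", {})
        # Bridges only join perimeters; they carry no restrictedServices of their own.
        if p.get("perimeterType") != "PERIMETER_TYPE_BRIDGE" and not status.get("restrictedServices"):
            findings.append((short, "enforced config restricts no services"))
        spec = p.get("spec")
        if p.get("useExplicitDryRunSpec") and spec is not None:
            for key in ("resources", "restrictedServices", "accessLevels"):
                want, have = set(spec.get(key, [])), set(status.get(key, []))
                if want != have:
                    findings.append((short, f"dry-run drift in {key}: "
                                            f"+{sorted(want - have)} -{sorted(have - want)}"))
    return findings
```

Pipe real output in with `gcloud access-context-manager perimeters list --format=json | python3 audit.py` after replacing SAMPLE_LIST with `json.load(sys.stdin)`.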
Updating a service perimeter
You can add new Google Cloud projects to a service perimeter, or remove projects from it. You can change the list of restricted Google Cloud services. You can also change the Title and Description for a service perimeter. To do so, you need to provide the full list of resources.
This section describes how to update individual service perimeters. To update all of your organization's service perimeters in one operation, see Making bulk changes to service perimeters.
After you update a service perimeter, it may take up to 30 minutes for the changes to propagate and take effect.
Console
In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.
On the VPC Service Controls page, in the table, click the name of the service perimeter that you want to modify.
On the Edit VPC Service Perimeter page, update the service perimeter.
Click Save.
gcloud
To add new projects to a perimeter, use the update command and specify the resources to add:
gcloud access-context-manager perimeters update PERIMETER_NAME \
--add-resources=PROJECTS \
[--policy=POLICY_NAME]
Where:
PERIMETER_NAME is the name of the service perimeter that you want to update.
PROJECTS is a comma-delimited list of one or more project IDs. For example: projects/100712 or projects/100712,projects/233130.
POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
To update the list of restricted services, use the update command and specify the services to add as a comma-delimited list:
gcloud access-context-manager perimeters update PERIMETER_NAME \
--add-restricted-services=SERVICES \
[--policy=POLICY_NAME]
Where:
PERIMETER_NAME is the name of the service perimeter that you want to update.
SERVICES is a comma-delimited list of one or more services. For example: storage.googleapis.com or storage.googleapis.com,bigquery.googleapis.com.
POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
Adding an access level to an existing perimeter
Once you have created an access level, you can apply it to a service perimeter to control access.
After you update a service perimeter, it may take up to 30 minutes for the changes to propagate and take effect.
Console
In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.
On the VPC Service Controls page, in the table, click the name of the service perimeter that you want to modify.
On the Edit VPC Service Perimeter page, click the Choose Access Level box.
Select the checkboxes corresponding to the access levels that you want to apply to the service perimeter.
Click Save.
gcloud
To add an access level to an existing service perimeter, use the update command:
gcloud access-context-manager perimeters update PERIMETER_NAME \
--add-access-levels=LEVEL_NAME \
[--policy=POLICY_NAME]
Where:
PERIMETER_NAME is the name of your service perimeter.
LEVEL_NAME is the name of the access level that you want to add to the perimeter.
POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
Deleting a service perimeter
When you delete a service perimeter, the security controls associated with the perimeter no longer apply to the associated Google Cloud projects. There isn't any other impact to the member Google Cloud projects or associated resources.
Console
In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.
On the VPC Service Controls page, in the table row for the perimeter that you want to delete, click the delete button.
gcloud
To delete a service perimeter, use the delete command:
gcloud access-context-manager perimeters delete PERIMETER_NAME \
[--policy=POLICY_NAME]
Where:
PERIMETER_NAME is the name of your service perimeter.
POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
Limit access to services inside a perimeter with VPC accessible services
This section describes how to enable, add, remove, and disable VPC accessible services.
The VPC accessible services feature is used to limit the set of services that are accessible from network endpoints inside your service perimeter. VPC accessible services can be added to service perimeters only, not to perimeter bridges.
To learn more about the VPC accessible services feature, read about VPC accessible services.
Enable VPC accessible services
To enable VPC accessible services for your service perimeter, use the following command:
gcloud access-context-manager perimeters update PERIMETER_NAME \
--enable-vpc-accessible-services \
--add-vpc-allowed-services=SERVICES \
[--policy=POLICY_NAME]
Where:
PERIMETER_NAME is the name of your service perimeter.
SERVICES is a comma-separated list of one or more services that you want to allow networks inside your perimeter to access. Access to any services that are not included in this list will be prevented.
To quickly include the services protected by the perimeter, add RESTRICTED-SERVICES to the list for SERVICES. You can include other services in addition to RESTRICTED-SERVICES.
POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
For example, if you wanted the VPC networks in your perimeter to only have access to the Logging and Cloud Storage services, you would use the following command:
gcloud access-context-manager perimeters update example_perimeter \
--enable-vpc-accessible-services \
--add-vpc-allowed-services=RESTRICTED-SERVICES,logging.googleapis.com,storage.googleapis.com \
--policy=11271009391
Add a service to the VPC accessible services
To add additional services to the VPC accessible services for your perimeter, use the following command:
gcloud access-context-manager perimeters update PERIMETER_NAME \
--add-vpc-allowed-services=SERVICES \
[--policy=POLICY_NAME]
Where:
PERIMETER_NAME is the name of your service perimeter.
SERVICES is a comma-separated list of one or more services that you want to allow networks inside your perimeter to access.
To quickly include the services protected by the perimeter, add RESTRICTED-SERVICES to the list for SERVICES. You can include separate services in addition to RESTRICTED-SERVICES.
POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
For example, if you had already enabled VPC accessible services and wanted the VPC networks in your perimeter to also have access to the Pub/Sub service, you would use the following command:
gcloud access-context-manager perimeters update example_perimeter \
--add-vpc-allowed-services=RESTRICTED-SERVICES,pubsub.googleapis.com \
--policy=11271009391
Remove a service from the VPC accessible services
To remove services from the VPC accessible services for your service perimeter, use the following command:
gcloud access-context-manager perimeters update PERIMETER_NAME \
--remove-vpc-allowed-services=SERVICES \
[--policy=POLICY_NAME]
Where:
PERIMETER_NAME is the name of your service perimeter.
SERVICES is a comma-separated list of one or more services that you want to remove from the list of services that networks inside your service perimeter are permitted to access.
POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
For example, if you had already enabled VPC accessible services and you no longer wanted the VPC networks in your perimeter to have access to the Cloud Storage service, you would use the following command:
gcloud access-context-manager perimeters update example_perimeter \
--remove-vpc-allowed-services=storage.googleapis.com \
--policy=11271009391
Disable VPC accessible services
To disable VPC service restrictions for your service perimeter, use the following command:
gcloud access-context-manager perimeters update PERIMETER_NAME \
--no-enable-vpc-accessible-services \
--clear-vpc-allowed-services \
[--policy=POLICY_NAME]
Where:
PERIMETER_NAME is the name of your service perimeter.
POLICY_NAME is the name of your organization's access policy. This value is required only if you haven't set a default access policy.
For example, to disable VPC service restrictions for example_perimeter, you would use the following command:
gcloud access-context-manager perimeters update example_perimeter \
--no-enable-vpc-accessible-services \
--clear-vpc-allowed-services \
--policy=11271009391
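The four commands above change one piece of perimeter state, and the effect on what endpoints inside the VPC can reach depends on how RESTRICTED-SERVICES expands. The following is an added example (not Google's code) that models that state and replays the page's enable, add, remove and disable commands against a constructed perimeter restricting BigQuery and Cloud Storage; the dict field names (enableRestriction, allowedServices) are taken from the VpcAccessibleServices object of the Access Context Manager v1 API, which this page does not spell out, and the expansion semantics are this model's reading of the text above.

```python
RESTRICTED_TOKEN = "RESTRICTED-SERVICES"  # expands to the perimeter's restricted services

def apply_update(vpc, add=(), remove=(), enable=None, clear=False):
    """Apply one `perimeters update` call to a VpcAccessibleServices-shaped dict
    ({"enableRestriction": bool, "allowedServices": [...]}; field names assumed
    from the Access Context Manager v1 API). `add`/`remove` mirror
    --add-/--remove-vpc-allowed-services, `enable` mirrors
    --enable-/--no-enable-vpc-accessible-services, `clear` mirrors
    --clear-vpc-allowed-services."""
    new = {"enableRestriction": vpc.get("enableRestriction", False),
           "allowedServices": [] if clear else list(vpc.get("allowedServices", []))}
    if enable is not None:
        new["enableRestriction"] = enable
    new["allowedServices"] = [s for s in new["allowedServices"] if s not in remove]
    new["allowedServices"] += [s for s in add if s not in new["allowedServices"]]
    return new

def effective_vpc_allowed(restricted_services, vpc):
    """Services reachable from endpoints inside the perimeter, or None when the
    VPC-level restriction is disabled (every service is reachable at that layer)."""
    if not vpc.get("enableRestriction"):
        return None
    allowed = set()
    for svc in vpc.get("allowedServices", []):
        if svc == RESTRICTED_TOKEN:
            allowed.update(restricted_services)
        else:
            allowed.add(svc)
    return allowed

def vpc_can_reach(restricted_services, vpc, service):
    allowed = effective_vpc_allowed(restricted_services, vpc)
    return allowed is None or service in allowed

# Constructed example: a perimeter that restricts BigQuery and Cloud Storage.
EXAMPLE_RESTRICTED = ["bigquery.googleapis.com", "storage.googleapis.com"]

def replay_page_commands():
    """Replay the page's four example commands, returning the state after each."""
    states = [apply_update({}, enable=True,
                           add=[RESTRICTED_TOKEN, "logging.googleapis.com", "storage.googleapis.com"])]
    states.append(apply_update(states[-1], add=[RESTRICTED_TOKEN, "pubsub.googleapis.com"]))
    # Removing storage.googleapis.com explicitly does not make it unreachable in this
    # model: RESTRICTED_TOKEN still expands to the restricted services, which include it.
    states.append(apply_update(states[-1], remove=["storage.googleapis.com"]))
    states.append(apply_update(states[-1], enable=False, clear=True))
    return states
```

The third step is the caveat to check after any removal: if a service is still among the perimeter's restricted services and RESTRICTED-SERVICES remains in the allowed list, removing its explicit entry changes nothing about reachability.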
VPC accessible services and the Access Context Manager API
The Access Context Manager API can also be used to manage VPC accessible services.
When creating or modifying a service perimeter, use the ServicePerimeterConfig object in the response body to configure your VPC accessible services.