Private connectivity from on-premises

VPC Service Controls can be combined with Private Google Access for on-premises networks to extend service perimeters to on-premises.

For your on-premises applications to reach restricted Google API services, requests to Google APIs must be sent through a private connection with GCP, whether that is a route-based VPN or a Cloud Interconnect connection.

You can use either static routing, by configuring a static route for the restricted Google API address range in the on-premises router, or dynamic routing, by announcing that range through Border Gateway Protocol (BGP) from Cloud Router.

To use Private Google Access for on-premises hosts with VPC Service Controls, configure Private Google Access for on-premises hosts and then configure VPC Service Controls. Define a service perimeter for the project that contains the VPC network that's connected to your on-premises network.

Example

In the following scenario, on-premises hosts can access Cloud Storage APIs by using Private Google Access. However, hosts can only access storage buckets in the project sensitive-buckets because of a VPC Service Controls service perimeter. The project sensitive-buckets can only be accessed from VM instances in the hybrid-VPC VPC network and from connected on-premises applications.

  • The on-premises DNS configuration maps *.googleapis.com requests to restricted.googleapis.com, which resolves to addresses in the 199.36.153.4/30 range.
  • Cloud Router advertises the 199.36.153.4/30 IP address range through the VPN tunnel. Traffic going to Google APIs is routed through the tunnel to the VPC network.
  • The VPC network includes a route that directs traffic with the destination 199.36.153.4/30 to the default-internet-gateway as the next hop. Even though default-internet-gateway is used as the next hop, traffic is routed privately through Google's network to the appropriate API or service.
  • The VPC network is authorized to access the sensitive-buckets project, and on-premises hosts have the same access.
  • On-premises hosts can't access other resources that are outside of the service perimeter.

The project that connects to your on-premises network must be a member of the service perimeter to reach restricted resources.
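The pieces of the scenario above, collected into one script as an added example that is not part of the original page or of Google's own tooling: a BIND-style zone for the on-premises resolver that maps *.googleapis.com to restricted.googleapis.com, the gcloud commands for the VPC route, the Cloud Router advertisement and the service perimeter, and a small check that an address returned by on-premises DNS really lies inside 199.36.153.4/30. Everything marked PLACEHOLDER (network, router, peer and region names, project numbers, the access policy ID, the SOA/NS values) is an assumption; only the 199.36.153.4/30 range and default-internet-gateway come from the page.

```shell
#!/bin/sh
# Added example (not from the original page): on-premises and VPC side of the
# restricted-VIP setup, plus a check that a resolved address is in 199.36.153.4/30.
# Everything marked PLACEHOLDER is an assumption, not a value from the page.

RESTRICTED_VIP_NET=199.36.153.4   # restricted.googleapis.com range (from the page)
RESTRICTED_VIP_PREFIX=30

VPC_NETWORK=hybrid-vpc            # PLACEHOLDER: lowercased form of the page's hybrid-VPC
CLOUD_ROUTER=onprem-router        # PLACEHOLDER
BGP_PEER=onprem-peer              # PLACEHOLDER
REGION=us-central1                # PLACEHOLDER
POLICY_ID=ACCESS_POLICY_ID        # PLACEHOLDER: organization access policy number
SENSITIVE_PROJECT_NUMBER=SENSITIVE_BUCKETS_PROJECT_NUMBER   # PLACEHOLDER
HYBRID_PROJECT_NUMBER=HYBRID_VPC_PROJECT_NUMBER             # PLACEHOLDER

# Dotted-quad IPv4 address -> 32-bit integer (POSIX sh, no external tools).
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds only if the given IPv4 address lies in 199.36.153.4/30. Run it on an
# on-premises host to confirm DNS is steering API traffic to the restricted VIP.
in_restricted_range() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "$RESTRICTED_VIP_NET")
  mask=$(( (4294967295 << (32 - RESTRICTED_VIP_PREFIX)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Resolve an API hostname with the local resolver and check its first answer.
verify_api_host() {
  addr=$(getent hosts "$1" | awk '{ print $1; exit }')
  if [ -n "$addr" ] && in_restricted_range "$addr"; then
    echo "OK   $1 -> $addr (restricted VIP)"
  else
    echo "FAIL $1 -> ${addr:-unresolved} (not in $RESTRICTED_VIP_NET/$RESTRICTED_VIP_PREFIX)"
    return 1
  fi
}

# BIND-style zone for the on-premises resolver: every *.googleapis.com name
# becomes a CNAME to restricted.googleapis.com, which carries only the four
# restricted addresses. SOA/NS values are placeholders.
print_onprem_zone() {
  cat <<'EOF'
$ORIGIN googleapis.com.
@                IN SOA  ns.onprem.example. admin.onprem.example. ( 1 3600 900 604800 300 )
@                IN NS   ns.onprem.example.
*                IN CNAME restricted.googleapis.com.
restricted       IN A    199.36.153.4
restricted       IN A    199.36.153.5
restricted       IN A    199.36.153.6
restricted       IN A    199.36.153.7
EOF
}

# gcloud commands for the VPC side. Printed rather than executed so they can be
# reviewed first; pipe the output through sh to apply them.
print_gcloud_setup() {
  cat <<EOF
# 1. VPC route: restricted range -> default-internet-gateway (stays on Google's network)
gcloud compute routes create restricted-apis --network=$VPC_NETWORK \\
  --destination-range=$RESTRICTED_VIP_NET/$RESTRICTED_VIP_PREFIX --next-hop-gateway=default-internet-gateway
# 2. Cloud Router: advertise the restricted range to the on-premises BGP peer
gcloud compute routers update-bgp-peer $CLOUD_ROUTER --region=$REGION --peer-name=$BGP_PEER \\
  --advertisement-mode=CUSTOM --set-advertisement-groups=ALL_SUBNETS \\
  --set-advertisement-ranges=$RESTRICTED_VIP_NET/$RESTRICTED_VIP_PREFIX
# 3. Service perimeter around both projects, restricting Cloud Storage
gcloud access-context-manager perimeters create sensitive-buckets-perimeter --policy=$POLICY_ID \\
  --title="sensitive-buckets" --restricted-services=storage.googleapis.com \\
  --resources=projects/$SENSITIVE_PROJECT_NUMBER,projects/$HYBRID_PROJECT_NUMBER
EOF
}
```

After the zone is loaded and the routes are in place, `verify_api_host storage.googleapis.com` on an on-premises host should report an address in 199.36.153.4/30; an answer outside that range means the wildcard CNAME is not being applied and requests would leave the private path. The perimeter includes both the sensitive-buckets project and the project that owns the VPC network, since the page requires the connecting project to be a perimeter member.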
