Set up a service perimeter by using VPC Service Controls

Learn how to set up a service perimeter using VPC Service Controls in the Google Cloud console.

Before you begin

We recommend that you check whether you have the required Identity and Access Management (IAM) roles for administering VPC Service Controls.

If you do not have the required IAM roles, see Manage access to projects, folders, and organizations for information about how to grant IAM roles.

Set up a VPC Service Controls perimeter

In the following sections, you specify the perimeter details, add projects and services to protect, and create the perimeter.

Add the VPC Service Controls perimeter details

  1. In the Google Cloud console, go to the VPC Service Controls page.

  2. To create a new perimeter by using the default access policy, select your organization from the project selector menu.

  3. On the VPC Service Controls page, click New Perimeter.

  4. On the New VPC Service Perimeter page, in the Perimeter Name box, type perimeter_storage_services.

  5. In the Perimeter Type and Config Type sections, retain the default settings.

Add projects to the perimeter

  1. To add projects to the perimeter, from the New VPC Service Perimeter navigation menu, click Projects.
  2. Click Add Projects.
  3. In the Add Projects dialog, select the projects that you want to add to the perimeter and then click Add Projects.

  4. Click Done.

Secure the BigQuery and Cloud Storage services within the perimeter

  1. From the New VPC Service Perimeter navigation menu, click Restricted services.
  2. Click Add Services.
  3. In the Specify services to restrict dialog, select the checkboxes of the BigQuery and Cloud Storage APIs.

    To locate the services, you can use the filter query.

  4. Click Add 2 Services.

  5. To create the perimeter, from the New VPC Service Perimeter navigation menu, click Create perimeter.

You just created a perimeter! You can see your perimeter listed on the VPC Service Controls page. The perimeter might take up to 30 minutes to propagate and take effect. When the changes have propagated, access to the BigQuery and Cloud Storage services is limited to the projects you added to the perimeter.

Additionally, the Google Cloud console interface for the BigQuery and Cloud Storage services that you protected with the perimeter might become partially or fully inaccessible.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

  1. In the Google Cloud console, go to the VPC Service Controls page.

  2. On the VPC Service Controls page, in the row corresponding to the perimeter that you created, click Delete.

  3. In the dialog box, click Delete to confirm that you want to delete the perimeter.
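The same perimeter can be created, inspected and removed from a terminal with gcloud, which is useful when the console for BigQuery or Cloud Storage has become inaccessible after the perimeter took effect. The script below is an added example written for this page and is not part of the Google Cloud documentation; it mirrors the "Set up a VPC Service Controls perimeter" steps and the "Clean up" steps above. ORG_ID, the project numbers in PROJECTS and the access policy ID are placeholders that the script assumes you supply; the perimeter name perimeter_storage_services and the two restricted services are the ones the page uses.

```shell
#!/usr/bin/env sh
# Added example (not from the Google Cloud docs): create, verify and delete the
# perimeter_storage_services perimeter with gcloud instead of the console.
# Assumed inputs (placeholders): ORG_ID (organization number) and PROJECTS
# (space-separated project NUMBERS). Nothing is applied unless VPCSC_APPLY=1.
set -eu

# --resources expects project numbers as projects/NUMBER (not project IDs).
# Convert "111 222" into "projects/111,projects/222".
to_resources() {
  out=""
  for n in $1; do
    out="${out:+$out,}projects/$n"
  done
  printf '%s' "$out"
}

# Build the create command for a regular perimeter that restricts the
# BigQuery and Cloud Storage APIs to the listed projects. The command is
# returned as a string so it can be reviewed before it is run.
perimeter_create_cmd() {
  policy="$1"; name="$2"; projects="$3"
  printf 'gcloud access-context-manager perimeters create %s --policy=%s --title=%s --perimeter-type=regular --resources=%s --restricted-services=bigquery.googleapis.com,storage.googleapis.com' \
    "$name" "$policy" "$name" "$(to_resources "$projects")"
}

# Equivalent of the Clean up steps: delete the perimeter from its policy.
perimeter_delete_cmd() {
  policy="$1"; name="$2"
  printf 'gcloud access-context-manager perimeters delete %s --policy=%s --quiet' "$name" "$policy"
}

# The console picks the organization's default access policy when you select
# the organization; on the CLI look it up and keep only the numeric ID.
lookup_policy() {
  gcloud access-context-manager policies list --organization="$1" \
    --format='value(name)' | head -n 1 | sed 's|.*/||'
}

if [ "${VPCSC_APPLY:-0}" = "1" ]; then
  POLICY_ID="$(lookup_policy "$ORG_ID")"
  eval "$(perimeter_create_cmd "$POLICY_ID" perimeter_storage_services "$PROJECTS")"
  # Confirm the stored definition; enforcement can still take up to 30 minutes.
  gcloud access-context-manager perimeters describe perimeter_storage_services --policy="$POLICY_ID"
  # To tear the perimeter down again, run:
  #   eval "$(perimeter_delete_cmd "$POLICY_ID" perimeter_storage_services)"
fi
```

Run it with `ORG_ID=123456789 PROJECTS="111 222" VPCSC_APPLY=1 sh create_perimeter.sh` (constructed placeholder values) once you hold the IAM roles mentioned under "Before you begin"; without VPCSC_APPLY=1 the script only defines the functions, so you can call `perimeter_create_cmd` by hand to review the exact command first.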

What's next