Service perimeter configuration

VPC Service Controls can be configured using the Google Cloud Platform Console, the gcloud command-line tool, and the Access Context Manager APIs.

Before you begin

Service perimeter configuration stages

To configure VPC Service Controls:

  1. If you want to use the gcloud command-line tool or the Access Context Manager APIs to create your service perimeters, create an access policy.

  2. Secure GCP resources with service perimeters.

  3. Set up private connectivity from a VPC network (optional).

  4. Grant access from outside a service perimeter using access levels (optional).

Create an access policy

An access policy collects the service perimeters and access levels you create for your Organization. An Organization can only have one access policy.

When service perimeters are created and managed using the VPC Service Controls page of the GCP Console, you do not need to create an access policy.

However, when using the gcloud command-line tool or the Access Context Manager APIs to create and configure your service perimeters, you must first create an access policy.

To learn more about Access Context Manager and access policies, read the overview of Access Context Manager.

Secure GCP resources with service perimeters

Service perimeters are used to protect services used by projects in your Organization. After identifying the projects and services you want to protect, create one or more service perimeters.

To learn more about how service perimeters work and what services VPC Service Controls can be used to secure, read the Overview of VPC Service Controls.

Some services have limitations with how they can be used with VPC Service Controls. If you encounter issues with your projects after setting up your service perimeters, read Troubleshooting.

Set up private connectivity from a VPC network

To provide additional security for VPC networks that are protected by a service perimeter, we recommend using Private Google Access. This includes private connectivity from on-premises networks.

To learn about configuring private connectivity, read Setting up private connectivity to GCP services from a VPC network.

Restricting access to GCP resources to only private access from VPC networks means that access using interfaces such as the GCP Console and the Stackdriver console will be denied. You can continue to use the gcloud command-line tool or API clients from VPC networks that share a service perimeter or perimeter bridge with the restricted resources.

Grant access from outside a service perimeter using access levels

Access levels can be used to allow requests from outside a service perimeter to resources protected by that perimeter.

Using access levels, you can specify public IPv4 and IPv6 CIDR blocks, and individual user and service accounts that you want to permit to access resources protected by VPC Service Controls.

If you restrict resources to private connectivity from VPC networks, you can re-enable access from the GCP Console to protected services by adding to an access level a CIDR block that includes the public IP address of the host where the GCP Console is being used. To re-enable the GCP Console for a specific user regardless of IP address, add that user account as a member of the access level.

To learn about using access levels, read Creating an access level.

Sharing data across service perimeters

A project can only be included in one service perimeter. If you want to allow communication between two perimeters, create a service perimeter bridge.

Perimeter bridges can be used to enable communication between projects in different service perimeters. A project can belong to more than one perimeter bridge.

To learn more about perimeter bridges, read Sharing across perimeters with bridges.
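The following script is an added example, not Google's own tooling or text from this page. It walks through the configuration stages above as they are typed into the gcloud command-line tool: creating the Organization's access policy, creating a service perimeter that restricts two services for one project, creating an access level from a public CIDR block and a user account and attaching it to the perimeter, and finally creating a perimeter bridge between two projects in different perimeters. The organization ID, project numbers, CIDR block (an RFC 5737 documentation range), user account, and all perimeter and level names are placeholder assumptions. Private connectivity (stage 3) is VPC and DNS configuration rather than an Access Context Manager call, so it is only noted in a comment.

```shell
#!/bin/sh
# Added example: VPC Service Controls configuration stages via gcloud.
# Every identifier below is a placeholder assumption, not a value from the page.
set -e

ORG_ID="${ORG_ID:-123456789012}"                            # placeholder organization ID
PROJECT_NUMBER="${PROJECT_NUMBER:-111111111111}"            # placeholder: project to protect
PEER_PROJECT_NUMBER="${PEER_PROJECT_NUMBER:-222222222222}"  # placeholder: project in a second perimeter
OFFICE_CIDR="${OFFICE_CIDR:-203.0.113.0/24}"                # RFC 5737 documentation range as a stand-in
ADMIN_MEMBER="${ADMIN_MEMBER:-user:admin@example.com}"      # placeholder user account
PERIMETER="${PERIMETER:-prod_perimeter}"
LEVEL="${LEVEL:-office_and_admin}"
BRIDGE="${BRIDGE:-prod_shared_bridge}"

# Stage 1: the Organization's single access policy, required before gcloud or
# the API can create perimeters. Prints the numeric policy ID for --policy.
create_access_policy() {
  gcloud access-context-manager policies create \
    --organization "$ORG_ID" --title "vpcsc_policy" >/dev/null
  gcloud access-context-manager policies list \
    --organization "$ORG_ID" --format="value(name.basename())"
}

# Stage 2: protect the project's use of the listed services.
create_perimeter() {
  policy_id="$1"
  gcloud access-context-manager perimeters create "$PERIMETER" \
    --title "Production perimeter" \
    --resources "projects/$PROJECT_NUMBER" \
    --restricted-services storage.googleapis.com,bigquery.googleapis.com \
    --policy "$policy_id"
}

# Stage 3 (Private Google Access / private connectivity) is VPC and DNS
# configuration, not an Access Context Manager call, so it is not scripted here.

# Local sanity check: access levels take public IP ranges, so refuse the
# obvious private, loopback and link-local IPv4 blocks before calling gcloud.
is_public_ipv4_cidr() {
  case "$1" in
    */*) ;;            # must be CIDR notation, not a bare address
    *) return 1 ;;
  esac
  case "$1" in
    10.*|127.*|192.168.*|169.254.*) return 1 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the --basic-level-spec YAML: two conditions, OR-ed together, so a
# request is allowed if it comes from the CIDR block or from the named account.
build_level_spec() {
  printf '%s\n' '- ipSubnetworks:' "  - \"$1\"" '- members:' "  - \"$2\""
}

# Stage 4: create the access level and attach it to the perimeter, which
# re-enables the GCP Console from that CIDR block and for that user.
grant_outside_access() {
  policy_id="$1"
  if ! is_public_ipv4_cidr "$OFFICE_CIDR"; then
    echo "refusing non-public CIDR block: $OFFICE_CIDR" >&2
    return 1
  fi
  spec_file="$(mktemp)"
  build_level_spec "$OFFICE_CIDR" "$ADMIN_MEMBER" > "$spec_file"
  gcloud access-context-manager levels create "$LEVEL" \
    --title "Office egress and admin" \
    --basic-level-spec "$spec_file" \
    --policy "$policy_id"
  rm -f "$spec_file"
  gcloud access-context-manager perimeters update "$PERIMETER" \
    --add-access-levels "$LEVEL" --policy "$policy_id"
}

# Sharing across perimeters: a bridge that contains one project from each perimeter.
create_bridge() {
  policy_id="$1"
  gcloud access-context-manager perimeters create "$BRIDGE" \
    --title "Shared data bridge" --perimeter-type bridge \
    --resources "projects/$PROJECT_NUMBER,projects/$PEER_PROJECT_NUMBER" \
    --policy "$policy_id"
}

configure_all() {
  policy_id="$(create_access_policy)"
  create_perimeter "$policy_id"
  grant_outside_access "$policy_id"
  create_bridge "$policy_id"
}

# Only call gcloud when explicitly asked, so the helpers can be inspected offline.
if [ "${VPCSC_APPLY:-0}" = "1" ]; then configure_all; fi
```

Run it with `VPCSC_APPLY=1 ORG_ID=... PROJECT_NUMBER=... sh vpcsc.sh` after authenticating gcloud as an Organization administrator; without `VPCSC_APPLY=1` the script only defines the helpers. The CIDR check is a local guard and not a substitute for the service's own validation; it exists so that a misconfigured private range is caught before any perimeter change is applied.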
