Before you begin
Service perimeter configuration stages
To configure VPC Service Controls, work through these stages in order:
1. Create an access policy.
2. Secure GCP resources with service perimeters.
3. Set up private connectivity from a VPC network (optional).
4. Grant access from outside a service perimeter using access levels (optional).
Create an access policy
An access policy is the container for the service perimeters and access levels you create for your Organization. An Organization can have only one access policy.
If you create and manage service perimeters from the VPC Service Controls page of the Cloud Console, you do not need to create an access policy yourself; the Console creates one for the Organization on your behalf. If you use the gcloud command-line tool or the API, create the access policy first, because every perimeter and access level you create must reference it.
To learn more about Access Context Manager and access policies, read the overview of Access Context Manager.
Secure GCP resources with service perimeters
A service perimeter encloses a set of projects in your Organization and a set of Google Cloud services to protect. Requests to a protected service that cross the perimeter boundary (for example, from a project outside the perimeter or from the public internet) are denied unless an access level or a perimeter bridge permits them. After identifying the projects and services you want to protect, create one or more service perimeters.
To learn more about how service perimeters work and what services VPC Service Controls can be used to secure, read the Overview of VPC Service Controls.
Set up private connectivity from a VPC network
To provide additional security for VPC networks that are protected by a service perimeter, we recommend using Private Google Access, so that VM instances reach Google APIs over Google's network rather than through external IP addresses. The same applies to private connectivity from on-premises networks. When you set this up, point DNS and routes for Google APIs at the restricted.googleapis.com VIP, which serves only the services that VPC Service Controls can protect.
To learn about configuring private connectivity, read Setting up private connectivity to Google APIs and services.
If you restrict access to Google Cloud resources so that only private access from VPC networks is allowed, access through interfaces such as the Cloud Console and the Cloud Monitoring console is denied, because those requests arrive from the public internet, outside the perimeter. You can continue to use the gcloud command-line tool or API clients from VPC networks that share a service perimeter or perimeter bridge with the restricted resources.
Grant access from outside a service perimeter using access levels
Access levels allow requests that originate outside a service perimeter to reach resources protected by that perimeter.
In an access level you can specify public IPv4 and IPv6 CIDR blocks, and individual user and service accounts, that you want to permit to access resources protected by VPC Service Controls. Private (RFC 1918) ranges are not meaningful here: the address evaluated is the public source address of the request.
If you have restricted resources to private connectivity from VPC networks, you can re-enable the Cloud Console for protected services by adding to an access level a CIDR block that includes the public IP address from which the Cloud Console is used (typically your office or VPN egress range). To re-enable the Cloud Console for a specific user regardless of IP address, add that user account as a member of the access level; this admits the user from any network, so keep such member-based levels narrow.
To learn about using access levels, read Creating an access level.
Sharing data across service perimeters
A project can be included in only one service perimeter. To allow communication between projects in two different perimeters, create a service perimeter bridge.
A perimeter bridge enables communication between projects in different service perimeters, for the services those perimeters protect. A project can belong to more than one perimeter bridge.
To learn more about perimeter bridges, read Sharing across perimeters with bridges.
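The configuration stages above (access policy, service perimeter, Private Google Access, access level) together with a perimeter bridge, as one gcloud script. This is an added example and not code from the VPC Service Controls documentation; the organization ID, the project numbers, the subnet and region, the 203.0.113.0/24 range, user:alice@example.com, and the names prod-perimeter, dev-perimeter, office-or-alice and prod-dev-bridge are all assumed for illustration. It runs in dry-run mode by default (printing each gcloud command instead of executing it) and refuses a non-public CIDR for the access level, since access levels match only public address ranges.

```shell
#!/bin/sh
# Added example (not from the VPC Service Controls docs): the configuration
# stages plus a perimeter bridge, driven through gcloud. Every identifier
# below is an assumption for illustration. DRY_RUN=1 (the default) prints
# each gcloud command; set DRY_RUN=0 to apply. Perimeter --resources take
# project NUMBERS, not project IDs.
set -eu

ORG_ID="${ORG_ID:-123456789012}"
PROJECT_NUMBER="${PROJECT_NUMBER:-111111111111}"
SECOND_PROJECT_NUMBER="${SECOND_PROJECT_NUMBER:-222222222222}"
SUBNET="${SUBNET:-prod-subnet}"
REGION="${REGION:-us-central1}"
ALLOWED_CIDR="${ALLOWED_CIDR:-203.0.113.0/24}"   # assumed office/VPN egress range
ALLOWED_USER="${ALLOWED_USER:-user:alice@example.com}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Access levels match on public CIDR blocks; a private range never matches the
# source address seen by Google's front end, so reject it before creating the
# level. Rejects IPv4 RFC 1918, loopback, link-local and 0/8, and IPv6
# unique-local (fc00::/7), link-local (fe80::/10), loopback and unspecified.
is_public_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;   # must carry a prefix length
  esac
  case "$1" in
    10.*|127.*|169.254.*|192.168.*|0.*) return 1 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    [fF][cCdD]*|[fF][eE][89aAbB]*|::1/*|::/*) return 1 ;;
  esac
  return 0
}

# Basic access-level spec with two conditions. Conditions are OR'd by default,
# so a request is admitted if it comes from ALLOWED_CIDR or from ALLOWED_USER
# (the latter from any address, which is the trade-off noted in the text).
write_level_spec() {
  cat >"$1" <<EOF
- ipSubnetworks:
  - $ALLOWED_CIDR
- members:
  - $ALLOWED_USER
EOF
}

main() {
  is_public_cidr "$ALLOWED_CIDR" || { echo "refusing non-public CIDR: $ALLOWED_CIDR" >&2; exit 1; }
  spec="$(mktemp)"
  trap 'rm -f "$spec"' EXIT

  # 1. Access policy: one per organization (the create fails if one already
  #    exists; drop that line and keep the lookup in that case).
  run gcloud access-context-manager policies create \
    --organization="$ORG_ID" --title="org-access-policy"
  if [ "$DRY_RUN" = "1" ]; then
    policy="POLICY_ID"
  else
    policy="$(gcloud access-context-manager policies list \
      --organization="$ORG_ID" --format='value(name)')"
  fi

  # 2. Regular perimeter around the first project, protecting Storage and BigQuery.
  run gcloud access-context-manager perimeters create prod-perimeter \
    --title="prod-perimeter" --perimeter-type=regular \
    --resources="projects/$PROJECT_NUMBER" \
    --restricted-services="storage.googleapis.com,bigquery.googleapis.com" \
    --policy="$policy"

  # 3. (optional) Private Google Access on the subnet.
  run gcloud compute networks subnets update "$SUBNET" --region="$REGION" \
    --enable-private-ip-google-access

  # 4. (optional) Access level for callers outside the perimeter, then attach it.
  write_level_spec "$spec"
  run gcloud access-context-manager levels create office-or-alice \
    --title="office-or-alice" --basic-level-spec="$spec" --policy="$policy"
  run gcloud access-context-manager perimeters update prod-perimeter \
    --add-access-levels=office-or-alice --policy="$policy"

  # 5. A second project lives in its own perimeter; a bridge lets the two
  #    projects reach each other's protected services.
  run gcloud access-context-manager perimeters create dev-perimeter \
    --title="dev-perimeter" --perimeter-type=regular \
    --resources="projects/$SECOND_PROJECT_NUMBER" \
    --restricted-services="storage.googleapis.com" --policy="$policy"
  run gcloud access-context-manager perimeters create prod-dev-bridge \
    --title="prod-dev-bridge" --perimeter-type=bridge \
    --resources="projects/$PROJECT_NUMBER,projects/$SECOND_PROJECT_NUMBER" \
    --policy="$policy"
}

main
```

Run it once as-is to review the command sequence, then rerun with DRY_RUN=0 once the assumed values have been replaced with yours. The access-level spec is written as two separate conditions on purpose: putting the CIDR and the member in one condition would require both to hold for a request to match.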