Service perimeter details and configuration

This page describes service perimeters and includes the high-level steps for configuring perimeters.

About service perimeters

This section provides details about the way service perimeters function, and the differences between enforced and dry run perimeters.

You can specify service perimeters at an organization level to protect Google Cloud services in your projects and mitigate the risk of data exfiltration. For more information about the benefits of service perimeters, see Overview of VPC Service Controls.

Also, the services that are accessible inside a perimeter, such as from VMs in a VPC network that is hosted inside a perimeter, can be restricted using the VPC accessible services feature.

You can configure VPC Service Controls perimeters in enforced or dry run mode. The same configuration steps apply to both enforced and dry run perimeters. The difference is that dry run perimeters do not prevent access to restricted services, only log violations as though the perimeters were enforced.

Enforced mode

Enforced mode is the default mode for service perimeters. When a service perimeter is enforced, requests that violate the perimeter policy, such as requests to restricted services from outside a perimeter, are denied.

A perimeter in enforced mode protects Google Cloud resources by enforcing the perimeter boundary for the services restricted in the perimeter configuration. API requests to restricted services do not cross the perimeter boundary unless the conditions of the necessary ingress and egress rules of the perimeter are satisfied. An enforced perimeter protects against data exfiltration risks, such as stolen credentials, misconfigured permissions, or malicious insiders that have access to the projects.

Dry run mode

In dry run mode, requests that violate the perimeter policy are not denied but only logged. Dry run service perimeters are used to test perimeter configuration and to monitor usage of services without preventing access to resources. The following are some of the common use cases:

  • Determining the impact when you change existing service perimeters.

  • Previewing the impact when you add new service perimeters.

  • Monitoring requests to restricted services that originate from outside a service perimeter. For example, to identify from where requests to a given service are coming from or to identify unexpected service usage in your organization.

  • Creating a perimeter architecture in your development environment that is analogous to your production environment. You can identify and mitigate any issues caused by your service perimeters before submitting changes to your production environment.

For more information, see Dry run mode.

Service perimeter configuration stages

VPC Service Controls can be configured using the Google Cloud Console, the gcloud command-line tool, and the Access Context Manager APIs.

You can configure VPC Service Controls as described in the following high-level steps:

  1. If you want to use the gcloud command-line tool or the Access Context Manager APIs to create your service perimeters, create an access policy.

  2. Secure the gcloud command-line tool resources with service perimeters.

  3. Set up VPC accessible services to add additional restrictions to how services can be used inside your perimeters (optional).

  4. Set up private connectivity from a VPC network (optional).

  5. Allow context-aware access from outside a service perimeter using ingress rules (optional).

  6. Configure secure data exchange using ingress and egress rules (optional).

Create an access policy

An access policy collects the service perimeters and access levels you create for your Organization. An Organization can only have one access policy.

When service perimeters are created and managed using the VPC Service Controls page of the Cloud Console, you do not need to create an access policy.

However, when using the gcloud command-line tool or the Access Context Manager APIs to create and configure your service perimeters, you must first create an access policy.

To learn more about Access Context Manager and access policies, read the overview of Access Context Manager.

Secure Google Cloud resources with service perimeters

Service perimeters are used to protect services used by projects in your Organization. After identifying the projects and services you want to protect, create one or more service perimeters.

To learn more about how service perimeters work and what services VPC Service Controls can be used to secure, read the Overview of VPC Service Controls.

Some services have limitations with how they can be used with VPC Service Controls. If you encounter issues with your projects after setting up your service perimeters, read Troubleshooting.

Set up VPC accessible services

When you enable VPC accessible services for a perimeter, access from network endpoints inside your perimeter is limited to a set of services that you specify.

To learn more about how to limit access inside your perimeter to only a specific set of services, read about VPC accessible services.

Set up private connectivity from a VPC network

To provide additional security for VPC networks and on-premises hosts that are protected by a service perimeter, we recommend using Private Google Access. For more information, see private connectivity from on-premises networks.

To learn about configuring private connectivity, read Setting up private connectivity to Google APIs and services.

Restricting access to Google Cloud resources to only private access from VPC networks means that access using interfaces such as the Cloud Console and the Cloud Monitoring console are denied. You can continue to use the gcloud command-line tool or API clients from VPC networks that share a service perimeter or perimeter bridge with the restricted resources.

Allow context-aware access from outside a service perimeter using ingress rules

You can allow context-aware access to resources restricted by a perimeter based on client attributes, such as identity type (service account or user), identity, device data, and network origin (IP address or VPC network).

For example, you can set up ingress rules to allow internet access to resources within a perimeter based on the range of IPv4 and IPv6 addresses. For more information about using ingress rules to set up context-aware access, see Context-aware access.

Configure secure data exchange using ingress and egress rules

You can include your project only in one service perimeter. If you want to allow communication across the perimeter boundary, set up ingress and egress rules. For example, you can specify ingress and egress rules to let projects from multiple perimeters to share logs in a separate perimeter. To learn more about secure data exchange use cases, read secure data exchange.