Allow access to protected resources from outside a perimeter

To grant controlled access to protected Google Cloud resources in service perimeters from outside a perimeter, use access levels.

An access level defines a set of attributes that a request must meet for the request to be honored. Access levels can include various criteria, such as IP address and user identity.

For a detailed overview of access levels, read the Access Context Manager overview.

Limitations of using access levels with VPC Service Controls

When using access levels with VPC Service Controls, certain limitations apply:

  • Access levels only allow requests from outside a perimeter for the resources of a protected service inside a perimeter.

    You cannot use access levels to allow requests from a protected resource inside a perimeter to resources outside the perimeter. For example, a Compute Engine client within a service perimeter calling a Compute Engine create operation where the image resource is outside the perimeter. To allow access from a protected resource inside a perimeter to resources outside the perimeter, use an egress policy.

  • Even though access levels are used to allow requests from outside a service perimeter, you cannot use access levels to allow requests from another perimeter to a protected resource in your perimeter. To allow requests from another perimeter to protected resources in your perimeter, the other perimeter must use an egress policy. For more information, read about requests between perimeters.

  • You can only use public IP address ranges in the access levels for IP-based allowlists. You cannot include an internal IP address in these allowlists. Internal IP addresses are associated with a VPC network, and VPC networks must be referenced by their containing project using an ingress or egress rule, or a service perimeter.

Create and manage access levels

Access levels are created and managed using Access Context Manager.

Create an access level

To create an access level, read about creating an access level in the Access Context Manager documentation.

The following examples explain how to create an access level using different conditions:

Add access levels to service perimeters

You can add access levels to a service perimeter when creating the perimeter, or to an existing perimeter:

Manage access levels

For information about listing, modifying, and deleting existing access levels, read Managing access levels.

What's next