VPC accessible services

To define the services that can be accessed from a network inside your service perimeter, use the VPC accessible services feature. The VPC accessible services feature limits the set of services that are accessible from network endpoints inside your service perimeter.

The VPC accessible services feature applies only to traffic from your VPC network endpoints to Google APIs. Unlike service perimeters, the VPC accessible services feature does not apply to the communication from one Google API to another, or the networks of tenancy units, which are used to implement certain Google Cloud services.

When configuring VPC accessible services for a perimeter, you can specify a list of individual services, as well as include the RESTRICTED-SERVICES value, which automatically includes all of the services protected by the perimeter.

To ensure access to the expected services is fully limited, you must:

  • Configure the perimeter to protect the same set of services that you want to make accessible.

  • Configure VPCs in the perimeter to use the restricted VIP.

  • Use layer 3 firewalls.

Example: VPC network with Cloud Storage access only

Assume you have a service perimeter, my-authorized-perimeter, that includes two projects: my-authorized-compute-project and my-authorized-gcs-project. The perimeter protects the Cloud Storage service.

my-authorized-gcs-project uses a number of services, including Cloud Storage, Bigtable, and others. my-authorized-compute-project hosts a VPC network.

Because the two projects share a perimeter, the VPC network in my-authorized-compute-project has access to the resources of services in my-authorized-gcs-project, regardless of whether the perimeter protects those services. However, you want your VPC network to only have access to Cloud Storage resources in my-authorized-gcs-project.

You are concerned that if the credentials for a VM in your VPC network are stolen, an adversary could leverage that VM to exfiltrate data from any available service in my-authorized-gcs-project.

You have already configured your VPC network to use the restricted VIP, which limits access from your VPC network only to APIs that are supported by VPC Service Controls. Unfortunately, that doesn't prevent your VPC network from accessing supported services, such as the Bigtable resources in my-authorized-gcs-project.

To limit the VPC network's access to only the storage service, you enable VPC accessible services and set storage.googleapis.com as an allowed service:

gcloud access-context-manager perimeters update my-authorized-perimeter \
  --enable-vpc-accessible-services \
  --add-vpc-allowed-services=storage.googleapis.com

Success! The VPC network in my-authorized-compute-project is now limited to accessing only resources for the Cloud Storage service. This restriction also applies to any projects and VPC networks you later add to the perimeter.

What's next?