To define the services that can be accessed from a network inside your service perimeter, use the VPC accessible services feature. The VPC accessible services feature limits the set of services that are accessible from network endpoints inside your service perimeter.
The VPC accessible services feature applies only to traffic from your VPC network endpoints to Google APIs. Unlike service perimeters, the VPC accessible services feature does not apply to the communication from one Google API to another, or the networks of tenancy units, which are used to implement certain Google Cloud services.
When configuring VPC accessible services for a perimeter, you can specify a list of individual services, as well as include the RESTRICTED-SERVICES value, which automatically includes all of the services protected by the perimeter.
To ensure access to the expected services is fully limited, you must:
Configure the perimeter to protect the same set of services that you want to make accessible.
Configure VPCs in the perimeter to use the restricted VIP.
Use layer 3 firewalls.
Example: VPC network with Cloud Storage access only
Assume you have a service perimeter, my-authorized-perimeter, that includes two projects: my-authorized-compute-project and my-authorized-gcs-project.
The perimeter protects the Cloud Storage service.
my-authorized-gcs-project uses a number of services, including Cloud Storage, Bigtable, and others. my-authorized-compute-project hosts a VPC network.
Because the two projects share a perimeter, the VPC network in my-authorized-compute-project has access to the resources of services in my-authorized-gcs-project, regardless of whether the perimeter protects those services. However, you want your VPC network to only have access to Cloud Storage resources in my-authorized-gcs-project.
You are concerned that if the credentials for a VM in your VPC network are stolen, an adversary could leverage that VM to exfiltrate data from any available service in my-authorized-gcs-project.
You have already configured your VPC network to use the restricted VIP, which limits access from your VPC network only to APIs that are supported by VPC Service Controls. Unfortunately, that doesn't prevent your VPC network from accessing supported services, such as the Bigtable resources in my-authorized-gcs-project.
To limit the VPC network's access to only the storage service, you enable VPC accessible services and set storage.googleapis.com as an allowed service:
gcloud access-context-manager perimeters update my-authorized-perimeter \
--enable-vpc-accessible-services \
--add-vpc-allowed-services=storage.googleapis.com
Success! The VPC network in my-authorized-compute-project is now limited to accessing only resources for the Cloud Storage service. This restriction also applies to any projects and VPC networks you later add to the perimeter.
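The following check is an added example, not part of this page or of Google's tooling: it takes a perimeter configuration in the shape of the Access Context Manager ServicePerimeterConfig (the restrictedServices and vpcAccessibleServices field names are assumed from that API, not from this page), computes which APIs VPC endpoints can actually reach after RESTRICTED-SERVICES is expanded, and flags the two states in which access is not fully limited: the feature being off, and an allowed service that the perimeter does not protect. Both sample perimeters are constructed to match the example above.

```python
from typing import Dict, List, Set

RESTRICTED_SERVICES = "RESTRICTED-SERVICES"  # alias that expands to every protected service

# Constructed sample: the my-authorized-perimeter example, using the
# ServicePerimeterConfig field names (restrictedServices, vpcAccessibleServices)
# that the Access Context Manager API uses (assumed, not taken from the page).
PERIMETER_OK: Dict = {
    "name": "my-authorized-perimeter",
    "restrictedServices": ["storage.googleapis.com"],
    "vpcAccessibleServices": {"enableRestriction": True,
                              "allowedServices": ["storage.googleapis.com"]},
}

# Constructed counter-example: Bigtable is reachable from the VPC but not protected.
PERIMETER_GAP: Dict = {
    "name": "my-authorized-perimeter",
    "restrictedServices": ["storage.googleapis.com"],
    "vpcAccessibleServices": {"enableRestriction": True,
                              "allowedServices": [RESTRICTED_SERVICES, "bigtable.googleapis.com"]},
}

def effective_vpc_services(perimeter: Dict) -> Set[str]:
    """Services reachable from VPC endpoints in the perimeter, per the rules above.

    Feature off: everything is reachable (returned as the wildcard "*").
    Feature on: only the allowed list, with RESTRICTED-SERVICES expanding to
    every service in restrictedServices.
    """
    vas = perimeter.get("vpcAccessibleServices") or {}
    if not vas.get("enableRestriction"):
        return {"*"}
    protected = set(perimeter.get("restrictedServices", []))
    reachable: Set[str] = set()
    for svc in vas.get("allowedServices", []):
        reachable |= protected if svc == RESTRICTED_SERVICES else {svc}
    return reachable

def lint_perimeter(perimeter: Dict) -> List[str]:
    """Flag the states in which VPC access is not fully limited."""
    reachable = effective_vpc_services(perimeter)
    if reachable == {"*"}:
        return ["enableRestriction is off: VPC endpoints can reach every API"]
    protected = set(perimeter.get("restrictedServices", []))
    # An allowed service the perimeter does not protect is reachable from the VPC
    # without the perimeter's controls, so the first requirement above is not met.
    return [f"{svc} is VPC-accessible but not in restrictedServices"
            for svc in sorted(reachable - protected)]
```

Feed it the JSON from `gcloud access-context-manager perimeters describe` and an empty finding list means the allowed set and the protected set agree.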