Prevent data exfiltration by creating isolation perimeters around your cloud resources, sensitive data, and networks.
Mitigate exfiltration risks by isolating multi-tenant services
Ensure sensitive data can only be accessed from authorized networks
Restrict resource access to allowed IP addresses, identities, and trusted client devices
Control which Google Cloud services are accessible from a VPC network
Benefits
Mitigate data exfiltration risks
Enforce a security perimeter with VPC Service Controls to isolate resources of multi-tenant Google Cloud services—reducing the risk of data exfiltration or data breach.
Keep data private inside the VPC
Configure private communication between cloud resources from VPC networks spanning cloud and on-premises hybrid deployments. Take advantage of fully managed tools like Cloud Storage, Bigtable, and BigQuery.
Deliver independent data access controls
VPC Service Controls delivers an extra layer of control with a defense-in-depth approach for multi-tenant services that helps protect service access from both insider and outsider threats.
Key features
With VPC Service Controls, enterprise security teams can define fine-grained perimeter controls and enforce that security posture across numerous Google Cloud services and projects. Users have the flexibility to create, update, and delete resources within service perimeters so they can easily scale their security controls.
VPC Service Controls enables a context-aware access approach of control for your cloud resources. Enterprises can create granular access control policies in Google Cloud based on attributes like user identity and IP address. These policies help ensure the appropriate security controls are in place when granting access to cloud resources from the internet.
Users can define a security perimeter around Google Cloud resources, such as Cloud Storage buckets, Bigtable instances, and BigQuery datasets to constrain data within a VPC and control the flow of data. With VPC Service Controls, enterprises can keep their sensitive data private as they take advantage of the fully managed storage and data processing capabilities of Google Cloud.
What's new
Sign up for Google Cloud newsletters to receive product updates, event information, special offers, and more.
Documentation
Explore a table of products and services that are supported by VPC Service Controls, as well as a list of known limitations with certain services and interfaces.
Learn all about service perimeters, including how they function, how to configure them, and the difference between enforced and dry run perimeters.
Find out how to create a service perimeter, including how to include projects and protect services.
See how to use VPC Service Controls to control access to Google APIs and services from hosts that use private IP addresses.
Learn how to configure DNS entries for using Container Registry with a Google Kubernetes Engine private cluster and VPC Service Controls.
Uncover the Cloud Identity and Access Management (Cloud IAM) roles required to configure VPC Service Controls.
Find an overview of VPC Service Controls along with a detailed guide covering everything from service perimeter configuration to audit logging.
Learn how to harden data transfers from Amazon Simple Storage Service to Cloud Storage using Storage Transfer Service with a VPC Service Controls perimeter.
Use a next generation firewall to reduce your threat footprint by centralizing management and extending security policies and controls to users, apps, and devices.
Use cases
VPC Service Controls allow customers to address threats such as data theft, accidental data loss, and excessive access to data stored in Google Cloud multi-tenant services. It enables clients to tightly control what entities can access what services in order to reduce both intentional and unintentional losses.
VPC Service Controls delivers a method to segment the multi-tenant services environment and isolate services and data. It enables environment micro-segmentation based on service and identity. Service Controls enables clients to extend their networks to include multi-tenant Google Cloud services and control egress and ingress of data.
VPC Service Controls delivers zero-trust style access to multi-tenant services. Clients can restrict access to authorized IPs, client context, and device parameters while connecting to multi-tenant services from the internet and other services. Examples include GKE and BigQuery. It enables clients to keep their entire data processing pipeline private.
All features
Coverage of services | VPC SC offers broad coverage of internet to service, service to service, VPC to service access controls. |
Rich security logging | Maintain an ongoing log of access denials to spot potential malicious activity on Google Cloud resources. Flow logs capture information about the IP traffic going to and from network interfaces on Compute Engine. The logs provide near real-time visibility. |
Support for hybrid environments | Configure private communication to cloud resources from VPC networks that span cloud and on-premises hybrid deployments using Private Google Access. |
Secure communication | Securely share data across service perimeters with full control over what resource can connect to others or to the outside. |
Context-aware access | Control access to Google Cloud services from the internet based on context-aware access attributes like IP address and a user’s identity. |
Perimeter security for managed Google Cloud services | Configure service perimeters to control communications between virtual machines and managed Google Cloud resources. Service perimeters allow free communication within the zone and block all service communication outside the perimeter. |
Pricing
There is no separate charge for using VPC Service Controls.
Start building on Google Cloud with $300 in free credits and 20+ always free products.