VPC Service Controls
Isolate resources of multi-tenant Google Cloud services to mitigate data exfiltration risks.Try it free
Mitigate exfiltration risks by isolating multi-tenant services
Ensure sensitive data can only be accessed from authorized networks
Restrict resource access to allowed IP addresses, identities, and trusted client devices
Control which Google Cloud services are accessible from a VPC network
Mitigate data exfiltration risks
Enforce a security perimeter with VPC Service Controls to isolate resources of multi-tenant Google Cloud services—reducing the risk of data exfiltration or data breach.
Keep data private inside the VPC
Configure private communication between cloud resources from VPC networks spanning cloud and on-premises hybrid deployments. Take advantage of fully managed tools like Cloud Storage, Bigtable, and BigQuery.
Deliver independent data access controls
VPC Service Controls delivers an extra layer of control with a defense-in-depth approach for multi-tenant services that helps protect service access from both insider and outsider threats.
Centrally manage multi-tenant service access at scale
With VPC Service Controls, enterprise security teams can define fine-grained perimeter controls and enforce that security posture across numerous Google Cloud services and projects. Users have the flexibility to create, update, and delete resources within service perimeters so they can easily scale their security controls.
Identity and context help securely access multi-tenant services
VPC Service Controls enables a context-aware access approach of control for your cloud resources. Enterprises can create granular access control policies in Google Cloud based on attributes like user identity and IP address. These policies help ensure the appropriate security controls are in place when granting access to cloud resources from the internet.
Establish virtual security perimeters for API-based services
Users can define a security perimeter around Google Cloud resources such as Cloud Storage buckets, Bigtable instances, and BigQuery datasets to constrain data within a VPC and control the flow of data. With VPC Service Controls, enterprises can keep their sensitive data private as they take advantage of the fully managed storage and data processing capabilities of Google Cloud.
Supported products and limitations
Explore a table of products and services that are supported by VPC Service Controls, as well as a list of known limitations with certain services and interfaces.
Service perimeter details and configuration
Learn all about service perimeters, including how they function, how to configure them, and the difference between enforced and dry run perimeters.
Creating a service perimeter
Find out how to create a service perimeter, including how to include projects and protect services.
Setting up private connectivity to Google APIs and services
See how to use VPC Service Controls to control access to Google APIs and services from hosts that use private IP addresses.
Setting up Container Registry for GKE private clusters
Walk through the process of configuring DNS entries for using Container Registry with a Google Kubernetes Engine private cluster and VPC Service Controls.
Cloud IAM Roles for administering VPC Service Controls
Uncover the Cloud Identity and Access Management (Cloud IAM) roles required to configure VPC Service Controls.
Find an overview of VPC Service Controls along with a detailed walkthrough covering everything from service perimeter configuration to audit logging.
Transferring data from Amazon S3 to Cloud Storage
Learn how to harden data transfers from Amazon Simple Storage Service to Cloud Storage using Storage Transfer Service with a VPC Service Controls perimeter.
Threat and data-theft prevention policies with VM-Series
Use a virtual machine to instill app-based policies that reduce your threat footprint by applying threat and data-theft prevention policies to your allowed traffic.
VPC Service Controls allow customers to address threats such as data theft, accidental data loss, and excessive access to data stored in Google Cloud multi-tenant services. It enables clients to tightly control what entities can access what services in order to reduce both intentional and unintentional losses.
VPC Service Controls delivers a method to segment the multi-tenant services environment and isolate services and data. It enables environment micro-segmentation based on service and identity. Service Controls enables clients to extend their networks to include multi-tenant Google Cloud services and control egress and ingress of data.
VPC Service Controls delivers zero-trust style access to multi-tenant services. Clients can restrict access to authorized IPs, client context, and device parameters while connecting to multi-tenant services from the internet and other services. Examples include GKE, BigQuery, etc. It enables clients to keep their entire data processing pipeline private.
|Coverage of services||VPC SC offers broad coverage of internet to service, service to service, VPC to service access controls.|
|Rich security logging||Maintain an ongoing log of access denials to spot potential malicious activity on Google Cloud resources. Flow logs capture information about the IP traffic going to and from network interfaces on Compute Engine. The logs provide near real-time visibility.|
|Support for hybrid environments||Configure private communication to cloud resources from VPC networks that span cloud and on-premises hybrid deployments using Private Google Access.|
|Secure communication||Securely share data across service perimeters with full control over what resource can connect to others or to the outside.|
|Context-aware access||Control access to Google Cloud services from the internet based on context-aware access attributes like IP address and a user’s identity.|
|Perimeter security for managed Google Cloud services||Configure service perimeters to control communications between virtual machines and managed Google Cloud resources. Service perimeters allow free communication within the zone and block all service communication outside the perimeter.|