VPC Service Controls

Isolate resources of multi-tenant Google Cloud services to mitigate data exfiltration risks.

Try it free
  • action/check_circle_24px Created with Sketch.

    Mitigate exfiltration risks by isolating multi-tenant services

  • action/check_circle_24px Created with Sketch.

    Ensure sensitive data can only be accessed from authorized networks

  • action/check_circle_24px Created with Sketch.

    Restrict resource access to allowed IP addresses, identities, and trusted client devices

  • action/check_circle_24px Created with Sketch.

    Control which Google Cloud services are accessible from a VPC network

Benefits

Mitigate data exfiltration risks

Enforce a security perimeter with VPC Service Controls to isolate resources of multi-tenant Google Cloud services—reducing the risk of data exfiltration or data breach.

Keep data private inside the VPC

Configure private communication between cloud resources from VPC networks spanning cloud and on-premises hybrid deployments. Take advantage of fully managed tools like Cloud Storage, Bigtable, and BigQuery.

Deliver independent data access controls

VPC Service Controls delivers an extra layer of control with a defense-in-depth approach for multi-tenant services that helps protect service access from both insider and outsider threats.

Key features

Key features

Centrally manage multi-tenant service access at scale

With VPC Service Controls, enterprise security teams can define fine-grained perimeter controls and enforce that security posture across numerous Google Cloud services and projects. Users have the flexibility to create, update, and delete resources within service perimeters so they can easily scale their security controls.

Identity and context help securely access multi-tenant services

VPC Service Controls enables a context-aware access approach of control for your cloud resources. Enterprises can create granular access control policies in Google Cloud based on attributes like user identity and IP address. These policies help ensure the appropriate security controls are in place when granting access to cloud resources from the internet.

Establish virtual security perimeters for API-based services

Users can define a security perimeter around Google Cloud resources such as Cloud Storage buckets, Bigtable instances, and BigQuery datasets to constrain data within a VPC and control the flow of data. With VPC Service Controls, enterprises can keep their sensitive data private as they take advantage of the fully managed storage and data processing capabilities of Google Cloud.

View all features

Documentation

Documentation

Best Practice
Supported products and limitations

Explore a table of products and services that are supported by VPC Service Controls, as well as a list of known limitations with certain services and interfaces.

Best Practice
Service perimeter details and configuration

Learn all about service perimeters, including how they function, how to configure them, and the difference between enforced and dry run perimeters.

Best Practice
Creating a service perimeter

Find out how to create a service perimeter, including how to include projects and protect services.

Best Practice
Setting up private connectivity to Google APIs and services

See how to use VPC Service Controls to control access to Google APIs and services from hosts that use private IP addresses.

Best Practice
Setting up Container Registry for GKE private clusters

Walk through the process of configuring DNS entries for using Container Registry with a Google Kubernetes Engine private cluster and VPC Service Controls.

Best Practice
Cloud IAM Roles for administering VPC Service Controls

Uncover the Cloud Identity and Access Management (Cloud IAM) roles required to configure VPC Service Controls.

Google Cloud Basics
Concepts

Find an overview of VPC Service Controls along with a detailed walkthrough covering everything from service perimeter configuration to audit logging.

Architecture
Transferring data from Amazon S3 to Cloud Storage

Learn how to harden data transfers from Amazon Simple Storage Service to Cloud Storage using Storage Transfer Service with a VPC Service Controls perimeter.

Architecture
Threat and data-theft prevention policies with VM-Series

Use a virtual machine to instill app-based policies that reduce your threat footprint by applying threat and data-theft prevention policies to your allowed traffic.

Use cases

Use cases

Use case
Mitigate threats such as data exfiltration

VPC Service Controls allow customers to address threats such as data theft, accidental data loss, and excessive access to data stored in Google Cloud multi-tenant services. It enables clients to tightly control what entities can access what services in order to reduce both intentional and unintentional losses.

Use case
Isolate parts of the environment by trust level

VPC Service Controls delivers a method to segment the multi-tenant services environment and isolate services and data. It enables environment micro-segmentation based on service and identity. Service Controls enables clients to extend their networks to include multi-tenant Google Cloud services and control egress and ingress of data.

Use case
Secure access to multi-tenant services

VPC Service Controls delivers zero-trust style access to multi-tenant services. Clients can restrict access to authorized IPs, client context, and device parameters while connecting to multi-tenant services from the internet and other services. Examples include GKE, BigQuery, etc. It enables clients to keep their entire data processing pipeline private.

All features

All features

Coverage of services VPC SC offers broad coverage of internet to service, service to service, VPC to service access controls.
Rich security logging Maintain an ongoing log of access denials to spot potential malicious activity on Google Cloud resources. Flow logs capture information about the IP traffic going to and from network interfaces on Compute Engine. The logs provide near real-time visibility.
Support for hybrid environments Configure private communication to cloud resources from VPC networks that span cloud and on-premises hybrid deployments using Private Google Access.
Secure communication Securely share data across service perimeters with full control over what resource can connect to others or to the outside.
Context-aware access Control access to Google Cloud services from the internet based on context-aware access attributes like IP address and a user’s identity.
Perimeter security for managed Google Cloud services Configure service perimeters to control communications between virtual machines and managed Google Cloud resources. Service perimeters allow free communication within the zone and block all service communication outside the perimeter.

Pricing

Pricing

There is no separate charge for using VPC Service Controls.