Configure VPC Service Controls and private clusters

This page describes how VPC Service Controls and private clusters work and how to set them up in Cloud Workstations.

VPC Service Controls

VPC Service Controls provides additional security for your workstations to help mitigate the risk of data exfiltration. Using VPC Service Controls, you can add projects to service perimeters that can help protect resources and services from requests that originate outside the perimeter.

These are the requirements for using Cloud Workstations in a VPC service perimeter:

  • To help protect Cloud Workstations, you must restrict the Compute Engine API in your service perimeter whenever you restrict the Cloud Workstations API.
  • Make sure that the Cloud Storage API, Container Registry API, and Artifact Registry API are VPC accessible in your service perimeter. This is needed to pull images onto your workstation. We also recommend that you allow the Cloud Logging API and Error Reporting API to be VPC accessible in your service perimeter, although this is not required to use Cloud Workstations.

  • Make sure that your workstation cluster is private. Configuring a private cluster prevents connections to your workstations from outside your VPC service perimeter. The Cloud Workstations service prevents the creation of public clusters in a VPC service perimeter.
  • Make sure that you turn off public IP addresses in your workstation configuration. Failing to do so results in VMs with public IP addresses in your project. We strongly recommend that you use the constraints/compute.vmExternalIpAccess organization policy constraint to turn off public IP addresses for all VMs in your VPC service perimeter. For details, see Restricting external IP addresses to specific VMs.

To learn more about service perimeters, see Service perimeter details and configuration.
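The requirements above are easy to get partly right (for example, restricting the Workstations API but not Compute Engine). The following added lint function, which is not part of the Cloud Workstations documentation, checks a perimeter description and the cluster and workstation-configuration settings against those requirements; the input dictionary shapes are assumptions for this example, not a Google API schema.

```python
"""Added example: lint VPC Service Controls settings for Cloud Workstations.
The dict shapes below are an assumption for this example, not an API schema."""

WORKSTATIONS = "workstations.googleapis.com"
COMPUTE = "compute.googleapis.com"
# Must be VPC accessible so workstation VMs can pull container images.
IMAGE_PULL_SERVICES = {
    "storage.googleapis.com",
    "containerregistry.googleapis.com",
    "artifactregistry.googleapis.com",
}
# Recommended, but not required, to be VPC accessible.
RECOMMENDED_SERVICES = {"logging.googleapis.com", "clouderrorreporting.googleapis.com"}


def lint_perimeter(perimeter: dict, cluster: dict, config: dict) -> list:
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings; empty means OK.

    perimeter: {"restricted_services": [...], "vpc_accessible_services": [...]}
               vpc_accessible_services=None means the VPC accessible services
               allowlist is not enabled, so every service is reachable.
    cluster:   {"private": bool}
    config:    {"disable_public_ip_addresses": bool}
    """
    findings = []
    restricted = set(perimeter.get("restricted_services", []))
    accessible = perimeter.get("vpc_accessible_services")

    # Requirement 1: restricting Workstations implies restricting Compute Engine.
    if WORKSTATIONS in restricted and COMPUTE not in restricted:
        findings.append("ERROR: compute.googleapis.com must be restricted whenever "
                        "workstations.googleapis.com is restricted")

    # Requirement 2: image-pull services must be VPC accessible (allowlist on).
    if accessible is not None:
        accessible = set(accessible)
        missing = IMAGE_PULL_SERVICES - accessible
        if missing:
            findings.append("ERROR: not VPC accessible, image pulls will fail: "
                            + ", ".join(sorted(missing)))
        for svc in sorted(RECOMMENDED_SERVICES - accessible):
            findings.append(f"WARN: {svc} is not VPC accessible (recommended)")

    # Requirement 3: the cluster must be private inside a perimeter.
    if not cluster.get("private", False):
        findings.append("ERROR: workstation cluster must be private")

    # Requirement 4: no public IPs on workstation VMs.
    if not config.get("disable_public_ip_addresses", False):
        findings.append("ERROR: workstation config allows public IP addresses; "
                        "disable them (see constraints/compute.vmExternalIpAccess)")
    return findings
```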

Architecture

When you configure a workstation cluster as private, the control plane of the workstation cluster only has an internal IP address. This means that clients from the public internet cannot connect to the workstations belonging to the workstation cluster. To use a private cluster, you must manually connect the private cluster to your Virtual Private Cloud (VPC) network through a Private Service Connect endpoint.

Configurations with private clusters require two PSC endpoints:

  • By default, Cloud Workstations creates a separate PSC endpoint to connect the control plane to the workstation VMs.

  • You must create an additional PSC endpoint for private clusters. To connect from your local machine to a workstation in a private cluster, your local machine must be connected to your VPC network. Use Cloud VPN or Cloud Interconnect to connect the external network in which you run your machine to the VPC network.

The following diagram illustrates an example architecture of a private cluster:

Figure 1. Private clusters

Before you begin

Before you begin, make sure that you complete these required setup steps:

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Cloud Workstations API.

  5. Make sure that you have the Cloud Workstations Admin IAM role on the project so that you can create workstation configurations. To check your IAM roles in the Google Cloud console, go to the IAM page.

  6. If the constraints/compute.trustedImageProjects organization policy constraint is enforced, you must add the project that the image comes from to the allowlist:
    • Without nested virtualization, grant your project permission to use Compute Engine VM images from the cos-cloud project.
    • With nested virtualization, grant your project permission to use Compute Engine VM images from the ubuntu-os-gke-cloud project.

    For more information, see Set image access constraints.

  7. Optional: Enable the Container File System API to allow faster workstation startup. For more information, see Reduce workstation startup time with Image streaming.

Create a private cluster

Follow these steps to create a private cluster:

  1. In the Google Cloud console, go to the Cloud Workstations page.

  2. Navigate to the workstation Cluster management page.

  3. Click Create.

  4. Enter the Name and select a Region for your workstation cluster.

  5. In the Networking section, select Networks in this project.

  6. Select a Network and a Subnetwork.

  7. For Gateway type, select Private gateway.

  8. Optional: Specify one or more additional projects that host the Private Service Connect endpoint that enables HTTP access to your private cluster. By default, this endpoint can only be created in the workstation cluster project and VPC network host project (if different). If needed, these projects can also be specified after cluster creation.

  9. Click Create.

Enable private cluster connectivity

Clients cannot connect to workstations in private workstation clusters from the public internet. Clients must be on a network that connects to the workstation cluster using Private Service Connect (PSC). Follow the steps in this section to connect to a workstation:

  1. Create a PSC endpoint that targets your workstation service attachment.

  2. Create a private DNS zone.

  3. Use Cloud DNS to create a DNS record that maps your cluster's hostname to the PSC endpoint.

Create a Private Service Connect endpoint

Follow these steps to create a PSC endpoint:

  1. In the Google Cloud console, go to Private Service Connect.

  2. Click the Connected endpoints tab and then click Connect endpoint.

  3. For Target, select Published service.

  4. In the Target service field, enter the service attachment URI created for the workstation cluster. Find this by navigating to your workstation cluster on the console and looking for the Service attachment URI field under Network settings.

  5. In the Endpoint field, enter an endpoint name.

  6. Select a Network for the endpoint and then select a Subnetwork. This network should be the network that you want to use to connect to your workstations.

  7. Select an IP address for the endpoint.

    If you need a new IP address, select Create IP address:

    1. Enter a Name and optional Description for the IP address.
    2. For a Static IP address, select Assign automatically. For a Custom IP address, select Let me choose and enter the IP address that you want to use.
    3. For Purpose, select Non-shared.
    4. Click Reserve.
  8. Select a Namespace from the drop-down list or create a new namespace. The Region populates based on the selected subnetwork.

  9. Click Add endpoint.

  10. Copy the IP address of the endpoint so that you can use it in the next section to Create a private DNS zone and DNS record.

Create a private DNS zone

Follow these steps to create a private DNS zone for this workstation cluster, with the DNS name set to your clusterHostname (shown on your workstation cluster's page in the console).

  1. In the Google Cloud console, go to the Create a DNS zone page.

  2. For the Zone type, select Private.

  3. Enter a Zone name such as private-workstations-cluster-zone.

  4. Enter a DNS name suffix for the private zone. All records in the zone share this suffix. Set this name to your clusterHostname.

    To find your clusterHostname, navigate to the Cloud Workstations > Cluster management page in the Google Cloud console, and then click your workstation cluster to view the hostname.

  5. Optional: Add a description.

  6. Under Options, select Default (private).

  7. Select the network that you created the PSC endpoint on in the previous section because the IP address is only valid on that network.

  8. Click Create.

For more information about private DNS zones, see the Cloud DNS documentation on how to Create a private zone and Best practices for Cloud DNS private zones.

Create a DNS record

To add a record that maps *.<clusterHostname> to the IP address reserved when you created the Private Service Connect endpoint, follow these steps:

  1. In the Google Cloud console, go to the Cloud DNS zones page.

  2. Click the name of the managed zone that you want to add the record to.

  3. On the Zone details page, click Add Standard.

  4. On the Create record set page, in the DNS name field, enter *.<clusterHostname>.

  5. In the IP Address field, enter the IP address you reserved for your Private Service Connect endpoint in the previous section.

  6. Click Create.

Your VPC network is now connected to the workstation cluster, and you can connect to workstations from that network.
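The console steps in Create a private cluster and in the three sections above can be scripted. The following added script, which is not part of the Cloud Workstations documentation, runs the equivalent gcloud commands; all names, regions, network paths and the service attachment URI are placeholders you supply, the gcloud flag names are assumed to match the current CLI, and with the default DRY_RUN=1 it only prints each command so you can review it before running.

```shell
#!/bin/sh
# Added example, not from the Cloud Workstations docs: gcloud equivalents of the
# console steps. Names, paths and IPs are placeholders; flag names are assumed
# to match current gcloud. DRY_RUN=1 (default) only prints the commands.
set -eu
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Cloud DNS expects fully qualified names; append the trailing dot if missing.
fqdn() {
  case "$1" in *.) printf '%s' "$1" ;; *) printf '%s.' "$1" ;; esac
}

# Refuse anything that is not a dotted-quad IPv4 before it lands in a DNS record.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Private cluster (console: Gateway type = Private gateway). Network and
# subnetwork are full resource paths (projects/.../networks/..., etc.).
create_private_cluster() {
  # $1 cluster name, $2 region, $3 network path, $4 subnetwork path
  run gcloud workstations clusters create "$1" --region="$2" \
    --network="$3" --subnetwork="$4" --enable-private-endpoint
}

# PSC endpoint: reserve an internal IP, then create a forwarding rule that
# targets the cluster's Service attachment URI (shown under Network settings).
create_psc_endpoint() {
  # $1 endpoint name, $2 region, $3 network, $4 subnet, $5 service attachment URI
  run gcloud compute addresses create "$1-ip" --region="$2" --subnet="$4"
  run gcloud compute forwarding-rules create "$1" --region="$2" --network="$3" \
    --address="$1-ip" --target-service-attachment="$5"
}

# Private zone named after clusterHostname, visible only on the endpoint's
# network, plus the wildcard A record *.clusterHostname -> endpoint IP.
create_private_dns() {
  # $1 zone name, $2 clusterHostname, $3 network, $4 endpoint IP
  is_ipv4 "$4" || { echo "not an IPv4 address: $4" >&2; return 1; }
  run gcloud dns managed-zones create "$1" --dns-name="$(fqdn "$2")" \
    --visibility=private --networks="$3" --description="Workstations private cluster"
  run gcloud dns record-sets create "$(fqdn "*.$2")" --zone="$1" \
    --type=A --ttl=300 --rrdatas="$4"
}
```

Pass the network you chose for the PSC endpoint to create_private_dns as well, since the reserved IP address is only valid on that network.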

Enable DNS resolution on-premises

To use the default browser-based editor on your workstation, use a browser from a machine connected to the VPC network. You can use Cloud VPN or Cloud Interconnect to connect from the external network in which you run your browser to the VPC network.

To connect from an external network, you need to configure DNS in the external network. Similar to the preceding steps, you can create a DNS zone for clusterHostname and add a record that maps *.<clusterHostname> to the IP address reserved when you created the Private Service Connect endpoint. Alternatively, you can set up DNS forwarding zones or DNS server policies to allow lookups of DNS names between your on-premises and Google Cloud environments.

You might also need to add *cloudworkstations.dev to your on-premises infrastructure's allowlist.

What's next