Secure And Audit The Google Cloud Platform Perimeter

Restricted IP range

Ferris Argyle
Google Cloud - Community
2 min read · Sep 2, 2018


This article describes how Google Cloud Platform addresses the following traditional perimeter security question described in the concepts article: how do you ensure your users are only communicating with your, or your SaaS provider’s, applications?

Enterprises often secure their own perimeter by only allowing communication with whitelisted IPs; this requires that the IPs be known and limited in number. Google Cloud Platform provides a number of services which support this…

Published IP ranges

Google Cloud publishes its IP ranges.

Limitations

  • This includes all Google Cloud services, so you can’t differentiate between G Suite and App Engine, for instance.
  • You must dynamically update the restricted IP ranges since they change over time.
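The two limitations above are what an allowlist-sync job has to deal with in practice: the feed is a flat list of prefixes, and it drifts. The script below is an added example, not part of the original article; it assumes the published ranges are delivered as a JSON document with a `prefixes` list whose entries carry `ipv4Prefix` or `ipv6Prefix` (the two snapshots embedded here are constructed), checks whether an address falls inside the published set, and computes the prefixes a perimeter allowlist must add and remove when the feed changes.

```python
import ipaddress
import json

# Constructed sample snapshots of a published-ranges feed (made-up
# documentation-range values). Assumption: the real feed is a JSON
# object whose "prefixes" entries carry "ipv4Prefix" or "ipv6Prefix".
SNAPSHOT_OLD = json.dumps({"syncToken": "1", "prefixes": [
    {"ipv4Prefix": "203.0.113.0/24"},
    {"ipv4Prefix": "198.51.100.0/25"},
    {"ipv6Prefix": "2001:db8:1::/48"},
]})
SNAPSHOT_NEW = json.dumps({"syncToken": "2", "prefixes": [
    {"ipv4Prefix": "203.0.113.0/24"},
    {"ipv4Prefix": "192.0.2.0/24"},
    {"ipv6Prefix": "2001:db8:1::/48"},
]})


def load_prefixes(feed_json):
    """Parse a feed document into a set of ip_network objects.

    strict=True rejects malformed entries (host bits set) instead of
    silently widening them, which matters for an allowlist.
    """
    doc = json.loads(feed_json)
    nets = set()
    for entry in doc["prefixes"]:
        cidr = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if cidr:
            nets.add(ipaddress.ip_network(cidr, strict=True))
    return nets


def is_allowed(ip, nets):
    """True if ip falls inside any published prefix (v4 and v6 handled)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def diff_prefixes(old_nets, new_nets):
    """Prefixes the perimeter allowlist must add and remove to track the feed."""
    added = sorted(str(n) for n in new_nets - old_nets)
    removed = sorted(str(n) for n in old_nets - new_nets)
    return added, removed


if __name__ == "__main__":
    old, new = load_prefixes(SNAPSHOT_OLD), load_prefixes(SNAPSHOT_NEW)
    print("203.0.113.7 allowed:", is_allowed("203.0.113.7", new))
    print("add/remove:", diff_prefixes(old, new))
```

Running `diff_prefixes` on each feed refresh and applying the result to the firewall is the "dynamic update" the second limitation calls for; a non-empty `removed` list is also the cue to audit any rule that still references a retired range.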

Single global or regional IP via Google Cloud Load Balancing

Google Cloud Load Balancing supports a single global or regional IP.

Limitations

  • Google Cloud Storage is supported for the XML API only.
  • Without Private Google Access, the reverse proxy routes to App Engine over a public IP, though not over the public internet.

Single IP via reverse proxy such as NGINX

This is similar to Google Cloud Load Balancing in capabilities and limitations.

The following table describes how each of these solution components supports restricted IPs across the representative Google Cloud Platform services described in the concepts article.

B2B SaaS wrinkles

As a SaaS provider, you may be fully bought into Google Cloud Platform’s defense-in-depth capabilities and already taking advantage of them, and so be reluctant to incur the management burden of adding perimeter-defense layers of limited utility, particularly when the primary goal, as with restricted IPs, is to protect your customer’s network from the internet rather than to protect your SaaS applications.

One option in this case is for those customers who require this capability to deploy Google Cloud Load Balancing or a reverse proxy in their own Google Cloud Platform project and route to your SaaS application within the cloud.

What’s next

Read the following to learn more about the solution components described in this article:

Read the following guides to learn about Google Cloud Platform’s capabilities in the following perimeter security areas.


These are my personal writings; the views expressed in these pages are mine alone and not those of my employer, Google.