Simplifying VPC Service Control

Introduction

If we are migrating on-premises infrastructure to the cloud, one of the goals will be to replicate on-premises network based security architecture as we move our data to Google Cloud. To protect our highly sensitive data, we might want to ensure that your resources can only be accessed from trusted networks. Some organizations might allow public access to resources as long as the request originates from a trusted network, which can be identified based on the IP address of the request whereas some organizations will not allow access from the Internet.

VPC service control (VPC-SC) helps mitigate data exfiltration risks in the cloud. It provides organizations flexibility and mechanisms to ensure secure data exchange across organizational boundaries with fine-grained controls.

VPC Service Controls provides an extra layer of security defense for Google Cloud services that is independent of Identity and Access Management (IAM). While IAM enables granular identity-based access control, VPC Service Controls enables broader context-based perimeter security, including controlling data egress or ingress across the perimeter. We recommend using both VPC Service Controls and IAM for defense in depth. IMA and VPC-SC compliments each other and provides an extra layer of defense.

How VPC-SC helps mitigate data exfiltration

Think of VPC-SC as a service level perimeter firewall protecting your services. VPC Service Controls create perimeters across VPC & Projects that protect the resources and data of services that we explicitly specify. It helps to control access between one project to another, between different VPCs. For example, a cloud storage bucket by default can access another cloud storage bucket in another project, and can copy or transfer data. VPC-SC perimeter stops this default access , and only permits if explicitly specified using ingress or egress rules which we will see in detail later .

VPC-SC secures Google Cloud services by defining the following controls:

1. Users within a VPC-SC perimeter that have private access to resources within a project do not have access to unauthorized public or private resources outside the perimeter.
2. Data cannot be copied to unauthorized resources outside the perimeter using service operations such as gsutil cp command.
3. Data exchange between clients and resources separated by perimeters is secured by using ingress and egress rules. It means, users can communicate to resources if they are part of the same project, but if users and resources are part of different projects then explicit ingress and egress rules are to be defined to make communication possible.
4. Internet access to resources within a perimeter is restricted to a range of IPv4 and IPv6 addresses.
5. Context-aware access to resources is based on client attributes, such as identity type (service account or user), identity, device data, and network origin (IP address or VPC network).

Benefits of VPC Service Controls -

1. By allowing private access only from authorized VPC networks, VPC Service Controls helps protect against the risk of data exfiltration presented by clients using stolen service account credentials.
2. VPC Service Controls also prevents copying data to a resource outside the perimeter. VPC Service Controls prevents service operations such as a gsutil cp command copying to a public Cloud Storage bucket or a bq mk command copying to a permanent external BigQuery table.
3. VPC Service Controls provides an extra layer of security by denying access from unauthorized networks, In situations where the data is exposed by misconfigured IAM policies.
4. By Default VPC-SC configuration is managed at the organization level, you can configure access policy and configure VPC Service Controls for the entire Google Cloud organization, or use scoped policies and configure VPC Service Controls for a folder or project in the organization. This provides a greater flexibility in defining perimeter boundaries.

Sample use cases of VPC-SC

1. Diagram shows a service perimeter that allows communication between a VPC project and Cloud Storage bucket inside the perimeter but blocks all communication across the perimeter: means , services within the perimeter can communicate with each other, but can not communicate across the perimeter.

2. Diagram shows a service perimeter that allows access from the internet to protected resources based on the configured access levels, such as IP address . Rest of the access from the Internet is denied.

3. The following diagram shows multiple partner VPC networks outside the perimeter that need to read from a BigQuery resource inside a perimeter.

4. In the below diagram, User is accessing BQ datasets through Looker Dashboard . Default access will be denied . Solution is to create an ingress rule in Project, with source project as project B so that Looker can access BQ dataset.

Deployment example scenario

We will follow below diagram for three test scenarios,

Test scenario -1

As you can see there are two projects, one is dinesh-environment and other is Looker. First, we will see that any file can be copied from cloud storage in dinesh-environment to cloud storage bucket in Project Loker, because there is no restriction yet configured or in other words VPC-SC is not configured yet. This should allow copying files from one bucket to another across projects.

As you can see, copying files from one bucket to another is happening without any restriction. File name is token.txt, you can see file in bucket in project Looker below,

Now, I will configure VPC service control and try to copy the file again, below is the screenshot of VPC-SC configuration.

Step-1 Click create perimeter , name the perimeter you like .

Step-2 Resources to protect, add projects to be protected in the scope.

Step-3 Configure restricted services, in this case I have included Cloud storage, compute and Bigquery APIs.

Step-4 Click on create perimeter. With this step, we have created a perimeter around the project dinesh-environment. Now, we will again try to copy the file from bucket in dinesh-environment to bucket in project Looker and see,

This time, the file will not be copied and gives you an error message “Request is prohibited by policy” as you can see above in the screenshot as well.

Now, that you have created the perimeter to secure access to the project but want this bucket to bucket communication should be allowed. For that, we need to create a egress rule in the perimeter configuration as seen below,

Click perimeter title, then click edit aside to egress rule and then click add rule button.

Click the save button at the end. Now, we have created an egress rule which should allow the bucket in the dinesh-environment project to communicate with the bucket in the Looker project. Try the same copy command and see the result.

As you can see that file is copied and communication is happening after creating the egress rule.

Test scenario -2:

With Perimeter created in the dinesh-environment project, no one should be able to access Bigquery and create a dataset/table.

Now, try creating a dataset in the bigquery and see the result?

As you can see, you get an error message “VPC service control is prohibited by policy” , and this is what we expected . This is happening because we have not given permission or not configured the access level where you can permit IP addresses for example to access services in the perimeter. Now, let’s do that. I am going to permit my laptop IP address in the access level and see if I can create Bigquery dataset/table.

To check the ip address of the laptop, there are many ways you can do that.

One way is, go to whatismyipaddress.com and note down your laptop IP address.

How to create access level,

Step-1 Go to Access context manager , click create access level, give it any name,and add your Laptop IP address. See below the screenshot,

Now, click save .

Step-2 Now, again go to VPC service control, click on the perimeter you created earlier. Click the edit button besides Access level.

Select the access level you create in step -1.

Step-3 Now, create Dataset or table in bigquery, it will allow from your laptop as access level is configured for trusted IP .

Test scenario — 3

Step-1 Now, go to compute and try to create a VM instance and see. you should be able to create new instances. It is happening because my laptop IP address is added as trusted IP in the test scenario -2 so due to the allowed access level we are able to create an instance.

Step-2 Now, go ahead and un-check the box of the access level.

Step-3 Create a new instance and see the result. You will get an error message and would not be able to create instance because of Perimeter security.

I hope you find this blog useful, you can follow step by step to create scenarios given here. In summary, VPC-SC is a very robust security mechanism to secure VPC , prevent data exfiltration threats and allow only trusted IPs or networks or projects.

Disclaimer: This is to inform readers that the views, thoughts, and opinions expressed in the text belong solely to the author, and not necessarily to the author’s employer, organization, committee or other group or individual.