VPC Service Controls — Secured Data Sharing

Prakash Singh
KPMG UK Engineering
3 min read · Mar 28, 2022

There are two aspects to securing resources and data in Google Cloud Platform: role-based security controls using Cloud IAM, and context-based security controls using VPC Service Controls.

The first (IAM) secures information by stopping unauthorised users from accessing resources. The second (VPC Service Controls) creates a perimeter around projects and resources and blocks any API-based request (for example, to storage.googleapis.com) that would cross that perimeter boundary, while services inside the perimeter can still communicate with each other service-to-service.

Supported GCP Products

Most data-related GCP services can be protected by a VPC Service Controls perimeter.

Some of them are Storage Buckets, Cloud SQL, BigQuery, Bigdata, Apigee, Anthos, Cloud Run and many more.

You can find the whole list of supported products below:

Pre-requisite — Roles Required

VPC Service Controls perimeters are managed at the organisation level.

The following predefined IAM roles can be granted according to the user's job role:

Access Context Manager Admin (roles/accesscontextmanager.policyAdmin)

Access Context Manager Editor (roles/accesscontextmanager.policyEditor)

Access Context Manager Reader (roles/accesscontextmanager.policyReader)

Use Cases

There are many use cases where VPC Service Controls can be applied; the comprehensive list can be found below:

Demo

The scope of this demo is defined below, and the Terraform code files needed to run it are attached.

Resources under Project A, Project B and Project X are inside the same VPC network.

Some secret files exist in a Cloud Storage bucket in Project A and, by default, they can be accessed from all three projects.

Putting a service perimeter around Project A and Project B makes the storage bucket holding the secret files unavailable to Project X. However, the Compute Engine instance in Project A can still share the secret files with Project B, because both projects sit inside the same perimeter.

VPC Service Control architecture for this demo

For this demo we'll use Terraform to provision the required resources:

GCP Projects

GCP VPC

The allowed source range in the firewall rule is the unspecified address (0.0.0.0/0) for demo purposes only; a real implementation should restrict it to the networks that actually need access.

GCP Compute Instance

GCP Storage Bucket

GCP Cloud IAM

First, apply the Terraform code up to (but not including) the GCP VPC Service Perimeter section below. Then SSH to the Compute Instance created above and try copying the file(s) from Project A to Project B and to Project X: both copies should be allowed at this stage.

GCP VPC Service Perimeter

Once the VPC Service Perimeter Terraform is provisioned, SSH to the Compute Instance again and retry copying the file(s) from Project A to Project B and to Project X. You'll see that the files can be transferred to Project B (which shares the perimeter with Project A) but can no longer be transferred to Project X.
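The perimeter step above, written out as an added Terraform example (this is not the article's attached Terraform; the organisation ID and project numbers are placeholders you must replace). It creates the organisation's access policy and a regular perimeter that contains Project A and Project B and restricts storage.googleapis.com, leaving Project X outside.

```hcl
# Added example, not the article's own Terraform files.
# Organisation ID and project numbers are placeholders.
variable "org_id"           { default = "ORG_ID_PLACEHOLDER" }
variable "project_a_number" { default = "PROJECT_A_NUMBER_PLACEHOLDER" }
variable "project_b_number" { default = "PROJECT_B_NUMBER_PLACEHOLDER" }

# VPC Service Controls is organisation-scoped: one access policy per organisation.
resource "google_access_context_manager_access_policy" "policy" {
  parent = "organizations/${var.org_id}"
  title  = "vpc-sc-demo-policy"
}

# A regular (enforced) perimeter around Project A and Project B only.
resource "google_access_context_manager_service_perimeter" "demo" {
  parent         = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name           = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/servicePerimeters/demo_perimeter"
  title          = "demo_perimeter"
  perimeter_type = "PERIMETER_TYPE_REGULAR"

  status {
    # Project X is deliberately absent, so Cloud Storage API calls between
    # the bucket in Project A and Project X are denied by the perimeter.
    resources = [
      "projects/${var.project_a_number}",
      "projects/${var.project_b_number}",
    ]

    # Only the Cloud Storage API is restricted here; A and B can still
    # call it for each other's buckets because both are inside the perimeter.
    restricted_services = ["storage.googleapis.com"]
  }
}
```

Applying this requires the Access Context Manager Admin or Editor role listed in the prerequisites; denied requests show up as VPC Service Controls violations in the audit logs, which is the signal to watch for when verifying the demo.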

By following the steps above, you now have a working demo of #VPCServiceControls using #gcp services and #terraform.

Please follow the article below to learn more about this topic:
