Table of contents
1. Introduction
2. Supported products and limitations
3. Access control with IAM
4. Configuring ingress and egress policies
5. Creation of service perimeter and perimeter bridge
  5.1. Creation of perimeter bridge
6. Setting up private connectivity to Google APIs and services
  6.1. Configure routes to restricted.googleapis.com
  6.2. Configure firewall rules
  6.3. Configuring DNS
7. Setting up Container Registry or Artifact Registry for GKE private clusters
  7.1. Configuring DNS
  7.2. Configuring the service perimeter
8. Making bulk changes to service perimeters
9. Diagnosing issues by using the VPC Service Controls troubleshooter
  9.1. Accessing the VPC Service Controls troubleshooter
10. Frequently Asked Questions
  10.1. What other techniques are there for logging into the Google Compute Engine API?
  10.2. Describe how elasticity and scalability differ in cloud computing.
  10.3. In the context of Google Cloud, what are projects?
11. Conclusion
Last Updated: Mar 27, 2024

VPC Service Controls

Author Shivani Singh

Introduction

To regulate communication to and between Google-managed services, administrators can build a service perimeter around their resources using VPC Service Controls. Customers can address risks such as data theft, inadvertent data loss, and unauthorized access to data held in Google Cloud multi-tenant services by using VPC Service Controls. To lower both intentional and unintentional losses, it lets customers precisely regulate which organizations can access which services.


Key capabilities of VPC Service Controls include creating virtual security perimeters for API-based services, centrally managing multi-tenant service access at scale, and securely accessing multi-tenant services.

Use cases for VPC Service Controls include mitigating risks such as data exfiltration, isolating parts of the environment according to their trust level, and securing access to multi-tenant services, among others.

Supported products and limitations

This section covers the products that VPC Service Controls support and the limitations of each integration.

Access Approval: VPC Service Controls fully support this product integration. Your perimeters can be set up to protect this service. There are no known limitations of the Access Approval integration with VPC Service Controls.

Ads Data Hub: Although this product integration is ready for broader testing and use, production environments are not yet fully supported. Your perimeters can be set up to protect this service. Certain Ads Data Hub features (such as custom audience activation, custom bidding, and LiveRamp match tables) require specific user data to be transferred outside the VPC Service Controls boundary. All dependent services must be included as allowed services in the same VPC Service Controls perimeter.

AI Platform Prediction: VPC Service Controls fully support this product integration. Your perimeters can be set up to protect this service. Its limitations are that batch prediction is not supported when AI Platform Prediction is used inside a service perimeter, and that specific APIs must be added to the service perimeter.

AI Platform Training: VPC Service Controls fully support this product integration. Your perimeters can be set up to protect this service. The product can be used normally inside service perimeters, and the AI Platform Training API can be secured by VPC Service Controls. Training with TPUs is not supported when AI Platform Training is used inside a service perimeter. Because AI Platform Training and AI Platform Prediction share the AI Platform Training and Prediction API, you must set up VPC Service Controls for both.

Anthos Service Mesh: VPC Service Controls fully support this product integration. The product can be used normally inside service perimeters, and the Anthos Service Mesh API can be secured by VPC Service Controls. Anthos Service Mesh Managed Control Plane does not currently support service perimeters.

Apigee Integration: Although this product integration is ready for broader testing and use, production environments are not yet fully supported. Apigee Integration is a collaborative workflow-management platform that lets you design, enhance, troubleshoot, and understand workflows for core business systems. Application Integration logs are protected by VPC Service Controls. If you use Apigee Integration, check with the Apigee Integration team whether VPC Service Controls integration is supported.

Artifact Registry: VPC Service Controls fully support this product integration. In addition to protecting the Artifact Registry API, GKE and Compute Engine support the use of Artifact Registry inside service perimeters.


Access control with IAM

The required permissions to inspect or configure service perimeters and access levels are provided by the following preconfigured IAM roles:

  • Access Context Manager Admin (roles/accesscontextmanager.policyAdmin)
  • Access Context Manager Editor (roles/accesscontextmanager.policyEditor)
  • Access Context Manager Reader (roles/accesscontextmanager.policyReader)

Grant the Access Context Manager Admin role to allow read-write access:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="user:example@customer.org" \
    --role="roles/accesscontextmanager.policyAdmin"

Grant the Access Context Manager Editor role to allow read-write access:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="user:example@customer.org" \
    --role="roles/accesscontextmanager.policyEditor"

Grant the Access Context Manager Reader role to allow read-only access:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="user:example@customer.org" \
    --role="roles/accesscontextmanager.policyReader"

Configuring ingress and egress policies

This section describes how to set up ingress and egress rules for your VPC Service Controls perimeter.

  1. In the Google Cloud console navigation menu, select Security, then VPC Service Controls.
  2. Select New perimeter.
  3. In the left menu, select Ingress policy or Egress policy.
  4. Select Add rule.
  5. Specify the From attributes of the API client and the To attributes of the Google Cloud resources and services that the rule applies to.
  6. Click Create perimeter.

Creation of service perimeter and perimeter bridge

You can specify what services are accessible to other services and users inside the perimeter when you construct a service perimeter, and you can optionally enable access to protected services from outside the perimeter. If you'd rather, you can modify these options after setting up a perimeter. 

  1. In the Google Cloud console navigation menu, select Security, then VPC Service Controls.
  2. If prompted, choose your project, folder, or organization.
  3. On the VPC Service Controls page, choose a perimeter mode.
  4. Select New perimeter.
  5. On the New VPC Service Perimeter page, type a name for the perimeter in the Perimeter Name box.
  6. To choose the projects you want to secure inside the perimeter:
    • Select Projects.
    • In the Projects pane, click Add projects.
    • In the Add projects dialog, check the box next to each project you want to add to the perimeter.
    • Click Done.
  7. Choose the services you want to secure within the perimeter.
  8. To allow API clients from outside the perimeter to access services inside it:
    • Click Ingress policy.
    • In the Ingress rules pane, click Add rule.
    • Specify the From attributes of the API client and the To attributes of the Google Cloud resources and services.
  9. To allow API clients or resources inside the perimeter to access resources outside it:
    • Click Egress policy.
    • In the Egress rules pane, click Add rule.
    • Specify the From attributes of the API client and the To attributes of the Google Cloud resources and services.
    • Click Create perimeter.

Creation of perimeter bridge

  1. In the Google Cloud console navigation menu, select Security, then VPC Service Controls.
  2. If prompted, choose your organization.
  3. At the top of the VPC Service Controls page, click New Perimeter.
  4. On the New VPC Service Perimeter page, type a name for the perimeter in the Perimeter Name box.
  5. Under Perimeter Type, choose Perimeter Bridge.
  6. Choose the projects you want to protect inside the perimeter:
    • Click Add Projects.
    • In the Add projects window, select the checkbox in each row that corresponds to a project you want to add to the perimeter.
    • Click Add n Projects, where n is the number of projects you chose in the previous step.
  7. Click Save.

Setting up private connectivity to Google APIs and services

In this section, we'll go over how to set up private connectivity from hosts in a VPC network or an on-premises network to the Google APIs and services that VPC Service Controls support.

Configure routes to restricted.googleapis.com

Use restricted.googleapis.com to access the Google Cloud and developer APIs that VPC Service Controls support. The restricted.googleapis.com domain resolves to the VIP (virtual IP address) range 199.36.153.4/30.

Regardless of which domain you pick, VPC Service Controls are enforced for supported and restricted services; however, restricted.googleapis.com offers additional mitigation against data exfiltration, because it denies access to Google APIs and services that VPC Service Controls do not support.

If your VPC network does not already have a default route whose next hop is the default internet gateway, create a custom static route with the destination 199.36.153.4/30 and the default internet gateway as its next hop.

For all BGP sessions on an active Cloud Router, add the following custom route advertisement for the restricted range:

  1. In the Google Cloud console, go to the Cloud Router page.
  2. Select the Cloud Router that needs updating.
  3. On the Cloud Router's detail page, click Edit.
  4. Expand the Advertised routes section.
  5. Under Routes, choose Create custom routes.
  6. To keep advertising the subnets available to the Cloud Router, choose Advertise all subnets visible to the Cloud Router. Enabling this option keeps the Cloud Router's default behavior.
  7. To add an advertised route, choose Create a custom route.
  8. Set up the route advertisement:
    • Under Source, choose Custom IP range.
    • Enter the IP address range 199.36.153.4/30.
    • Add a description, for example Restricted Google APIs IPs.
  9. After adding the routes, click Save.

Configure firewall rules

VM instances that have Private Google Access enabled can reach protected Google API resources through internal IP addresses, without needing external IP addresses. However, VM instances might still have external IP addresses or otherwise be able to connect to the internet. In addition to using custom routes, you can limit egress traffic from VM instances in your VPC network by setting up firewall rules that deny egress traffic.

By default, the implied egress firewall rule allows VM instances to send traffic to any destination for which a suitable route exists. You can first create an egress deny rule that blocks all outgoing traffic, then add higher-priority egress rules that allow traffic to specific destinations within your VPC network and to the IP range 199.36.153.4/30 (restricted.googleapis.com).

Configuring DNS

For general use of VPC Service Controls, we advise configuring DNS for your VPC networks with Cloud DNS response policies. With a response policy you don't need to set up a managed private zone. Response policies use passthru behavior to accept names that fall past the wildcard name, for example www.googleapis.com under *.googleapis.com.

You can also use managed private zones for your VPC networks. Cloud DNS private DNS zones let you host a DNS zone that is reachable from the permitted VPC networks. You can use the Restricted Google APIs IP addresses to set up forwarding from specific on-premises name servers.

Setting up Container Registry or Artifact Registry for GKE private clusters

This section explains how to set up DNS entries so that you can use Container Registry or Artifact Registry with a Google Kubernetes Engine private cluster and VPC Service Controls.

These steps are necessary only if your GKE private cluster uses Artifact Registry or Container Registry for container storage and you have not already set up routing of the pkg.dev or gcr.io registry domains to restricted.googleapis.com.

Although private clusters inside a service perimeter can use Container Registry or Artifact Registry without the restricted VIP, you shouldn't: if the restricted VIP is not used, data can be exfiltrated from a supported service to an unsupported one.

Configuring DNS

To support GKE private clusters that use Container Registry or Artifact Registry inside a service perimeter, first configure your DNS server so that requests to the registry addresses resolve to the restricted VIP, restricted.googleapis.com. Cloud DNS private DNS zones let you do this.

  1. Create a managed private zone.
  2. Start a transaction.
  3. Add a CNAME record for the registry.
  4. Add an A record for the restricted VIP.
  5. Execute the transaction.
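A post-configuration check for the DNS setup above (both the response-policy and the private-zone approach), as an added example that is not part of the original post: from a host inside the perimeter, confirm that the registry and API names resolve only to the restricted VIP 199.36.153.4/30. The list of names is constructed; the classification logic is pure and runs offline, while resolve() uses whatever resolver the host is configured with.

```python
# Added example (not from the original post): verify that names steer to the
# restricted VIP after Cloud DNS is configured. classify() is offline logic;
# resolve() queries the host resolver and needs network access.
import ipaddress
import socket

RESTRICTED_VIP = ipaddress.ip_network("199.36.153.4/30")  # restricted.googleapis.com

# Constructed check list: the registry domains from the page plus API hostnames
# a GKE private cluster in a perimeter must reach via the restricted VIP.
NAMES_TO_CHECK = ["gcr.io", "us.gcr.io", "pkg.dev", "us-docker.pkg.dev",
                  "www.googleapis.com", "storage.googleapis.com"]

def classify(name, addresses):
    """Return (name, ok, offending); offending lists answers outside the restricted VIP."""
    offending = [a for a in addresses if ipaddress.ip_address(a) not in RESTRICTED_VIP]
    return name, not offending and bool(addresses), offending

def resolve(name):
    """IPv4 answers for name from the host's configured resolver (the one Cloud DNS serves)."""
    infos = socket.getaddrinfo(name, 443, family=socket.AF_INET, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def report(results):
    """Map each name that still resolves to a public address to its offending answers."""
    return {name: bad for name, ok, bad in results if not ok}

if __name__ == "__main__":
    results = [classify(n, resolve(n)) for n in NAMES_TO_CHECK]
    for name, ok, offending in results:
        print(f"{'OK  ' if ok else 'LEAK'} {name} {offending or ''}")
```

A name reported as LEAK still reaches the public Google front end, so the perimeter's exfiltration protection for that service is bypassed until the DNS record is fixed.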

Configuring the service perimeter

The Container Registry or Artifact Registry service should be added to the list of services you want to protect using the service perimeter after establishing the DNS records. You can create a new service perimeter or update an existing one.

In addition, add any other supported services that you use with the registry, such as Cloud Build, Container Analysis, and Binary Authorization, to the service perimeter.

For Container Registry, you must also include Cloud Storage in the service perimeter.

Making bulk changes to service perimeters

With Access Context Manager you can bulk update the resources that make up your organization's access policy, including access levels and service perimeters. The bulk operation is all-or-nothing: your resources won't change unless every part of it succeeds.

To bulk replace all service perimeters, use the replace-all command.

gcloud beta access-context-manager perimeters replace-all \
  --source-file=FILE \
  --etag=ETAG \
  [--policy=POLICY_NAME]
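The replace-all command above takes a file describing every perimeter in the policy, which is also where the registry-related services from the previous section are declared. The following is an added example, not code from the original post or from Google: it generates that file and checks it before it is applied. Assumptions: the file may be JSON rather than YAML, the field names follow the Access Context Manager ServicePerimeter resource, and every policy id, project number and identity is a constructed placeholder.

```python
# Added example, not from the original post: generate the --source-file for
# `gcloud beta access-context-manager perimeters replace-all` and sanity-check it
# first. Assumptions: JSON is accepted alongside YAML, field names follow the
# Access Context Manager ServicePerimeter resource, and every id below is a placeholder.
import json

# From the page: Container Registry stores images in Cloud Storage, so restricting
# containerregistry.googleapis.com without storage.googleapis.com leaves a gap.
REQUIRED_COMPANIONS = {"containerregistry.googleapis.com": {"storage.googleapis.com"}}

# Constructed rules: a CI service account may pull from Artifact Registry from any
# source (accessLevel "*"); service accounts may read objects in one outside project.
INGRESS = [{"ingressFrom": {"identities": ["serviceAccount:ci@placeholder.iam.gserviceaccount.com"],
                            "sources": [{"accessLevel": "*"}]},
            "ingressTo": {"resources": ["*"],
                          "operations": [{"serviceName": "artifactregistry.googleapis.com",
                                          "methodSelectors": [{"method": "*"}]}]}}]
EGRESS = [{"egressFrom": {"identityType": "ANY_SERVICE_ACCOUNT"},
           "egressTo": {"resources": ["projects/222222222222"],
                        "operations": [{"serviceName": "storage.googleapis.com",
                                        "methodSelectors": [{"method": "google.storage.objects.get"}]}]}}]

def perimeter(policy, name, projects, services, ingress=(), egress=()):
    """Build one regular perimeter entry for the replace-all list."""
    return {"name": f"accessPolicies/{policy}/servicePerimeters/{name}", "title": name,
            "perimeterType": "PERIMETER_TYPE_REGULAR",
            "status": {"resources": [f"projects/{p}" for p in projects],
                       "restrictedServices": sorted(services),
                       "ingressPolicies": list(ingress), "egressPolicies": list(egress)}}

def validate(perimeters):
    """Return human-readable problems; an empty list means the file is consistent."""
    problems = []
    for p in perimeters:
        restricted = set(p["status"]["restrictedServices"])
        for svc, deps in REQUIRED_COMPANIONS.items():
            for dep in sorted(deps - restricted) if svc in restricted else []:
                problems.append(f"{p['title']}: {svc} is restricted but {dep} is not")
        for res in p["status"]["resources"]:   # perimeters take project numbers, not ids
            if not (res.startswith("projects/") and res[len("projects/"):].isdigit()):
                problems.append(f"{p['title']}: resource {res} must be projects/PROJECT_NUMBER")
    return problems

def build_source_file(policy):
    """Every perimeter in the policy: replace-all overwrites the whole set, not one entry."""
    return [perimeter(policy, "registry_perimeter", ["111111111111"],
                      {"containerregistry.googleapis.com", "artifactregistry.googleapis.com",
                       "storage.googleapis.com"}, INGRESS, EGRESS)]

if __name__ == "__main__":
    perims = build_source_file("123456789")
    print("\n".join(validate(perims)) or "no problems found")
    with open("perimeters.json", "w") as fh:   # then pass --source-file=perimeters.json with the policy etag
        json.dump(perims, fh, indent=2)
```

Because replace-all replaces every perimeter in the policy, a perimeter missing from the file is removed, which is why the etag in the page's command guards against applying a stale file.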

Diagnosing issues by using the VPC Service Controls troubleshooter

The VPC Service Controls logs record requests for protected resources and the reason a request was denied. However, these details aren't always immediately visible, so deciphering the logs can take a lot of time. Security administrators can use the VPC Service Controls troubleshooter to identify denials coming from a service perimeter.

The troubleshooter can also identify denials from a service perimeter with a dry-run configuration.

Prerequisites: to debug a VPC Service Controls violation, make sure you have the VPC Service Controls Troubleshooter Viewer IAM role (roles/accesscontextmanager.vpcScTroubleshooterViewer). This role does not let you change access levels or perimeters.

Accessing the VPC Service Controls troubleshooter

Follow these steps to access the VPC Service Controls troubleshooter:

  1. In the console, open the Logs Explorer page.
  2. Use the denial's unique ID to find the log entry in the Logs Explorer.
  3. In the Query results pane, in the row for the denial you want to troubleshoot, click VPC Service Controls, then click Troubleshoot denial.
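Before pasting unique IDs into the troubleshooter one at a time, it helps to triage an exported batch of denials. The following is an added example, not from the original post: it reads newline-delimited JSON audit-log entries, keeps only VPC Service Controls decisions, and separates enforced denials from dry-run ones. The three log lines are constructed, and the metadata field names (vpcServiceControlsUniqueId, violationReason, dryRun, securityPolicyInfo.servicePerimeterName) are the audit-log fields as assumed here.

```python
# Added example, not from the original post: triage exported VPC Service Controls
# denials before opening the troubleshooter. Log lines are constructed; metadata
# field names (vpcServiceControlsUniqueId, violationReason, dryRun,
# securityPolicyInfo.servicePerimeterName) are the audit-log fields as assumed here.
import json
from collections import Counter

VPC_SC_TYPE = "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"

# Constructed sample: one enforced denial, one dry-run denial, one unrelated entry.
SAMPLE_LOG = r'''
{"protoPayload":{"methodName":"google.storage.objects.get","status":{"code":7},"authenticationInfo":{"principalEmail":"ci@placeholder.iam.gserviceaccount.com"},"metadata":{"@type":"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata","vpcServiceControlsUniqueId":"CONSTRUCTED-ID-1","violationReason":"NO_MATCHING_ACCESS_LEVEL","dryRun":false,"securityPolicyInfo":{"servicePerimeterName":"accessPolicies/1/servicePerimeters/prod"}}}}
{"protoPayload":{"methodName":"google.storage.objects.create","status":{"code":7},"authenticationInfo":{"principalEmail":"dev@example.com"},"metadata":{"@type":"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata","vpcServiceControlsUniqueId":"CONSTRUCTED-ID-2","violationReason":"RESOURCE_NOT_IN_SAME_SERVICE_PERIMETER","dryRun":true,"securityPolicyInfo":{"servicePerimeterName":"accessPolicies/1/servicePerimeters/prod"}}}}
{"protoPayload":{"methodName":"google.storage.objects.get","status":{"code":0},"authenticationInfo":{"principalEmail":"dev@example.com"}}}
'''

def parse_denials(text):
    """Return one dict per VPC SC decision in a newline-delimited JSON log export."""
    denials = []
    for line in text.splitlines():
        if not line.strip():
            continue
        payload = json.loads(line).get("protoPayload", {})
        meta = payload.get("metadata", {})
        if meta.get("@type") != VPC_SC_TYPE:
            continue  # ordinary audit entry, not a perimeter decision
        denials.append({
            "unique_id": meta["vpcServiceControlsUniqueId"],  # the ID to look up in Logs Explorer
            "reason": meta.get("violationReason"),
            "perimeter": meta.get("securityPolicyInfo", {}).get("servicePerimeterName"),
            "dry_run": bool(meta.get("dryRun")),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "method": payload.get("methodName"),
        })
    return denials

def summarize(denials):
    """Count (perimeter, reason) pairs, split by whether the perimeter was enforced."""
    return {"enforced": Counter((d["perimeter"], d["reason"]) for d in denials if not d["dry_run"]),
            "dry_run": Counter((d["perimeter"], d["reason"]) for d in denials if d["dry_run"])}

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for d in found:
        print(("DRY-RUN " if d["dry_run"] else "DENIED  ") + f"{d['unique_id']} {d['principal']} {d['method']} {d['reason']}")
    print(summarize(found))
```

Dry-run denials show what a perimeter would block once enforced, so a rising dry-run count for one (perimeter, reason) pair is the signal to add an ingress or egress rule before switching the perimeter to enforced mode.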

Frequently Asked Questions

What other techniques are there for logging into the Google Compute Engine API?

The Google Compute Engine API can be authenticated using several methods, such as client libraries, OAuth 2.0, or passing an access token directly.

Describe how elasticity and scalability differ in cloud computing.

Scalability in the cloud lets you increase your capacity to handle larger workloads by adding new servers or making room on existing ones. Elasticity is the technique of adding or removing virtual machines as needed, to avoid wasting resources and to cut costs.

In the context of Google Cloud, what are projects?

All Google Compute Engine resources are contained in projects. Projects are not designed for resource sharing and form the universe of compartments. A project may be owned and used by several parties.

Conclusion

In this article, we discussed VPC Service Controls, its supported products and limitations, access control with IAM, configuring ingress and egress policies, and the creation of a service perimeter and perimeter bridge. We also discussed setting up private connectivity to Google APIs and services, and Container Registry or Artifact Registry for GKE private clusters. Finally, we covered making bulk changes to service perimeters and diagnosing issues with the VPC Service Controls troubleshooter.

For more content, refer to our guided paths on Coding Ninjas Studio to upskill yourself.

Do upvote our blogs if you find them helpful and engaging!

Happy Learning!
