
VPC Service Controls in GCP - Commands & Configuration

Introduction
VPC Service Controls help protect your Google Cloud services by creating a secure boundary around them. This stops data from being accessed or moved outside your trusted network, reducing the risk of data leaks.
  • When you want to keep sensitive data inside your company network and prevent it from being accessed from outside.
  • When you use Google Cloud services like Cloud Storage or BigQuery and want to add extra protection around them.
  • When you need to control which projects or users can access your cloud services based on network boundaries.
  • When you want to reduce the risk of data theft or accidental exposure from misconfigured permissions.
  • When you want to enforce security policies that limit data movement between different environments.
Config File - access_policy.yaml
accessPolicies:
- name: accessPolicies/123456789
  title: example-access-policy
  scopes:
  - organizations/123456789
  servicePerimeters:
  - name: accessPolicies/123456789/servicePerimeters/example-perimeter
    title: example-perimeter
    perimeterType: PERIMETER_TYPE_REGULAR
    status:
      resources:
      - projects/123456789012
      restrictedServices:
      - storage.googleapis.com
      - bigquery.googleapis.com
      accessLevels:
      - accessPolicies/123456789/accessLevels/example-level
accessLevels:
- name: accessPolicies/123456789/accessLevels/example-level
  title: example-level
  basic:
    conditions:
    - ipSubnetworks:
      - 192.168.1.0/24
      - 10.0.0.0/16
      members:
      - user:alice@example.com

This YAML file defines an access policy for VPC Service Controls.

  • accessPolicies: The main container for your security boundaries.
  • servicePerimeters: Defines the secure boundary around specific projects and services.
  • restrictedServices: Lists Google Cloud services protected by the perimeter.
  • accessLevels: Specifies who can access the services inside the perimeter, and from which networks.
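To make the decision order concrete, here is an added example (not from the original page or from Google) that models how the perimeter and access level above decide a request. The Request fields and the evaluate function are assumptions of this model; ingress/egress rules and VPC-accessible services, which real enforcement also checks, are left out.

```python
# Offline model of a VPC Service Controls decision (constructed example, not Google's logic).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Perimeter and access level as Python data; values copied from access_policy.yaml.
PERIMETER = {
    "resources": {"projects/123456789012"},
    "restrictedServices": {"storage.googleapis.com", "bigquery.googleapis.com"},
    "accessLevels": ["example-level"],
}
ACCESS_LEVELS = {  # a basic level is a list of conditions; matching any one suffices
    "example-level": [{"ipSubnetworks": ["192.168.1.0/24", "10.0.0.0/16"],
                       "members": ["user:alice@example.com"]}],
}

@dataclass
class Request:
    service: str         # API called, e.g. storage.googleapis.com
    target_project: str  # project owning the resource, e.g. projects/123456789012
    caller_project: str  # project the call originates from; "" = outside Google Cloud
    caller_ip: str
    principal: str       # e.g. user:alice@example.com

def condition_matches(cond: dict, req: Request) -> bool:
    """Every attribute set in one basic condition must hold (AND within a condition)."""
    if "ipSubnetworks" in cond:
        ip = ip_address(req.caller_ip)
        if not any(ip in ip_network(net) for net in cond["ipSubnetworks"]):
            return False
    if "members" in cond and req.principal not in cond["members"]:
        return False
    return True

def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for one request against the perimeter."""
    if req.service not in PERIMETER["restrictedServices"]:
        return True, "service is not restricted by the perimeter"
    caller_in = req.caller_project in PERIMETER["resources"]
    target_in = req.target_project in PERIMETER["resources"]
    if caller_in and target_in:
        return True, "caller and target are both inside the perimeter"
    if caller_in:
        return False, "egress to a project outside the perimeter is blocked"
    if not target_in:
        return True, "neither side is inside the perimeter"
    # Ingress from outside to a protected project: an attached access level must match.
    if any(condition_matches(c, req)
           for name in PERIMETER["accessLevels"] for c in ACCESS_LEVELS[name]):
        return True, "ingress permitted by an attached access level"
    return False, "ingress blocked: no attached access level matched"
```

Running evaluate over a few constructed requests shows why an unrestricted service is unaffected, why two projects inside the perimeter talk freely, and why the access level decides only the ingress case.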
Commands
List all access policies in your organization to find the policy ID needed for creating service perimeters.
gcloud access-context-manager policies list
Expected output:
NAME       TITLE
123456789  example-access-policy
Create a service perimeter named 'example-perimeter' around the specified project and restrict access to the Cloud Storage and BigQuery services.
gcloud access-context-manager perimeters create example-perimeter --policy=123456789 --title="example-perimeter" --resources=projects/123456789012 --restricted-services=storage.googleapis.com,bigquery.googleapis.com --perimeter-type=regular
Expected output:
create: Operation completed successfully.
  • --policy: Specifies the access policy ID to use.
  • --resources: Defines which projects are inside the perimeter.
  • --restricted-services: Lists the Google Cloud services protected by the perimeter.
Check the details of the created service perimeter to verify its configuration.
gcloud access-context-manager perimeters describe example-perimeter --policy=123456789
Expected output:
name: accessPolicies/123456789/servicePerimeters/example-perimeter
title: example-perimeter
perimeterType: PERIMETER_TYPE_REGULAR
status:
  resources:
  - projects/123456789012
  restrictedServices:
  - storage.googleapis.com
  - bigquery.googleapis.com
  • --policy: Specifies the access policy ID to query.
Create an access level that allows only user alice@example.com, connecting from specific IP ranges, to reach resources inside the perimeter. Basic access levels are defined in a YAML spec file; here example-level.yaml holds the conditions list shown under basic: in access_policy.yaml above (the ipSubnetworks and members entries).
gcloud access-context-manager levels create example-level --policy=123456789 --title="example-level" --basic-level-spec=example-level.yaml
Expected output:
create: Operation completed successfully.
  • --policy: Specifies the access policy ID to use.
  • --basic-level-spec: Path to the YAML file whose conditions list the allowed IP ranges (ipSubnetworks) and the allowed user identities (members).
The level only takes effect once it is attached to the perimeter, either with --access-levels when the perimeter is created or with --add-access-levels on gcloud access-context-manager perimeters update.
Key Concept

If you remember nothing else from this pattern, remember: VPC Service Controls create a secure boundary around your cloud services to keep data safe inside trusted networks.

Common Mistakes
  • Not specifying the correct project IDs inside the service perimeter. The perimeter won't protect the intended resources if projects are missing or incorrect. Always double-check project IDs and include all relevant projects in the perimeter configuration.
  • Forgetting to create or attach access levels to control who can access the perimeter. Without access levels, the perimeter might block all access or allow unintended users. Define access levels with specific users and IP ranges, then attach them to the perimeter.
  • Trying to protect unsupported services or misnaming service names in restrictedServices. The perimeter won't apply restrictions to services not listed or incorrectly named. Use exact service names from the Google Cloud documentation when listing restricted services.
Summary
  • Use 'gcloud access-context-manager policies list' to find your access policy ID.
  • Create a service perimeter with 'gcloud access-context-manager perimeters create' to protect projects and services.
  • Verify perimeter details with 'gcloud access-context-manager perimeters describe'.
  • Create access levels to specify who can access the perimeter, and from which networks.