Introduction to VPC Service Controls (VPC SC)
While IAM controls who has access to resources, VPC Service Controls (VPC SC) controls where that access is allowed from and where the data can go. It creates a security perimeter around Google Cloud resources to mitigate data exfiltration risks.
For a Professional Cloud Security Engineer (PSE), VPC SC is the "last line of defense." Even if a service account key is stolen, if the attacker is outside the perimeter, they cannot use that key to access the protected data.
Plain English Explanation
Analogy 1: The Embassy Compound
Think of a Service Perimeter as an embassy compound sitting inside a foreign country. The embassy controls which projects (rooms) are inside the fence and which APIs (services like storage.googleapis.com and bigquery.googleapis.com) are "diplomatic property." Even if a thief steals a guard's keys (a service account credential), they cannot use those keys at the gate unless they come from an approved address — an Access Level matching their IP, device posture, or identity. The guard does not care that the key is valid; if the request comes from the wrong street, it is rejected at the perimeter with a RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER violation.
Analogy 2: The Hotel Safe with a Bypass Tunnel
GCS and BigQuery without VPC SC are like a hotel safe — IAM is the combination lock. But if a guest copies the combination and walks out the front door with the cash, the safe did its job and the hotel still lost. VPC SC is the lobby metal detector plus security cameras: even with a valid combination, you cannot carry the cash through the lobby to an unauthorized exit. The restricted VIP at 199.36.153.4/30 (restricted.googleapis.com) is the dedicated service elevator — only on-premises traffic routed through that VIP is allowed to reach restricted APIs over Private Google Access.
Analogy 3: Fire Drill vs. Real Fire (Dry-run vs. Enforced)
Dry-run mode is a fire drill — alarms record everyone who would have been blocked (spec config), but the doors stay unlocked so business continues. Enforced mode (status config) is the real fire — doors actually lock and the request fails with ACCESS_DENIED. You always run the drill first for 7–14 days, scan the Policy Denied logs for vpcServiceControlsUniqueId, identify legitimate traffic, write Ingress/Egress rules for it, and only then promote spec to status.
Defining Service Perimeters and Boundaries
A Service Perimeter is a logical boundary that you can apply at the organization or folder level. You add projects to the perimeter and specify which Google Cloud services (APIs) are restricted.
Key Components:
- Protected Projects: Projects within the perimeter. Communication between these projects is allowed by default.
- Restricted Services: Specific APIs (e.g., storage.googleapis.com, bigquery.googleapis.com) that are "locked down" by the perimeter.
- Access Levels: Conditions (defined in Access Context Manager) under which access from outside the perimeter is permitted.
VPC Service Controls (VPC SC) is a security feature that allows you to define a security perimeter around Google Cloud resources to mitigate data exfiltration risks.
Restricted Services (Storage, BigQuery, KMS)
When you restrict a service, VPC SC intercepts calls to that service's API. If the call originates from outside the perimeter and doesn't meet an allowed ingress rule, it is blocked.
Commonly restricted services include:
- Cloud Storage (GCS): Prevents copying data to buckets outside the perimeter.
- BigQuery: Prevents exporting data to unauthorized datasets.
- Cloud KMS: Ensures keys are only used by authorized entities within the boundary.
- Cloud SQL, Vertex AI, and Pub/Sub.
VPC SC protects APIs, not just network traffic. It is effective even against users with legitimate IAM permissions who are attempting to move data to an unauthorized location.
Protecting against Data Exfiltration
VPC SC is primarily designed to prevent two types of data exfiltration:
- Access from unauthorized locations: An attacker uses stolen credentials from the public internet.
- Copying data to unauthorized resources: A malicious insider attempts to copy data from a protected GCS bucket to a bucket they own in a different organization.
Dry-run Mode for Perimeter Changes
Configuring VPC SC is notorious for "breaking" applications if not done carefully. Dry-run mode allows you to test perimeter changes without actually enforcing them.
- Enforced Mode (status config): Violations result in an ACCESS_DENIED error and the request is blocked.
- Dry-run Mode (spec config): Violations are logged in Cloud Logging with a dryRun: true flag, but the request is still allowed.
A perimeter resource holds both a status block (live policy) and a spec block (proposed policy). You iterate on spec until logs are clean, then call accesscontextmanager.servicePerimeters.commit to promote spec into status.
The restricted VIP 199.36.153.4/30 (resolved via restricted.googleapis.com) is the on-prem-friendly endpoint that enforces VPC SC even for hybrid traffic. Route your Private Google Access DNS for *.googleapis.com to this VIP from on-premises via Cloud DNS forwarding zones and a Cloud Router; the standard private.googleapis.com (199.36.153.8/30) VIP does not enforce perimeter restrictions for restricted services.
Always use Dry-run mode for at least 7-14 days. Analyze the logs to identify legitimate traffic that would have been blocked and create the necessary Ingress/Egress rules before moving to Enforced mode.
Troubleshooting VPC SC: Troubleshooter
The VPC Service Controls Troubleshooter in the Google Cloud Console is an essential tool.
- Locate the Unique ID of the denial in Cloud Logging (look for vpcServiceControlsUniqueId).
- Paste the ID into the Troubleshooter.
- The tool identifies which perimeter blocked the request and which specific rule (or lack thereof) caused the denial.
Handling Access from Outside the Perimeter
Sometimes, legitimate entities (users, external services, or CI/CD pipelines) need to access resources inside the perimeter.
1. Ingress Rules
Ingress rules allow access into the perimeter. They can be scoped by:
- Identity: Specific user accounts or service accounts.
- Source: Access Levels (IP ranges, device posture) or specific projects.
- Resource: Specific buckets or datasets.
2. Access Context Manager Integration
As seen in previous topics, ACM Access Levels can be used as a "key" to enter the perimeter. For example, you can allow a developer to access BigQuery only if they are on a managed device.
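To make the ingress dimensions concrete, here is an added example (not from the original page and not Google's evaluation code): a simplified Python model of one perimeter that reproduces the default allow between protected projects, the egress denial for a caller inside the perimeter writing to an outside project (the Scenario 1 case below), and the identity-plus-Access-Level match an ingress rule needs (the Scenario 2 case). The perimeter, Access Level CIDR, project names and the Jenkins service account are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed teaching model; Google's real evaluation has more dimensions (method selectors, identity types, ...).
@dataclass
class IngressRule:
    identities: set      # principals, e.g. "serviceAccount:jenkins@ci-proj.iam.gserviceaccount.com"
    source_levels: set   # ACM Access Level names; identity AND source must both match
    services: set        # ingressTo operations, simplified to service names
    resources: set       # protected projects the rule opens
@dataclass
class Perimeter:
    projects: set
    restricted_services: set
    ingress_rules: list = field(default_factory=list)
    egress_projects: set = field(default_factory=set)   # outside targets an egress rule permits
@dataclass
class Request:
    principal: str
    source_project: "str | None"   # None: caller runs outside any project (on-prem, laptop)
    source_ip: str
    service: str
    target_project: str

def level_matches(level_cidrs, req):
    """ACM basic level with an ipSubnetworks condition: the caller IP must fall in one range."""
    return any(ip_address(req.source_ip) in ip_network(cidr) for cidr in level_cidrs)

def evaluate(p, levels, req):
    """Return (allowed, reason); denial reasons reuse the violationReason names from the log section."""
    src_in, dst_in = req.source_project in p.projects, req.target_project in p.projects
    if req.service not in p.restricted_services or not (src_in or dst_in):
        return True, "NOT_PROTECTED"        # VPC SC only guards restricted services at the perimeter edge
    if src_in and dst_in:
        return True, "INSIDE_PERIMETER"     # protected projects talk to each other by default
    if src_in:                              # caller inside, target outside: egress check
        ok = req.target_project in p.egress_projects
        return ok, "EGRESS_RULE" if ok else "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER"
    for rule in p.ingress_rules:            # caller outside, target inside: needs a matching ingress rule
        if (req.principal in rule.identities and req.service in rule.services
                and req.target_project in rule.resources
                and any(level_matches(levels[n], req) for n in rule.source_levels if n in levels)):
            return True, "INGRESS_RULE"
    return False, "NO_MATCHING_ACCESS_LEVEL"

LEVELS = {"onprem_jenkins": ["203.0.113.0/24"]}   # constructed: on-prem Jenkins range (TEST-NET-3), Scenario 2
PERIMETER = Perimeter({"sensitive-proj"}, {"storage.googleapis.com", "bigquery.googleapis.com"},
    [IngressRule({"serviceAccount:jenkins@ci-proj.iam.gserviceaccount.com"}, {"onprem_jenkins"},
                 {"storage.googleapis.com"}, {"sensitive-proj"})])
JENKINS = Request("serviceAccount:jenkins@ci-proj.iam.gserviceaccount.com", None, "203.0.113.10",
                  "storage.googleapis.com", "sensitive-proj")
```

Changing the source IP, the service or the target project in the Jenkins request shows which of the three rule dimensions failed to match.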
Perimeter Types: Standard vs. Managed
- Standard Perimeter: You manually add projects and configure services. Most common for custom organizational needs.
- Managed Perimeter (Automation): Often used in multi-tenant environments where perimeters are generated programmatically.
Managing Perimeters across Projects and Folders
VPC SC perimeters are managed at the Organization Level via Access Policies.
- A project can only belong to one service perimeter.
- You can use Perimeter Bridges (Topic 13) to allow communication between different perimeters.
Logs and Diagnostic Information
VPC SC generates audit logs for every denial.
- Log Name: cloudaudit.googleapis.com/policy (Policy Denied audit log) or data_access.
- Filter: protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" AND protoPayload.status.code=7
- Payload: Look for protoPayload.metadata.vpcServiceControlsUniqueId (the unique ID to paste into the Troubleshooter) and protoPayload.metadata.violationReason.
Common violationReason values
- RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER: Cross-perimeter call (e.g., a Dataflow job in perimeter A reading a GCS bucket in perimeter B). Fix with a Perimeter Bridge or an Ingress/Egress rule.
- NO_MATCHING_ACCESS_LEVEL: Caller is outside the perimeter and no Ingress rule's Access Level matched their IP, device, or identity. Fix with an ACM Access Level + Ingress rule.
- SERVICE_NOT_ALLOWED_FROM_VPC: A VPC inside the perimeter tried to call a restricted API, but that API is not in the restrictedServices (or VPC accessible services) list. Fix by adding the service or via VPCAccessibleServices.
VPC SC denial triage cheat sheet:
- RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER → cross-perimeter; add a Bridge or an Ingress/Egress rule.
- NO_MATCHING_ACCESS_LEVEL → external caller; create an ACM Access Level + Ingress rule.
- SERVICE_NOT_ALLOWED_FROM_VPC → service missing from restrictedServices / VPCAccessibleServices.
Always grab vpcServiceControlsUniqueId from the Policy Denied log first, then feed it to the Troubleshooter — never guess.
VPC SC does not apply to traffic within a project unless the service is restricted. It primarily guards the "API edge."
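An added example, not from the original page, that applies the log filter above to constructed Policy Denied entries in Python: it keeps only VPC SC denials (the @type and status.code=7 condition), pulls out vpcServiceControlsUniqueId, violationReason and the dryRun flag, and attaches the triage action from the cheat sheet. The log lines, project name, method names and unique IDs are constructed, and the entry shape is simplified relative to real Cloud Logging output.

```python
import json

VPCSC_METADATA_TYPE = "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
# Suggested fix per violationReason, following the triage cheat sheet above.
REMEDIATION = {
    "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER": "cross-perimeter call: add a Perimeter Bridge or an Ingress/Egress rule",
    "NO_MATCHING_ACCESS_LEVEL": "external caller: create an ACM Access Level and reference it from an Ingress rule",
    "SERVICE_NOT_ALLOWED_FROM_VPC": "service missing from restrictedServices / VPCAccessibleServices: add it",
}

def _entry(uid, reason, service, method, dry_run=False, code=7, vpcsc=True):
    """Build one constructed log line shaped like a Policy Denied audit entry (simplified, not real output)."""
    meta = {"@type": VPCSC_METADATA_TYPE if vpcsc else "type.googleapis.com/other.Metadata",
            "vpcServiceControlsUniqueId": uid, "violationReason": reason, "dryRun": dry_run}
    return json.dumps({"logName": "projects/sensitive-proj/logs/cloudaudit.googleapis.com%2Fpolicy",
                       "protoPayload": {"status": {"code": code}, "metadata": meta,
                                        "serviceName": service, "methodName": method}})

# Constructed sample: an enforced denial, a dry-run record, a cross-perimeter denial, and an unrelated entry to skip.
SAMPLE_LOG_LINES = [
    _entry("uid-0001", "NO_MATCHING_ACCESS_LEVEL", "storage.googleapis.com", "google.storage.objects.create"),
    _entry("uid-0002", "SERVICE_NOT_ALLOWED_FROM_VPC", "bigquery.googleapis.com", "google.cloud.bigquery.v2.JobService.InsertJob", dry_run=True),
    _entry("uid-0003", "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER", "storage.googleapis.com", "google.storage.objects.get"),
    _entry("uid-0004", None, "storage.googleapis.com", "google.storage.objects.get", vpcsc=False),
]

def is_vpcsc_denial(entry):
    """Same condition as the Cloud Logging filter above: VPC SC metadata @type AND status.code=7 (PERMISSION_DENIED)."""
    payload = entry.get("protoPayload", {})
    return (payload.get("metadata", {}).get("@type") == VPCSC_METADATA_TYPE
            and payload.get("status", {}).get("code") == 7)

def triage(log_lines):
    """Parse JSON log lines, keep VPC SC denials, and attach the unique ID plus the suggested fix."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        if not is_vpcsc_denial(entry):
            continue
        payload, meta = entry["protoPayload"], entry["protoPayload"]["metadata"]
        reason = meta.get("violationReason") or "UNKNOWN"
        findings.append({
            "unique_id": meta.get("vpcServiceControlsUniqueId"),  # feed this to the Troubleshooter first
            "reason": reason,
            "dry_run": bool(meta.get("dryRun", False)),  # True: recorded by the spec (dry-run) config, not blocked
            "service": payload.get("serviceName"),
            "method": payload.get("methodName"),
            "action": REMEDIATION.get(reason, "unknown reason: check the unique ID in the Troubleshooter"),
        })
    return findings
```

Running triage over an exported dry-run log window gives the list of legitimate callers that need Ingress/Egress rules before spec is promoted to status.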
PSE Exam Scenarios
Scenario 1: Preventing Cross-Org Data Transfer
"A security engineer needs to prevent employees from using the gsutil cp command to move data from a sensitive project to a personal GCS bucket. How should this be configured?"
Answer: Create a Service Perimeter around the sensitive project. Restrict the Cloud Storage API. Ensure that no Egress rules allow traffic to the "personal" organization.
Scenario 2: Troubleshooting a Broken Pipeline
"After enforcing a perimeter, a Jenkins server located on-premises can no longer upload build artifacts to GCS. What should the engineer check?"
Answer: Check the Cloud Audit Logs for a VPC SC denial. Find the vpcServiceControlsUniqueIdentifier. Use the VPC SC Troubleshooter. If the source is the Jenkins IP, create an ACM Access Level for that IP and add it to an Ingress Rule in the perimeter.
Summary Checklist
- Define the difference between IAM and VPC SC.
- List three services commonly protected by VPC SC.
- Explain the benefit of Dry-run mode.
- Identify the tool used to analyze VPC SC denials.
- Describe how Ingress rules allow external access.