Skip to content

VPC Security


  • Firewall rules are stateful
  • Implied deny all ingress and allow all egress

Rule Fields

Field Description
  • Inbound connections: matched against ingress rules only
  • Outbound connections: matched against egress rules only
  • Target:
    • All instances in the network
    • Specified target tags
    • Specified Service Accounts
  • Source:
    • IP ranges
    • Subnets
    • Source tags
    • Service Accounts
  • Can be applied to any rule
  • allow or deny
  • Lower number indicates a higher priority
  • The 1st matching rule is applied
Rule Assignment
  • All rules are assigned to all instances
  • It is possible to assign certain rules to certain instances only
Traffic that is always blocked
  • All GRE traffic, unless explicitly allowed through protocol forwarding
  • Protocols other than TCP, UDP, ICMP, ESP, AH, SCTP, and IPIP:
    • Between instances and the Internet
    • Between instances if they are addressed with external IP addresses
    • Between instances if a load balancer with an external IP address is involved
  • Egress traffic on TCP port 25 (SMTP traffic) to the Internet or any instance external IP address
  • Egress traffic on TCP port 465 or 587 (SMTP over TLS) to the Internet or any instance external IP address except to known Google SMTP servers
Hierarchical firewall policies
  • Hierarchical firewall policy rules can delegate evaluation to lower-level policies or VPC network firewall rules with a goto_next action
  • Lower-level rules cannot override a rule from a higher place in the resource hierarchy

VPC Flow Logs

  • Record network flows sent from or received by VM instances
  • Use for network monitoring, forensics, real-time security analysis, and expense optimization

VPC Service Controls

  • Unauthorized access using stolen credentials
  • Data exfiltration and compromised code
  • Public exposure of private data
Feature Description
Prevent access to Google-managed services outside of a trusted perimeter
  • While Cloud IAM enables granular identity-based access control, VPC Service Controls enables broader context-based perimeter security, including controlling data egress across the perimeter
  • Protect resources within a perimeter so they can only be privately accessed from clients within authorized VPC networks using Private Google Access
  • Ensure clients within a perimeter that have private access to resources do not have access to unauthorized (potentially public) resources outside the perimeter
  • Prevent data from being copied to unauthorized resources outside the perimeter using service operations
Extend communication from cloud resources to an on-premises environment
  • Private Google Access on-premises extensions allow private communication between VPC networks that span hybrid cloud environments
  • VPC networks must be part of a service perimeter for VMs on that network to privately access managed Google Cloud resources within that service perimeter
  • VMs with private IPs on a VPC network that is part of a service perimeter cannot access managed resources outside the service perimeter
    • For example, a VM within a VPC network that is part of a service perimeter can privately access a Cloud Storage bucket in the same service perimeter, but the VM will be denied access to Cloud Storage buckets that are outside of it
Restrict access to resources from the Internet by creating custom attribute-based access levels
  • Access from the internet to managed resources within a service perimeter is denied by default
  • You can enable access based on the context of the request by creating access levels that control access based on a number of attributes, such as the source IP address
Perimeter bridges can be used to enable communication between projects in different service perimeters

Access Context Manager

  • Defines fine-grained attribute based controls for projects and resources
  • Allows to define fine-grained, attribute based access control for projects and resources in Google Cloud
  • Administrators define an access policy, which is an organization-wide container for organizing access levels and service perimeters
  • Access Context Manager isn't responsible for policy enforcement
  • Its purpose is to describe the desired rules
  • Access policy is configured and enforced across various points, including through VPC Service Controls
  • Create an access policy
    • Collects service perimeters and access levels
    • Requirements may include:
      • Device type and operating system
      • IP address
      • User identity
  • Secure Cloud resources with service perimeters.
  • Set up private connectivity from a VPC network
  • Grant access from the outside using access levels