VPC Security

Firewall

• Firewall rules are stateful
• Implied deny all ingress and allow all egress

Rule Fields

Field	Description
Direction	Inbound connections: matched against ingress rules only Outbound connections: matched against egress rules only
Target/Source	Target: All instances in the network Specified target tags Specified Service Accounts Source: IP ranges Subnets Source tags Service Accounts
Protocol/Port	Can be applied to any rule
Action	allow or deny
Priority	Lower number indicates a higher priority The 1st matching rule is applied
Rule Assignment	All rules are assigned to all instances It is possible to assign certain rules to certain instances only

Traffic that is always blocked

• All GRE traffic, unless explicitly allowed through protocol forwarding
• Protocols other than TCP, UDP, ICMP, ESP, AH, SCTP, and IPIP:
  • Between instances and the Internet
  • Between instances if they are addressed with external IP addresses
  • Between instances if a load balancer with an external IP address is involved
• Egress traffic on TCP port 25 (SMTP traffic) to the Internet or any instance external IP address
• Egress traffic on TCP port 465 or 587 (SMTP over TLS) to the Internet or any instance external IP address except to known Google SMTP servers

Hierarchical firewall policies

• Hierarchical firewall policy rules can delegate evaluation to lower-level policies or VPC network firewall rules with a goto_next action
• Lower-level rules cannot override a rule from a higher place in the resource hierarchy

VPC Flow Logs

Description

• Record network flows sent from or received by VM instances
• Use for network monitoring, forensics, real-time security analysis, and expense optimization

VPC Service Controls

Description

• Reduces the risk of data exfiltration from services like Cloud Storage and BigQuery
• Creates security perimeters around Google-managed resources and allows to control the movement of data across that perimeter
• See also:
  • Mitigating Data Exfiltration Risks in GCP using VPC Service Controls
  • VPC Service Controls in Plain English

Prevents

• Unauthorized access using stolen credentials
• Data exfiltration and compromised code
• Public exposure of private data

Feature	Description
Prevent access to Google-managed services outside of a trusted perimeter	While Cloud IAM enables granular identity-based access control, VPC Service Controls enables broader context-based perimeter security, including controlling data egress across the perimeter Protect resources within a perimeter so they can only be privately accessed from clients within authorized VPC networks using Private Google Access Ensure clients within a perimeter that have private access to resources do not have access to unauthorized (potentially public) resources outside the perimeter Prevent data from being copied to unauthorized resources outside the perimeter using service operations
Extend communication from cloud resources to an on-premises environment	Private Google Access on-premises extensions allow private communication between VPC networks that span hybrid cloud environments VPC networks must be part of a service perimeter for VMs on that network to privately access managed Google Cloud resources within that service perimeter VMs with private IPs on a VPC network that is part of a service perimeter cannot access managed resources outside the service perimeter For example, a VM within a VPC network that is part of a service perimeter can privately access a Cloud Storage bucket in the same service perimeter, but the VM will be denied access to Cloud Storage buckets that are outside of it
Restrict access to resources from the Internet by creating custom attribute-based access levels	Access from the internet to managed resources within a service perimeter is denied by default You can enable access based on the context of the request by creating access levels that control access based on a number of attributes, such as the source IP address
Perimeter bridges can be used to enable communication between projects in different service perimeters

Access Context Manager

Description

• Defines fine-grained attribute based controls for projects and resources
• Allows to define fine-grained, attribute based access control for projects and resources in Google Cloud

Requirements

• Administrators define an access policy, which is an organization-wide container for organizing access levels and service perimeters
• Access Context Manager isn't responsible for policy enforcement
• Its purpose is to describe the desired rules
• Access policy is configured and enforced across various points, including through VPC Service Controls

Functioning

• Create an access policy
  • Collects service perimeters and access levels
  • Requirements may include:
    • Device type and operating system
    • IP address
    • User identity
• Secure Cloud resources with service perimeters.
• Set up private connectivity from a VPC network
• Grant access from the outside using access levels