Just recently Google Cloud announced that Google Cloud VMware Engine supports VPC Service Controls. This feature was long awaited by enterprise customers and in my opinion it is a game changer in terms of securing Google Cloud resources. VPC Service Controls (VPC SC) is a Google Cloud feature that allows you to define a security perimeter around your Google Cloud resources. This perimeter limits the export and import of resources and their associated data to within the defined boundary. In the next section of the post I will explain why this is important and how we can use it.
VPC Service Control (VPC-SC)
VPC SC works by creating a set of rules that define which Google Cloud services can be accessed from within the perimeter. These rules can be based on the identity of the requester, the requester’s location, and the requester’s device. VPC SC can be used to protect all customer Google Cloud resources, including Compute Engine, Kubernetes Engine, Cloud Storage, and BigQuery. It can also be used to protect on-premises resources that are connected to Google Cloud using Cloud Interconnect or VPN.
Some benefits of VPC-SC:
- It helps to prevent data exfiltration.
- It helps to enforce compliance requirements.
- It makes it easier to manage access to Google Cloud resources.
- It can be used to protect on-premises resources.
How to use VPC-SC?
We can use VPC-SC both from the Cloud Console and through the APIs. You can choose whichever works best for you. In short, what we need to do is add the project that we want to protect to a perimeter and specify which services we want to restrict. The procedure is well described in the Google Cloud documentation accessible here.
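To make the two steps concrete (add the project, pick the services to restrict) and to show how the identity/location rules mentioned earlier fit in, here is an added Terraform example. It is not part of the original post and not Google's own sample code; the organization id, project number and corporate IP range are placeholders that you would replace with your own values. The project number is assumed to host a VMware Engine private cloud, and the service name vmwareengine.googleapis.com is the VMware Engine API.

```hcl
# Added example (not from the original post): a VPC Service Controls perimeter
# around a project that hosts a Google Cloud VMware Engine private cloud.
# Assumed placeholders: organization id, project number, corporate CIDR.

resource "google_access_context_manager_access_policy" "org_policy" {
  parent = "organizations/123456789012" # assumed organization id
  title  = "org-access-policy"
}

# Access level: only requests coming from the corporate egress range may
# reach the restricted services from outside the perimeter (the "location
# of the requester" rule). Identity or device conditions could be added here.
resource "google_access_context_manager_access_level" "corp_network" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}/accessLevels/corp_network"
  title  = "corp_network"

  basic {
    conditions {
      ip_subnetworks = ["203.0.113.0/24"] # assumed corporate range (TEST-NET-3)
    }
  }
}

resource "google_access_context_manager_service_perimeter" "gcve_perimeter" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}/servicePerimeters/gcve_perimeter"
  title  = "gcve_perimeter"

  status {
    # Step 1: the project(s) placed inside the perimeter. Note that VPC SC
    # takes the project NUMBER, not the project id.
    resources = ["projects/111111111111"] # assumed project number of the GCVE project

    # Step 2: services that may only be called from inside the perimeter or
    # through an allowed access level. Restricting Cloud Storage together with
    # VMware Engine closes the usual exfiltration path of copying data from the
    # private cloud to a bucket owned by a project outside the perimeter.
    restricted_services = [
      "vmwareengine.googleapis.com",
      "storage.googleapis.com",
      "compute.googleapis.com",
    ]

    # Requests from the corporate range are still allowed in.
    access_levels = [google_access_context_manager_access_level.corp_network.name]
  }
}
```

Two practical notes. First, enforcing a perimeter denies every API call to a restricted service from outside it, including calls from your own CI pipelines and from peered projects, so it is worth starting in dry-run mode (the same resource accepts a `spec` block with `use_explicit_dry_run_spec = true`) and reviewing the Cloud Audit Logs for VPC Service Controls violations before switching to an enforced `status`. Second, the list of restricted services should include every service the protected data can reach, not only VMware Engine; a perimeter that restricts one API but leaves Cloud Storage open does not prevent exfiltration.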
In my opinion this announcement is a big deal for customers who want to ensure that Google Cloud VMware Engine is protected at the cloud level as well.