CoursesGCP securityNetwork & VPC Service Controls

VPC Service Controls

Perimeters that stop credentialed data exfiltration.

Expert35 min · lesson 6 of 15

VPC Service Controls is the GCP-specific control with no direct AWS analog, and it addresses a threat IAM alone cannot: a valid credential being used to copy data out of your managed services. If you run sensitive data in Cloud Storage or BigQuery, this is one of the highest-value controls you can deploy.

A perimeter around the data plane

VPC Service Controls draws a service perimeter around the APIs of a set of projects — Cloud Storage, BigQuery, and dozens more. Requests to those APIs are allowed only from inside the perimeter (or from explicitly permitted sources via access levels and ingress/egress rules). Even a principal with full IAM permission on a bucket cannot copy its data to a project outside the perimeter, because the perimeter blocks the cross-boundary API call regardless of the grant. It closes the "stolen token exfiltrates to attacker’s project" path that IAM cannot.

a perimeter with an access level
# An access level: only requests from the corporate IP range qualify.
# (defined in an access policy, referenced by the perimeter)
# The perimeter around the payments project's storage + bigquery APIs:
gcloud access-context-manager perimeters create payments-perimeter \
--title="payments" --resources=projects/PAYMENTS_NUM \
--restricted-services=storage.googleapis.com,bigquery.googleapis.com \
--access-levels=corp_network
# A leaked token used from outside the corp network / perimeter cannot read the data.

Roll it out without an outage

A perimeter can break legitimate cross-project data flows, so never enforce blind. Start in dry-run mode, which logs every request the perimeter would block without actually blocking it; review those logs, add ingress/egress rules and access levels for the legitimate flows, and only then enforce. Combine the perimeter with access levels (device posture, IP, identity) so access is conditioned on context, not just credentials.

How a service perimeter stops exfiltration
1stolen credential
has IAM permission on the bucket
2API call to copy data out
to a project outside the perimeter
3perimeter check
source not permitted → blocked
4exfiltration prevented
IAM would have allowed it
VPC-SC guards the managed-API data plane. It is the control that stops a valid token from walking data out the door.
Enforce a perimeter only after dry-run
A perimeter enforced without dry-run will silently break legitimate cross-project analytics and pipelines, causing an outage that looks like a bug. Always run in dry-run first, reconcile the logged would-be-blocks into ingress/egress rules, then flip to enforced.