This page provides an overview of VPC Service Controls, a Google Cloud feature that integrates with AlloyDB to secure data and resources.
VPC Service Controls helps mitigate the risk of data exfiltration from AlloyDB instances. You can use VPC Service Controls to create service perimeters that protect the resources and data of services that you explicitly specify.
For a general overview of VPC Service Controls, its security benefits, and its capabilities across Google Cloud products, see Overview of VPC Service Controls.
Before you begin
- In the Google Cloud console, go to the Project Selector page.
- Select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project. Learn how to check if billing is enabled on a project.
- Enable the Compute Engine API.
- Enable the Service Networking API.
- Add the Identity and Access Management (IAM) roles to the user or service account you are using to set up and administer VPC Service Controls. For more information, see IAM Roles for Administering VPC Service Controls.
- Review limitations when using VPC Service Controls with AlloyDB.
How to secure AlloyDB service using VPC Service Controls
Before you begin, review Overview of VPC Service Controls and AlloyDB limitations when using VPC Service Controls.
Configuring VPC Service Controls for an AlloyDB project includes the following steps:
- Create and manage a service perimeter. First, you select the AlloyDB project that you want the VPC service perimeter to protect, and then you create and manage the service perimeter.
- Create and manage access levels. Optionally, to permit external access to protected resources inside a perimeter, you can use access levels. Access levels apply only to requests for protected resources coming from outside the service perimeter. You can't use access levels to give protected resources or VMs permission to access data and services outside the perimeter.
Create and manage a service perimeter
To create and manage a service perimeter, complete the following steps:
- Select the AlloyDB project that you want the VPC service perimeter to protect.
- Create a service perimeter by following the instructions in Creating a service perimeter.
- Add existing AlloyDB instances to the service perimeter by following the instructions in Updating a service perimeter.
- Add APIs to the service perimeter as restricted services. To mitigate the risk of your data being exfiltrated from AlloyDB, you must restrict the AlloyDB API, Compute Engine API, Cloud Storage API, Container Registry API, Certificate Authority Service API, and Cloud KMS API. For more information, see access-context-manager perimeters update.
To add APIs as restricted services:
Console
- In the Google Cloud console, go to the VPC Service Controls page.
- In the VPC Service Controls page, in the table, click the name of the service perimeter that you want to modify.
- Click Edit.
- In the Edit VPC Service Perimeter page, click Add Services.
- Add AlloyDB API, Compute Engine API, Cloud Storage API, Container Registry API, Certificate Authority Service API, and Cloud KMS API.
- Click Save.
gcloud
gcloud access-context-manager perimeters update PERIMETER_ID \
    --policy=POLICY_ID \
    --add-restricted-services=alloydb.googleapis.com,compute.googleapis.com,storage.googleapis.com,containerregistry.googleapis.com,privateca.googleapis.com,cloudkms.googleapis.com
- PERIMETER_ID: The ID of the perimeter or the fully qualified identifier for the perimeter.
- POLICY_ID: The ID of the access policy.
If you enabled enhanced query insights, also add the databaseinsights.googleapis.com API to the service perimeter as a restricted service:
Console
- In the Google Cloud console, go to the VPC Service Controls page.
- In the VPC Service Controls page, in the table, click the name of the service perimeter that you want to modify.
- Click Edit.
- In the Edit VPC Service Perimeter page, click Add Services.
- Add databaseinsights.googleapis.com.
- Click Save.
gcloud
gcloud access-context-manager perimeters update PERIMETER_ID \
    --policy=POLICY_ID \
    --add-restricted-services=databaseinsights.googleapis.com
- PERIMETER_ID: The ID of the perimeter or the fully qualified identifier for the perimeter.
- POLICY_ID: The ID of the access policy.
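As an added example (not part of this page or of the AlloyDB documentation), the following POSIX shell script audits a perimeter's current restricted-services list against the six APIs listed above, plus databaseinsights.googleapis.com when enhanced query insights is enabled, and builds a whitespace-free value for --add-restricted-services (a stray space inside that flag splits it into two shell words). The perimeter contents it checks are a constructed sample; the gcloud describe invocation in the comment, with --format="value(status.restrictedServices)", is an assumption about how you would fetch the real list and does not come from this page.

```shell
#!/bin/sh
# Added example: audit a perimeter's restricted-services list against the
# services this page says must be restricted for AlloyDB. Not code from the
# AlloyDB documentation; it only reads a list of service names you supply and
# never modifies the perimeter.

# The six services the page requires for every AlloyDB perimeter.
REQUIRED_SERVICES="alloydb.googleapis.com
compute.googleapis.com
storage.googleapis.com
containerregistry.googleapis.com
privateca.googleapis.com
cloudkms.googleapis.com"

# Required only when enhanced query insights is enabled.
INSIGHTS_SERVICE="databaseinsights.googleapis.com"

# required_services [yes]
#   Prints the required services one per line; pass "yes" to include the
#   enhanced query insights service.
required_services() {
    printf '%s\n' "$REQUIRED_SERVICES"
    if [ "${1:-no}" = "yes" ]; then
        printf '%s\n' "$INSIGHTS_SERVICE"
    fi
}

# missing_restricted_services CURRENT [yes]
#   CURRENT is a whitespace-separated list of services the perimeter already
#   restricts. Prints each required service that is absent, one per line, and
#   prints nothing when the perimeter is compliant. Always returns 0 so it is
#   safe inside $(...) under set -e.
missing_restricted_services() {
    current="$1"
    for svc in $(required_services "${2:-no}"); do
        found=no
        for cur in $current; do
            if [ "$cur" = "$svc" ]; then
                found=yes
                break
            fi
        done
        if [ "$found" = "no" ]; then
            printf '%s\n' "$svc"
        fi
    done
    return 0
}

# restricted_services_arg [yes]
#   Builds the comma-separated value for --add-restricted-services with no
#   embedded whitespace.
restricted_services_arg() {
    arg=""
    for svc in $(required_services "${1:-no}"); do
        arg="${arg:+$arg,}$svc"
    done
    printf '%s' "$arg"
}

# Demonstration on a constructed list: a perimeter that so far restricts only
# three of the required services. For a real audit you would obtain CURRENT
# from gcloud; this invocation is an assumption, not taken from the page:
#   gcloud access-context-manager perimeters describe PERIMETER_ID \
#     --policy=POLICY_ID --format="value(status.restrictedServices)" | tr ';' ' '
SAMPLE_CURRENT="alloydb.googleapis.com compute.googleapis.com storage.googleapis.com"

echo "Missing restricted services (constructed sample perimeter, insights enabled):"
missing_restricted_services "$SAMPLE_CURRENT" yes

echo
echo "Flag value that adds the full required set in one update:"
echo "--add-restricted-services=$(restricted_services_arg yes)"
```

Run it as a pre-change check before `perimeters update` and again afterwards; an empty result from missing_restricted_services means every service the page requires is already restricted.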
Create and manage access levels
To create and manage access levels, follow the instructions in Allowing access to protected resources from outside a perimeter.