Configure VPC Service Controls for Assured Workloads
Overview
Assured Workloads helps you comply with different regulatory compliance
frameworks by implementing logical controls that segment networks and users from
in-scope sensitive data. Many of the US compliance frameworks are built upon
NIST SP 800-53 Rev. 5,
but have their own particular controls based on the sensitivity of the
information and the framework's governing body. For customers who must comply
with FedRAMP High
or DoD IL4, we
recommend that you use VPC Service Controls to create a strong boundary around
the regulated environment.
VPC Service Controls provides an extra layer of security defense for Google Cloud
services that is independent of Identity and Access Management (IAM). While
Identity and Access Management enables granular identity-based access control, VPC Service Controls
enables broader context-based perimeter security, such as controlling data
ingress and egress across the perimeter. VPC Service Controls establishes a
logical boundary around Google Cloud APIs that is managed at the
organization level
and applied and enforced at the
project level.
For a high-level overview of VPC Service Controls benefits and configuration
stages, please see the
VPC Service Controls overview. For
more information about the regulatory guidance, see
Control ID SC-7.
Before you begin
Ensure that you have read and understand the purpose and usage of VPC
Service Controls and its service perimeters.
Read about how access control in VPC Service Controls works with IAM.
If you want to configure external access to your protected services when you
create your perimeter, first create one or more access levels before you
create the perimeter.
Ensure that the Google Cloud services and their resources are in scope for
IL4 or in scope for FedRAMP High and are supported by VPC Service Controls.
Configure VPC Service Controls for Assured Workloads
To configure VPC Service Controls, you can use the Google Cloud console, the
Google Cloud CLI (gcloud CLI), or the
Access Context Manager APIs. The
following steps show you how to use the Google Cloud console.
Console
In the Google Cloud console navigation menu, click Security, and then
click VPC Service Controls.
If you are prompted, select your organization, folder, or project.
On the VPC Service Controls page, select the Dry run mode. While you
can create in either a Dry run mode or an Enforced mode, we recommend
using the Dry run mode first for either a new or updated service
perimeter. Dry run mode will also allow you to create a test run of your
new service perimeter to see how it performs before you choose to enforce
it within your environment.
Click New perimeter.
On the New VPC Service Perimeter page, in the Perimeter Name box,
type a name for the perimeter.
In the Details tab, select the desired perimeter type and configuration
type.
In the Projects tab, select the projects that you want to include
within the service perimeter boundary. For your IL4 workloads, these should
be the projects that are within your Assured Workloads IL4 folder.
Note: At this time, you can only select projects (and not folders) when
setting up a service perimeter.
In the Restricted Services tab, add services to include within the
service perimeter boundary. You should only select services that are in
scope for your Assured Workloads folder.
(Optional) In the VPC Accessible Services tab, you can further restrict
services within your service perimeter from communicating with each other.
Assured Workloads will implement
Service Usage Restrictions
as a guardrail to ensure that services scoped to Assured Workloads
can be deployed within your Assured Workloads folder. If you have
overridden these controls, then you may need to implement
VPC Accessible Services to restrict non-Assured Workloads
services from communicating with your workloads.
Click Ingress Policy to set one or more rules that specify the
direction of allowed access from different identities and resources.
Access levels only apply
to requests for protected resources coming from outside the service
perimeter. Access levels cannot be used to permit protected resources or
VMs to access data and services outside the perimeter. You can assign an
identity different service methods for specific services in order to
transfer regulated data into your workload's service perimeter.
(Optional) Click Egress Policy to set one or more rules that specify
the direction of allowed access to different identities and resources.
Access levels only apply to
requests from protected resources to services outside the service
perimeter.
Click Save.
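The console steps above produce an Access Context Manager ServicePerimeter resource. The following added example (not code from the page or from Google) builds that resource body in dry-run form, with the configuration under spec and useExplicitDryRunSpec set, and then lints it the way a reviewer would before promoting it to enforced: project resources must be project numbers rather than folders, restricted services must be in the in-scope set, and egress rules must not open every destination. The access policy number, project numbers, access level name and in-scope service list are constructed placeholders, and build_dry_run_perimeter and lint_perimeter are hypothetical helper names.

```python
"""Build and lint a dry-run VPC Service Controls perimeter body.

Added example. The field names are those of the Access Context Manager
ServicePerimeter REST resource; every concrete value below is a
constructed placeholder, not a real policy, project or scope list.
"""
import re

ACCESS_POLICY = "accessPolicies/123456789"  # constructed placeholder
PROJECT_RESOURCE = re.compile(r"^projects/\d+$")

# Constructed placeholder: populate this from the IL4 / FedRAMP High scope
# lists linked from the page, not from this example.
IN_SCOPE_SERVICES = {
    "storage.googleapis.com",
    "bigquery.googleapis.com",
    "compute.googleapis.com",
}


def build_dry_run_perimeter(name, title, project_numbers, restricted_services,
                            ingress_access_levels=(), vpc_accessible=None):
    """Return a ServicePerimeter body whose config lives in `spec`.

    With useExplicitDryRunSpec the API evaluates `spec` in dry-run mode and
    records would-be violations without blocking anything; `status` (the
    enforced config) is left empty until the spec is promoted.
    """
    restricted = sorted(restricted_services)
    config = {
        "resources": [f"projects/{p}" for p in project_numbers],
        "restrictedServices": restricted,
        "ingressPolicies": [],
        "egressPolicies": [],
    }
    # One ingress rule per access level: callers matching the level may reach
    # the restricted services from outside the perimeter (steps 10 above).
    for level in ingress_access_levels:
        config["ingressPolicies"].append({
            "ingressFrom": {
                "sources": [{"accessLevel": f"{ACCESS_POLICY}/accessLevels/{level}"}],
                "identityType": "ANY_IDENTITY",
            },
            "ingressTo": {
                "resources": ["*"],
                "operations": [
                    {"serviceName": s, "methodSelectors": [{"method": "*"}]}
                    for s in restricted
                ],
            },
        })
    # Optional VPC Accessible Services: limit which services VPC networks
    # inside the perimeter may call (step 9 above).
    if vpc_accessible is not None:
        config["vpcAccessibleServices"] = {
            "enableRestriction": True,
            "allowedServices": sorted(vpc_accessible),
        }
    return {
        "name": f"{ACCESS_POLICY}/servicePerimeters/{name}",
        "title": title,
        "perimeterType": "PERIMETER_TYPE_REGULAR",
        "useExplicitDryRunSpec": True,
        "spec": config,
    }


def lint_perimeter(body, folder_project_numbers):
    """Return review findings for a perimeter body; an empty list passes."""
    findings = []
    if "spec" not in body:
        findings.append("no dry-run spec: changes would be enforced immediately")
    cfg = body.get("spec") or body.get("status") or {}
    for res in cfg.get("resources", []):
        if not PROJECT_RESOURCE.match(res):
            findings.append(f"{res}: not a projects/PROJECT_NUMBER resource")
        elif res.split("/")[1] not in folder_project_numbers:
            findings.append(f"{res}: not in the Assured Workloads folder")
    for svc in cfg.get("restrictedServices", []):
        if svc not in IN_SCOPE_SERVICES:
            findings.append(f"{svc}: not in scope for the Assured Workloads folder")
    for pol in cfg.get("egressPolicies", []):
        if "*" in pol.get("egressTo", {}).get("resources", []):
            findings.append("egress rule allows any destination resource")
    return findings


if __name__ == "__main__":
    import json
    body = build_dry_run_perimeter(
        "il4_boundary", "IL4 boundary",
        ["111111111111", "222222222222"],
        {"storage.googleapis.com", "bigquery.googleapis.com"},
        ingress_access_levels=["corp_network"],
    )
    print(json.dumps(body, indent=2))
    print("findings:", lint_perimeter(body, {"111111111111", "222222222222"}))
```

The printed body is what you would submit through the Access Context Manager API (or express through the gcloud CLI's access-context-manager perimeters dry-run command group) to get the same dry-run perimeter the console steps create; run the lint before each promotion to enforced mode, since a folder resource or an out-of-scope service slips past the console as easily as past the API.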
Use VPC Service Controls with Terraform
You can use Terraform to synchronize your Assured Workloads folder
with a VPC Service Controls perimeter if you want your Assured Workloads
regulated boundary to be aligned with your VPC Service Controls boundary. For more
information, see the
Automatically Secured Folder Terraform example on GitHub.
What's next
Learn about the FedRAMP High control package.
Learn about the IL4 control package.
Last updated 2025-09-04 UTC.