Enforce certificate-based access with VPC Service Controls
To protect Google Cloud services in your projects and mitigate the risk of data
exfiltration, you can specify VPC Service Controls service perimeters at an
organization, folder, or project level. Applying a service perimeter provides
you with fine-grained control over the ingress policy as well as which services
and resources to protect.
Applying a CBA ingress policy to service perimeters
Applying CBA access levels to service perimeters lets you grant access to
perimeter-protected resources only from trusted devices. For more information
about creating a CBA access level, see Create access levels for certificate-based access.
The following diagram illustrates a basic example of restricting access to
sensitive Cloud Storage data from unknown devices by associating a CBA access
level with a service perimeter:
To apply a CBA ingress policy to a service perimeter, complete the following steps:
In the Google Cloud console navigation menu, click Security, and then click
VPC Service Controls.
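As an added illustration that is not part of this page, the same restriction expressed as an ingress rule file for a service perimeter: only requests that satisfy the CBA access level may reach Cloud Storage inside the perimeter, and nothing else is let in. The policy ID, access level name, and project number are placeholders you replace with your own.

```yaml
# Ingress rules for a VPC Service Controls perimeter (constructed example).
# Each list item is one ingress rule: ingressFrom says who may come in and
# from where, ingressTo says which protected services and resources they
# may reach. Requests matching no rule are denied by the perimeter.
- ingressFrom:
    # Allow any principal (user or service account)...
    identityType: ANY_IDENTITY
    # ...but only when the request satisfies the CBA access level, which
    # requires a trusted device certificate. With no other entries under
    # sources, requests from unknown devices never match this rule.
    sources:
    - accessLevel: accessPolicies/POLICY_ID/accessLevels/CBA_ACCESS_LEVEL
  ingressTo:
    # Scope the allowance to Cloud Storage; other protected services in the
    # perimeter remain unreachable from outside through this rule.
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: "*"
    # Limit the rule to one protected project rather than every resource
    # in the perimeter ("*").
    resources:
    - projects/PROJECT_NUMBER
```

To attach the file to an existing perimeter you can run gcloud access-context-manager perimeters update PERIMETER_NAME --policy=POLICY_ID --set-ingress-policies=ingress.yaml, which replaces the perimeter's current ingress rules with the ones in the file. Testing the change with the perimeter's dry-run mode first shows which existing callers would be blocked before enforcement.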
Last updated 2025-03-05 UTC.