Enforce certificate-based access with VPC Service Controls
To protect Google Cloud services in your projects and mitigate the risk of data
exfiltration, you can specify VPC Service Controls service perimeters at an
organization, folder, or project level. Applying a service perimeter provides
you with fine-grained control over the ingress policy as well as which services
and resources to protect.
For more information about the benefits of service perimeters, see Overview of VPC Service Controls (/vpc-service-controls/docs/overview).
Applying a CBA ingress policy to service perimeters
Applying CBA access levels to service perimeters allows you to grant access to
perimeter-protected resources from only trusted devices. For more information
about creating a CBA access level, see Create access levels for certificate-based access (/chrome-enterprise-premium/docs/create-cba-access-levels).
The following diagram illustrates a basic example of restricting access to
Cloud Storage sensitive data from unknown devices by associating a CBA access
level with a service perimeter:
To apply a CBA ingress policy to a service perimeter, complete the following steps:
1. In the Google Cloud console navigation menu, click Security, and then click
VPC Service Controls.
Go to the VPC Service Controls page: https://console.cloud.google.com/security/service-perimeter
2. On the VPC Service Controls page, in the table, click the name of the service perimeter that you want to modify.
3. On the Edit VPC Service Perimeter page, click Access Levels.
4. For Choose Access Level, select the CBA access level.
5. Click Save.
Last updated 2025-08-25 UTC.
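As an added example that is not part of this documentation, the following script verifies the result of the steps above from a perimeter description instead of the console: it takes the JSON that `gcloud access-context-manager perimeters describe PERIMETER --format=json` returns and reports whether the CBA access level is attached to the perimeter and which ingress rules reaching Cloud Storage would admit requests without it. The policy ID, access-level name, perimeter name and project number are constructed placeholders.

```python
import json

# Constructed placeholders (not from the documentation): policy ID, level name, project number.
CBA_LEVEL = "accessPolicies/123456789012/accessLevels/cba_trusted_devices"
STORAGE = "storage.googleapis.com"

# Constructed sample in the shape returned by
# `gcloud access-context-manager perimeters describe PERIMETER --format=json`.
PERIMETER_JSON = json.dumps({
    "name": "accessPolicies/123456789012/servicePerimeters/sensitive_storage",
    "status": {
        "restrictedServices": [STORAGE],
        "accessLevels": [CBA_LEVEL],  # what the console steps attach to the perimeter
        "ingressPolicies": [
            {   # compliant: only requests matching the CBA level reach Cloud Storage
                "ingressFrom": {"sources": [{"accessLevel": CBA_LEVEL}],
                                "identityType": "ANY_IDENTITY"},
                "ingressTo": {"operations": [{"serviceName": STORAGE,
                                              "methodSelectors": [{"method": "*"}]}],
                              "resources": ["*"]},
            },
            {   # non-compliant: a project source admits any device inside that project
                "ingressFrom": {"sources": [{"resource": "projects/111111111111"}],
                                "identityType": "ANY_IDENTITY"},
                "ingressTo": {"operations": [{"serviceName": STORAGE,
                                              "methodSelectors": [{"method": "*"}]}],
                              "resources": ["*"]},
            },
        ],
    },
})


def audit_cba(perimeter_json: str, cba_level: str, service: str = STORAGE) -> dict:
    """Report whether the perimeter enforces cba_level for requests reaching `service`."""
    status = json.loads(perimeter_json).get("status", {})
    weak_rules = []
    for index, rule in enumerate(status.get("ingressPolicies", [])):
        operations = rule.get("ingressTo", {}).get("operations", [])
        if not any(op.get("serviceName") in (service, "*") for op in operations):
            continue  # this rule does not open the service being protected
        sources = rule.get("ingressFrom", {}).get("sources", [])
        # Every source must be the CBA level; a resource source or another level
        # lets requests in without the device-certificate check.
        if not sources or any(src.get("accessLevel") != cba_level for src in sources):
            weak_rules.append(index)
    return {
        "cba_level_attached": cba_level in status.get("accessLevels", []),
        "ingress_rules_without_cba": weak_rules,
    }
```

Run it against the real `describe` output after step 5 to confirm the level is attached and that no ingress rule opens Cloud Storage to sources that bypass it.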