Analytics Hub VPC Service Controls rules

This document describes the ingress and egress rules that you need to let publishers and subscribers access data from projects that have VPC Service Controls perimeters. It assumes familiarity with VPC Service Controls perimeters, shared datasets, data exchanges, listings, and linked datasets.

A Caller project is the network or client project that initiates the request, such as a SQL query or a Google Cloud CLI command.

Create a data exchange

In the following diagram, the projects that contain the data exchange and the shared dataset are in different service perimeters:

VPC Service Controls rule when creating a data exchange.

Figure 1. VPC Service Controls rules for creating a data exchange.

In figure 1, the following components are labeled:

  • Caller is an Analytics Hub administrator.
  • Project R is the caller project.
  • Project E hosts the Analytics Hub data exchange and listings.

As an Analytics Hub administrator, when you create a data exchange in a different project than the caller project, then you must add the following ingress and egress rules:

Project Rule
Project R Egress rule for project E
Project E (data exchange) Ingress rule for project R

Create a listing

In the following diagram, the projects that contain the data exchange and the shared dataset are in different service perimeters:

VPC Service Controls rule when creating a listing.

Figure 2. VPC Service Controls rules for creating a listing.

In figure 2, the following components are labeled:

  • Caller is an Analytics Hub administrator or publisher.
  • Project R is the caller project.
  • Project E hosts the Analytics Hub data exchange and listings.
  • Project S hosts the shared dataset.

When you create a listing in a data exchange that is in a different project than the shared dataset, you must add the following ingress and egress rules to allow publishers to create a listing:

Project Rule
Project R

Egress rule for project E

Egress rule for project S

Project E (data exchange)

Egress rule for project S

Ingress rule for project R

Project S (shared dataset)

Egress rule for project E

Ingress rule for project R

Subscribe to a listing

In the following diagram, the projects that contain the listing and the linked dataset for that listing are in different service perimeters:

VPC Service Controls rule when subscribing to a listing.

Figure 3. VPC Service Controls rules for subscribing to a listing.

In figure 3, the following components are labeled:

  • Caller is an Analytics Hub subscriber.
  • Project R is the caller project.
  • Project E hosts the Analytics Hub data exchange and listings.
  • Project L hosts the linked dataset.

As an Analytics Hub subscriber, when you subscribe to a listing in a data exchange that is in a different project than your project, then you must add the following ingress and egress rules:

Project Rule
Project R

Egress rule for project E

Egress rule for project L

Project E (listing)

Egress rule for project L

Ingress rule for project R

Project L (linked dataset)

Egress rule for project E

Ingress rule for project R

Query tables in a linked dataset

In the following diagram, the caller project and the project that contain the linked dataset are in different service perimeters:

VPC Service Controls rule when querying a table in the linked dataset.

Figure 4. VPC Service Controls rules for querying a linked dataset.

In figure 4, the following components are labeled:

  • Caller is an Analytics Hub subscriber or any BigQuery job user of the linked dataset.
  • Project R is the caller project.
  • Project L hosts the linked dataset.
  • Project V hosts the shared dataset that contains the table.

As an Analytics Hub subscriber, when you query a table in the linked dataset, you must add the following ingress and egress rules:

Project Rule
Project R Egress rule for project L
Project L (linked dataset) Ingress rule for project R

Query views in a linked dataset

Scenario 1

In the following diagram, the projects that contain the linked dataset and the base tables associated with the view are in different service perimeters. The view (Project S) and the base table associated with the view (Project V) are in different projects:

view and base tables are in different projects.

Figure 5. VPC Service Controls rules for querying a view in a linked dataset.

In figure 5, the following components are labeled:

  • Caller is an Analytics Hub subscriber or any BigQuery job user of the linked dataset.
  • Project R is the caller project.
  • Project L hosts the linked dataset.
  • Project S hosts the shared dataset.
  • Project V hosts the dataset that contains the base tables associated with the view.

As an Analytics Hub subscriber, when you query a view in a linked dataset, you must add the following ingress and egress rules:

Project Rule
Project R

Egress rule for project L

Egress rule for project V

Project L (linked dataset)

Ingress rule for project R

Egress rule for project V

Project V

Egress rule for project L

Ingress rule for project R

Scenario 2

In the following diagram, the view (Project V) and the base table associated with the view (Project V) are in the same project:

view and base tables are in the same project.

Figure 6. VPC Service Controls rules for querying a view in a linked dataset.

In figure 6, the following components are labeled:

  • Caller is an Analytics Hub subscriber or any BigQuery job user of the linked dataset.
  • Project R is the caller project.
  • Project L hosts the linked dataset.
  • Project V hosts both the view and the base tables associated with the view.

As an Analytics Hub subscriber, when you query a view in a linked dataset, you must add the following ingress and egress rules:

Project Rule
Project R

Egress rule for project L

Project L (linked dataset)

Ingress rule for project R

Query authorized views in a linked dataset

In the following diagram, the authorized view and the base table associated with the authorized view (Project V) are in the same project:

authorized view and base tables are in the same project.

Figure 7. VPC Service Controls rules for querying a view in a linked dataset.

In figure 7, the following components are labeled:

  • Caller is an Analytics Hub subscriber or any BigQuery job user of the linked dataset.
  • Project R is the caller project.
  • Project L hosts the linked dataset.
  • Project V hosts both the authorized view and the base tables associated with the view.

As an Analytics Hub subscriber, when you query a view in a linked dataset, you must add the following ingress and egress rules:

Project Rule
Project R

Egress rule for project L

Project L (linked dataset)

Ingress rule for project R

Limitations

Analytics Hub doesn't support method-based rules. To allow methods, you must allow all methods. For example:

          ingressTo:
            operations:
            - methodSelectors:
              - method: '*'
              serviceName: analyticshub.googleapis.com
            resources:
            - projects/PROJECT_ID

What's next