Google Cloud Virtual Private Cloud (VPC) Service Controls lets you set up a secure perimeter to guard against data exfiltration. Configure Cloud Quotas with VPC Service Controls so that API requests to Cloud Quotas stay within the VPC service perimeter boundary.
Limitations
Because VPC Service Controls enforces boundaries at the project level, Cloud Quotas requests that originate from clients within the perimeter can only access organization resources if the organization sets up an egress rule. To set up an egress rule, see the VPC Service Controls instructions for configuring ingress and egress policies.
Enforced actions
VPC Service Controls is only enforced on the following Cloud Quotas actions:
- Quota preference creation, update, get and list.
- Quota info get and list.
For examples of setting
QuotaPreference and
QuotaInfo, see the description of
the API resource model.
For reference information, see the
REST API overview.
Set up
Follow these steps to restrict the Cloud Quotas API to your VPC service perimeter:
Follow the instructions to set up the Cloud Quotas API.
Follow the VPC Service Controls Quickstart to complete the following tasks:
- Create a service perimeter.
- Add projects to the perimeter that you want to protect.
- Restrict the Cloud Quotas API. For example, see these instructions that add other Google Cloud APIs to the VPC service perimeter.
After setting up your service perimeter, VPC Service Controls checks calls to the Cloud Quotas API to help make sure that the calls originate from within the same perimeter.
What's next
- Learn about VPC Service Controls.
- See the Cloud Quotas entry in the VPC Service Controls supported products table.
- Refer to the description of the Cloud Quotas API resource model for examples.