Stay organized with collections
Save and categorize content based on your preferences.
This page shows you how to protect your Google Cloud NetApp Volumes
volumes with a service perimeter using VPC Service Controls.
VPC Service Controls improve the security of Google Cloud services by creating a
service perimeter that prevents unauthorized data access. This perimeter
protects against accidental or intentional data exfiltration attempts from
external or internal entities. To grant access, you need to add entities to your
perimeter. For more information about VPC Service Controls, see VPC Service Controls overview.
VPC Service Controls protect access to the NetApp Volumes API,
which is used for administrative management of NetApp Volumes
resources. You can't access a volume's content with this API.
Data access to the content of a volume is granted using the NFS or SMB protocol.
The security of data access is protected through volume and file access controls
specific to these protocols which are independent of VPC Service Controls. To
connect to a volume, a NFS or SMB client needs to be connected to the same
network as the volume. For more information, see the following sections:
Add the NetApp Volumes API to your service perimeter.
For instructions on adding a service to your service perimeter, see
Update a service perimeter.
VPC Service Controls limitations
Some features of NetApp Volumes require access to Google
resources within your perimeter. The following features are known to cause
issues when you enable VPC Service Controls.
Customer-managed encryption keys (CMEK): NetApp Volumes
needs access to the KMS key you specified for CMEK. Google Cloud Customer Care
can provide you with the required VPC-SC rules to resolve the issues. You can
open a support case with Google Cloud Customer Care.
Integrated Backup: Google Cloud Customer Care can provide you with the
required VPC-SC rules to resolve the issues. You can open a support case with
Google Cloud Customer Care.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Secure NetApp Volumes with a service perimeter\n\nThis page shows you how to protect your Google Cloud NetApp Volumes\nvolumes with a service perimeter using VPC Service Controls.\n\nVPC Service Controls improve the security of Google Cloud services by creating a\nservice perimeter that prevents unauthorized data access. This perimeter\nprotects against accidental or intentional data exfiltration attempts from\nexternal or internal entities. To grant access, you need to add entities to your\nperimeter. For more information about VPC Service Controls, see [VPC Service Controls overview](/vpc-service-controls/docs/overview).\n\nVPC Service Controls protect access to the NetApp Volumes API,\nwhich is used for administrative management of NetApp Volumes\nresources. You can't access a volume's content with this API.\n\nData access to the content of a volume is granted using the NFS or SMB protocol.\nThe security of data access is protected through volume and file access controls\nspecific to these protocols which are independent of VPC Service Controls. To\nconnect to a volume, a NFS or SMB client needs to be connected to the same\nnetwork as the volume. For more information, see the following sections:\n\n- [Volume access controls for NFS protocols](/netapp/volumes/docs/before-you-begin/security-considerations#volume_access_controls_for_nfs_protocols)\n\n- [Volume access controls for SMB protocols](/netapp/volumes/docs/before-you-begin/security-considerations#volume_access_controls_for_smb_protocol)\n\n- [File access control](/netapp/volumes/docs/before-you-begin/security-considerations#file_access_control)\n\nSecure your volumes using VPC Service Controls\n----------------------------------------------\n\n1. [Create a service perimeter](/vpc-service-controls/docs/create-service-perimeters).\n\n2. Add the NetApp Volumes API to your service perimeter.\n For instructions on adding a service to your service perimeter, see\n [Update a service perimeter](/vpc-service-controls/docs/manage-service-perimeters#update).\n\nVPC Service Controls limitations\n--------------------------------\n\nSome features of NetApp Volumes require access to Google\nresources within your perimeter. The following features are known to cause\nissues when you enable VPC Service Controls.\n\n- **Customer-managed encryption keys (CMEK)** : NetApp Volumes\n needs access to the KMS key you specified for CMEK. Google Cloud Customer Care\n can provide you with the required VPC-SC rules to resolve the issues. You can\n open a support case with [Google Cloud Customer Care](https://cloud.google.com/support-hub/).\n\n- **Integrated Backup** : Google Cloud Customer Care can provide you with the\n required VPC-SC rules to resolve the issues. You can open a support case with\n [Google Cloud Customer Care](https://cloud.google.com/support-hub/).\n\nFor more information about products and services that are supported by VPC Service Controls,\nsee [Supported products and limitations](/vpc-service-controls/docs/supported-products#table_netapp_volumes).\n\nWhat's next\n-----------\n\n[Configure access](/netapp/volumes/docs/get-started/configure-access/workflow)\nto Google Cloud NetApp Volumes."]]
