VPC Service Controls is a Google Cloud feature that lets you set up a secure perimeter to guard against data exfiltration. This guide shows how to include Cloud Scheduler jobs in a VPC Service Controls perimeter.
Limitations
The following limitations apply to VPC Service Controls support for Cloud Scheduler.
Enforced actions
VPC Service Controls is only enforced on the following actions:
- Cloud Scheduler job creation
- Cloud Scheduler job updates
Why does this matter?
Because VPC Service Controls is only enforced on job creation and job updates, VPC Service Controls is not automatically enforced for jobs that were created before you added Cloud Scheduler to your VPC Service Controls perimeter. Jobs continue to execute even if the job targets aren't part of your VPC Service Controls perimeter or are not supported targets. To enforce VPC Service Controls for all Cloud Scheduler jobs:
- Jobs with targets that are either unsupported or are outside your perimeter: Delete the jobs. In this document, see Delete non-compliant jobs.
- Jobs with targets that are both supported and inside your perimeter: Run an update on each job after adding Cloud Scheduler to your perimeter. In this document, see Enforce VPC Service Controls on pre-existing jobs.
Supported targets
The Cloud Scheduler integration with VPC Service Controls supports the following targets. HTTP endpoints are supported if listed; however, arbitrary HTTP endpoints are not supported.
- Cloud Run functions—on the functions.net URL
- Cloud Run—on the run.app URL for Cloud Run services. Cloud Run job targets are not supported. To learn about the difference between Cloud Run service and job resources, see Services and jobs: two ways to run your code.
- Dataflow API—must be in the same Google Cloud project as your Cloud Scheduler job
- Data Pipelines—must be in the same Google Cloud project as your Cloud Scheduler job
- Pub/Sub—must be in the same Google Cloud project as your Cloud Scheduler job
Delete non-compliant jobs
Recommended. Delete Cloud Scheduler jobs with targets that are either:
- Unsupported (see Supported targets)
- Outside of the VPC Service Controls perimeter you plan to use
For instructions on deleting jobs, see Delete a job.
If you don't delete these jobs before adding Cloud Scheduler to your VPC Service Controls perimeter, the jobs continue to run, but VPC Service Controls is not enforced on them. In this document, see Enforced actions.
For example, if you have a Cloud Scheduler job that targets an unsupported target (such as a Cloud Run custom domain), the job continues to run after you add Cloud Scheduler to your VPC Service Controls perimeter, but it is not protected by VPC Service Controls. The same is true for a pre-existing job with a target outside of your VPC Service Controls perimeter.
Add required IAM roles
Required. In order to use VPC Service Controls, the Cloud Scheduler service account must have the Cloud Scheduler Service Agent IAM role. The Cloud Scheduler service account is created for your project automatically. To verify that it has the Cloud Scheduler Service Agent IAM role, or to grant this role, take the following steps:
In the Google Cloud console, go to IAM.
Select the Include Google-provided role grants checkbox.
In the filter, type Cloud Scheduler Service Account, and select this principal.
Look at the Role column for the Cloud Scheduler Service Account principal. You can proceed if the following role is listed:
- Cloud Scheduler Service Agent
If the Cloud Scheduler Service Agent role is not listed, click the Edit icon and grant the Cloud Scheduler Service Agent role to the Cloud Scheduler Service Account principal.
Specify a VPC Service Controls perimeter
Required. You can use an existing perimeter or create a new perimeter to protect your Cloud Scheduler jobs that have supported targets. Both approaches let you specify the services to restrict; when you do, specify the Cloud Scheduler API.
Existing perimeters: To update an existing VPC Service Controls perimeter to include Cloud Scheduler, follow the steps for updating a service perimeter.
New perimeters: To create a new perimeter for Cloud Scheduler, follow the steps to create a service perimeter.
Enforce VPC Service Controls on pre-existing jobs
Recommended. To enforce VPC Service Controls on Cloud Scheduler jobs that you created before you added Cloud Scheduler to your VPC Service Controls perimeter, run an update on the job. You don't have to change the job, but you must run the update in order for VPC Service Controls to apply to the job and its future executions.
You can run an update for the job from the Google Cloud console (select the job and use the Edit button), using the API, or with the gcloud CLI.
To enforce VPC Service Controls on a pre-existing job by using the gcloud CLI, run the following:
HTTP targets
gcloud scheduler jobs update http JOB_ID
Replace the following:
JOB_ID: the ID of your job
Pub/Sub targets
gcloud scheduler jobs update pubsub JOB_ID
Replace the following:
JOB_ID: the ID of your job
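The procedure under Enforced actions (delete jobs whose targets are unsupported or outside the perimeter, run an update on the rest) and the update commands just shown can be carried out over a whole job inventory at once. The script below is an added example; it is not part of the Google Cloud documentation or of the gcloud CLI. It applies the supported-target rules from this page to an inventory of jobs and prints, for each job, the gcloud command to run. Assumptions, also marked in the code: Cloud Run service hosts end in `.run.app` and Cloud Run function hosts end in `.cloudfunctions.net` (the functions.net URL the page refers to); only `https` URLs count; the inventory lines and the sample jobs are constructed; `--location` and `--project` are passed explicitly. The classifier can only tell supported from unsupported targets, so a supported target whose project is outside your perimeter still has to be identified and deleted by hand.

```shell
#!/bin/sh
# Added audit helper (not from the Google Cloud docs or gcloud). It applies the
# supported-target rules on this page to a job inventory and prints, per job,
# the gcloud command that brings it under VPC Service Controls enforcement:
# an update for supported targets, a delete for unsupported ones.

# classify_target PROJECT KIND TARGET
#   KIND   : http | pubsub | appengine (which target field the job uses)
#   TARGET : the HTTP URI, or the Pub/Sub topic as projects/P/topics/T
# Prints "supported" or "unsupported".
classify_target() {
  project=$1; kind=$2; target=$3
  case "$kind" in
    http)
      # Only https URLs are considered (assumption). The host is cut out of the
      # URL with path, query, fragment and port removed, so that a custom domain
      # whose path merely contains "run.app" is not mistaken for a run.app host.
      case "$target" in
        https://*) host=${target#https://}; host=${host%%[/?#]*}; host=${host%%:*} ;;
        *) echo unsupported; return 0 ;;
      esac
      # Assumed host suffixes: *.run.app for Cloud Run services and
      # *.cloudfunctions.net for the functions.net URL the page refers to.
      case "$host" in
        *.run.app|*.cloudfunctions.net) echo supported ;;
        *) echo unsupported ;;
      esac ;;
    pubsub)
      # Pub/Sub is supported only when the topic is in the job's own project.
      case "$target" in
        projects/"$project"/topics/*) echo supported ;;
        *) echo unsupported ;;
      esac ;;
    *)
      # App Engine HTTP targets and anything else are not supported targets.
      echo unsupported ;;
  esac
}

# recommend_action PROJECT KIND TARGET JOB_ID LOCATION
# Prints the gcloud command for the job: an unchanged update (enough for VPC
# Service Controls to apply from now on) when the target is supported, a delete
# when it is not. A supported target whose project is outside the perimeter
# must also be deleted; that check is not automated here.
recommend_action() {
  if [ "$(classify_target "$1" "$2" "$3")" = supported ]; then
    echo "gcloud scheduler jobs update $2 $4 --location=$5 --project=$1"
  else
    echo "gcloud scheduler jobs delete $4 --location=$5 --project=$1"
  fi
}

# audit_jobs reads "PROJECT KIND TARGET JOB_ID LOCATION" lines from stdin and
# prints "CLASS<TAB>COMMAND" per job. Producing such lines from
# `gcloud scheduler jobs list` output is left to the reader (assumed usage).
audit_jobs() {
  while read -r project kind target job location; do
    [ -n "$job" ] || continue
    class=$(classify_target "$project" "$kind" "$target")
    cmd=$(recommend_action "$project" "$kind" "$target" "$job" "$location")
    printf '%s\t%s\n' "$class" "$cmd"
  done
}

# Constructed sample inventory; none of these are real projects or jobs.
sample_inventory() {
  cat <<'EOF'
my-proj http https://us-central1-my-proj.cloudfunctions.net/nightly fn-job us-central1
my-proj http https://report-svc-abc123-uc.a.run.app/generate run-job us-central1
my-proj http https://reports.example.com/run.app/generate custom-domain-job us-central1
my-proj pubsub projects/my-proj/topics/ticks tick-job us-central1
my-proj pubsub projects/other-proj/topics/ticks cross-proj-job us-central1
my-proj appengine /tasks/cleanup gae-job us-central1
EOF
}

# Number of sample jobs that must be deleted rather than updated.
count_unsupported() {
  sample_inventory | audit_jobs | grep -c '^unsupported'
}

sample_inventory | audit_jobs
```

Run the script as is to see the plan for the constructed sample: the function, run.app and same-project Pub/Sub jobs get an update command, while the custom-domain, cross-project Pub/Sub and App Engine jobs get a delete command. Review the printed commands before executing any of them; the script itself never calls gcloud.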