VPC Service Controls

Prevent data exfiltration by creating isolation perimeters around your cloud resources, sensitive data, and networks.

  • Mitigate exfiltration risks by isolating multi-tenant services

  • Ensure sensitive data can only be accessed from authorized networks

  • Restrict resource access to allowed IP addresses, identities, and trusted client devices

  • Control which Google Cloud services are accessible from a VPC network

Benefits

Mitigate data exfiltration risks

Enforce a security perimeter with VPC Service Controls to isolate resources of multi-tenant Google Cloud services—reducing the risk of data exfiltration or data breach.

Keep data private inside the VPC

Configure private communication between cloud resources from VPC networks spanning cloud and on-premises hybrid deployments. Take advantage of fully managed tools like Cloud Storage, Bigtable, and BigQuery.

Deliver independent data access controls

VPC Service Controls delivers an extra layer of control with a defense-in-depth approach for multi-tenant services that helps protect service access from both insider and outsider threats.

Key features

Centrally manage multi-tenant service access at scale

With VPC Service Controls, enterprise security teams can define fine-grained perimeter controls and enforce that security posture across numerous Google Cloud services and projects. Users have the flexibility to create, update, and delete resources within service perimeters so they can easily scale their security controls.

Securely access multi-tenant services

VPC Service Controls enables context-aware access control for your cloud resources. Enterprises can create granular access control policies in Google Cloud based on attributes such as user identity and IP address. These policies help ensure that the appropriate security controls are in place when access to cloud resources is granted from the internet.

Establish virtual security perimeters for API-based services

Users can define a security perimeter around Google Cloud resources, such as Cloud Storage buckets, Bigtable instances, and BigQuery datasets, to constrain data within the perimeter and control how it flows in and out. With VPC Service Controls, enterprises can keep their sensitive data private while taking advantage of the fully managed storage and data processing capabilities of Google Cloud.


Documentation

Best Practice

Supported products and limitations

Explore a table of products and services that are supported by VPC Service Controls, as well as a list of known limitations with certain services and interfaces.

Best Practice

Service perimeter details and configuration

Learn all about service perimeters, including how they function, how to configure them, and the difference between enforced and dry-run perimeters.

Best Practice

Creating a service perimeter

Find out how to create a service perimeter, including how to include projects and protect services.

Best Practice

Setting up private connectivity to Google APIs and services

See how to use VPC Service Controls to control access to Google APIs and services from hosts that use private IP addresses.

Best Practice

Setting up Container Registry for GKE private clusters

Learn how to configure DNS entries for using Container Registry with a Google Kubernetes Engine private cluster and VPC Service Controls.

Best Practice

Cloud IAM Roles for administering VPC Service Controls

Uncover the Cloud Identity and Access Management (Cloud IAM) roles required to configure VPC Service Controls.

Google Cloud Basics

Concepts

Find an overview of VPC Service Controls along with a detailed guide covering everything from service perimeter configuration to audit logging.

Architecture

Transferring data from Amazon S3 to Cloud Storage

Learn how to harden data transfers from Amazon Simple Storage Service to Cloud Storage using Storage Transfer Service with a VPC Service Controls perimeter.

Architecture

Threat and data-theft prevention policies with VM-Series

Use a next generation firewall to reduce your threat footprint by centralizing management and extending security policies and controls to users, apps, and devices.


Use cases

Use case
Mitigate threats such as data exfiltration

VPC Service Controls lets customers address threats such as data theft, accidental data loss, and overly broad access to data stored in Google Cloud multi-tenant services. It lets clients control precisely which entities can access which services, reducing both intentional and unintentional data loss.

Use case
Isolate parts of the environment by trust level

VPC Service Controls delivers a method to segment the multi-tenant services environment and isolate services and data. It enables micro-segmentation of the environment based on service and identity. VPC Service Controls lets clients extend their networks to include multi-tenant Google Cloud services and control the ingress and egress of data.

Use case
Secure access to multi-tenant services

VPC Service Controls delivers zero-trust-style access to multi-tenant services such as GKE and BigQuery. Clients can restrict access to authorized IP addresses, client context, and device parameters when connecting to multi-tenant services from the internet or from other services. This lets clients keep their entire data processing pipeline private.

All features

Coverage of services

VPC Service Controls covers access from the internet to services, from service to service, and from VPC networks to services.

Rich security logging

Perimeter denials are recorded in Cloud Audit Logs, so you can maintain an ongoing log of access denials and spot potential malicious activity against Google Cloud resources. Separately, VPC Flow Logs capture information about the IP traffic going to and from network interfaces on Compute Engine. Both provide near real-time visibility.
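The two facts above that matter operationally are that an enforced perimeter writes a denial (status code 7, PERMISSION_DENIED) with VPC Service Controls metadata into Cloud Audit Logs, while a dry-run perimeter writes the same metadata with the dryRun flag set and lets the request through. The script below, an added example rather than code from Google Cloud or this page, triages an export of such log lines: it separates enforced denials from dry-run violations, flags principals that are repeatedly denied and any egress violation (an identity inside the perimeter pushing data to a resource outside it), and lists what will start failing when a dry-run perimeter is switched to enforced. The log lines, perimeter name, project numbers and principals are constructed for the example; the field layout follows the VPC Service Controls audit-log metadata but is reduced to the fields the triage needs.

```python
"""Triage VPC Service Controls violations from exported Cloud Audit Logs (added example)."""
import json
from collections import Counter, defaultdict

VPCSC_METADATA_TYPE = "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
PERIMETER = "accessPolicies/123456/servicePerimeters/prod_data"  # assumed perimeter name


def _entry(principal, ip, service, method, reason, dry_run=False, egress_target=None):
    """Constructed audit-log line in the shape VPC SC writes for a perimeter violation."""
    meta = {"@type": VPCSC_METADATA_TYPE, "dryRun": dry_run, "violationReason": reason,
            "securityPolicyInfo": {"servicePerimeterName": PERIMETER}}
    if egress_target:  # data leaving the perimeter for a resource outside it
        meta["egressViolations"] = [{"servicePerimeter": PERIMETER, "targetResource": egress_target}]
    else:  # a caller outside the perimeter reaching a protected resource
        meta["ingressViolations"] = [{"servicePerimeter": PERIMETER, "targetResource": "projects/111111111111"}]
    payload = {"authenticationInfo": {"principalEmail": principal}, "requestMetadata": {"callerIp": ip},
               "serviceName": service, "methodName": method, "metadata": meta}
    if not dry_run:  # an enforced perimeter rejects the call; a dry-run perimeter only records it
        payload["status"] = {"code": 7, "message": "Request is prohibited by organization's policy."}
    return json.dumps({"timestamp": "2024-05-01T12:00:00Z", "protoPayload": payload})


SAMPLE_LOG_LINES = [  # constructed, not captured from a real project
    _entry("alice@example.com", "203.0.113.10", "storage.googleapis.com", "storage.objects.list", "NO_MATCHING_ACCESS_LEVEL"),
    _entry("alice@example.com", "203.0.113.10", "storage.googleapis.com", "storage.objects.get", "NO_MATCHING_ACCESS_LEVEL"),
    _entry("alice@example.com", "203.0.113.10", "bigquery.googleapis.com", "jobs.insert", "NO_MATCHING_ACCESS_LEVEL"),
    _entry("etl-sa@prod-111111.iam.gserviceaccount.com", "10.0.0.5", "bigquery.googleapis.com", "jobs.insert",
           "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER", egress_target="projects/999999999999"),
    _entry("bob@example.com", "198.51.100.7", "bigquery.googleapis.com", "tables.getData",
           "NO_MATCHING_ACCESS_LEVEL", dry_run=True),
    # an ordinary IAM denial: status code 7 but no VPC SC metadata, so not a perimeter decision
    json.dumps({"protoPayload": {"status": {"code": 7}, "authenticationInfo": {"principalEmail": "carol@example.com"},
                                 "serviceName": "storage.googleapis.com", "methodName": "storage.objects.get"}}),
    "not a json line",  # sinks sometimes interleave non-JSON text; the parser must not abort on it
]


def parse_vpcsc_events(lines):
    """Keep only entries carrying VPC SC metadata and flatten the fields triage needs."""
    events = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        pp = entry.get("protoPayload") or {}
        meta = pp.get("metadata") or {}
        if meta.get("@type") != VPCSC_METADATA_TYPE:
            continue
        direction = "egress" if meta.get("egressViolations") else "ingress" if meta.get("ingressViolations") else "unknown"
        events.append({
            "principal": pp.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
            "caller_ip": pp.get("requestMetadata", {}).get("callerIp", "<unknown>"),
            "service": pp.get("serviceName"),
            "reason": meta.get("violationReason", "UNKNOWN"),
            "direction": direction,
            # exported logs may carry the flag as a bool or as the string "true"
            "dry_run": str(meta.get("dryRun", False)).lower() == "true",
        })
    return events


def summarize(events):
    """Separate enforced denials from dry-run violations; count the enforced ones by reason and principal."""
    enforced = [e for e in events if not e["dry_run"]]
    return {"enforced": len(enforced), "dry_run": len(events) - len(enforced),
            "by_reason": dict(Counter(e["reason"] for e in enforced)),
            "by_principal": dict(Counter(e["principal"] for e in enforced))}


def flag_suspicious(events, threshold=3):
    """Principals repeatedly denied, plus any egress violation (the exfiltration case) at all."""
    per_principal = defaultdict(list)
    for e in events:
        if not e["dry_run"]:
            per_principal[e["principal"]].append(e)
    findings = []
    for principal, evs in sorted(per_principal.items()):
        if len(evs) >= threshold:
            findings.append({"principal": principal, "kind": "repeated_denials", "count": len(evs),
                             "caller_ips": sorted({e["caller_ip"] for e in evs})})
        egress = [e for e in evs if e["direction"] == "egress"]
        if egress:
            findings.append({"principal": principal, "kind": "egress_violation", "count": len(egress),
                             "services": sorted({e["service"] for e in egress})})
    return findings


def dry_run_impact(events):
    """(principal, service, reason) triples that will start failing once the perimeter is enforced."""
    return sorted({(e["principal"], e["service"], e["reason"]) for e in events if e["dry_run"]})


if __name__ == "__main__":
    evs = parse_vpcsc_events(SAMPLE_LOG_LINES)
    print(json.dumps({"summary": summarize(evs), "findings": flag_suspicious(evs),
                      "would_break_on_enforcement": dry_run_impact(evs)}, indent=2))
```

Run against a real export, the same functions take the JSON lines of a Cloud Logging sink filtered on the VPC Service Controls metadata type; the dry-run list is the checklist to clear (add an access level or ingress/egress rule, or accept the break) before flipping a perimeter from dry run to enforced.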

Support for hybrid environments

Configure private communication to cloud resources from VPC networks that span cloud and on-premises hybrid deployments using Private Google Access.

Secure communication

Securely share data across service perimeters with full control over which resources may connect to one another or to the outside.

Context-aware access

Control access to Google Cloud services from the internet based on context-aware access attributes like IP address and a user’s identity.

Perimeter security for managed Google Cloud services

Configure service perimeters to control communications between virtual machines and managed Google Cloud resources. Service perimeters allow free communication within the perimeter and block calls to restricted services that cross the perimeter boundary unless an access level or ingress/egress rule explicitly allows them.

Pricing

There is no separate charge for using VPC Service Controls.
