VPC Service Controls for BigQuery

This page explains how to enhance security around BigQuery resources by creating perimeters with VPC Service Controls. These perimeters restrict access to and from BigQuery and are independent from Identity and Access Management (IAM) controls. They're useful in the following use cases:

  • Preventing data leakage by restricting access to resources, except those specifically allowed in the ingress and egress rules.
  • Securely loading data into BigQuery from third-party sources or Google Cloud services, such as Cloud Storage.
  • Controlling data export from BigQuery to Cloud Storage or other targets.

For more information, see the overview of VPC Service Controls.

Before you begin

  • To get the permissions that you need to configure service perimeters, see Access control with IAM for VPC Service Controls.
  • You must have an access policy for your organization. For more information, see Create an access policy.

Create the VPC Service Controls perimeter

The following example shows how to create a VPC Service Controls perimeter that limits the range of external IP addresses that can access a BigQuery project.

  1. Create an access level that only allows access to a specified range of IP addresses—for example, those within a corporate network. To create it, use the gcloud access-context-manager levels create command:

    echo """
    - ipSubnetworks:
      - 162.222.181.0/24
      - 2001:db8::/48
    """ > level.yaml
    gcloud access-context-manager levels create ACCESS_LEVEL_NAME \
        --title="TITLE" --basic-level-spec=level.yaml

    Replace the following:

    • ACCESS_LEVEL_NAME: the ID of the access level
    • TITLE: the human-readable title for the access level

    For more information about creating access levels, see the example implementations.

  2. Protect the BigQuery resource by creating or updating a perimeter. The following examples protect a project. For other use cases, such as protecting data transfer from a Cloud Storage bucket in another project, see the use cases.

    Create perimeter

    To create a new perimeter to protect the BigQuery project, use the gcloud access-context-manager perimeters create command:

    echo """
    - ingressFrom:
        identityType: ANY_IDENTITY
        sources:
        - accessLevel: accessPolicies/POLICY_NAME/accessLevels/ACCESS_LEVEL_NAME
      ingressTo:
        operations:
        - methodSelectors:
          - method: '*'
          serviceName: bigquery.googleapis.com
        resources:
        - '*'
    """ > ingress.yaml
    gcloud access-context-manager perimeters create BIGQUERY_PERIMETER --title="TITLE" \
        --resources=BIGQUERY_PROJECT_NUMBER \
        --restricted-services=bigquery.googleapis.com \
        --ingress-policies=ingress.yaml \
        --policy=POLICY_NAME

    Replace the following:

    • POLICY_NAME: the ID of the access policy
    • ACCESS_LEVEL_NAME: the ID of the access level
    • BIGQUERY_PERIMETER: the ID of the perimeter
    • TITLE: the short, human-readable title for the service perimeter
    • BIGQUERY_PROJECT_NUMBER: the project number of the BigQuery project

    Update perimeter

    To update an existing perimeter, use the gcloud access-context-manager perimeters update command:

    gcloud access-context-manager perimeters update BIGQUERY_PERIMETER \
        --set-ingress-policies=ingress.yaml

    Replace BIGQUERY_PERIMETER with the ID of the perimeter protecting the BigQuery resource.

Test the perimeter

Test your VPC Service Controls perimeter before enforcing it. For more information, see Dry run mode for service perimeters and Using dry-run mode to test ingress or egress policies.

Use cases

The following use case examples show how to protect data going in and out of BigQuery with VPC Service Controls.

Query external table data from a Cloud Storage bucket in another project

The following examples show how to selectively allow communication between the BigQuery and Cloud Storage projects when they are separated by perimeters.

  1. Allow the BigQuery project to access the Cloud Storage project by updating the egress rules for the perimeter around the Cloud Storage project:

    echo """
    - egressFrom:
        identityType: ANY_IDENTITY
      egressTo:
        operations:
        - methodSelectors:
          - method: '*'
          serviceName: storage.googleapis.com
        resources:
        - projects/BIGQUERY_PROJECT_NUMBER
    """ > egress.yaml
    gcloud access-context-manager perimeters update CLOUD_STORAGE_PERIMETER \
        --policy=POLICY_NAME --set-egress-policies=egress.yaml

    Replace the following:

    • BIGQUERY_PROJECT_NUMBER: the project number of the BigQuery project
    • CLOUD_STORAGE_PERIMETER: the ID of the perimeter protecting the Cloud Storage resources
    • POLICY_NAME: the ID of the access policy
  2. Allow the Cloud Storage project to access the BigQuery project by updating the egress rules for the perimeter around the BigQuery project:

    echo """
    - egressFrom:
        identityType: ANY_IDENTITY
      egressTo:
        operations:
        - methodSelectors:
          - method: '*'
          serviceName: storage.googleapis.com
        resources:
        - projects/CLOUD_STORAGE_PROJECT_NUMBER
    """ > egress1.yaml
    gcloud access-context-manager perimeters update BIGQUERY_PERIMETER \
        --policy=POLICY_NAME --set-egress-policies=egress1.yaml

    Replace the following:

    • CLOUD_STORAGE_PROJECT_NUMBER: the project number of the Cloud Storage project
    • BIGQUERY_PERIMETER: the ID of the perimeter protecting the BigQuery project
    • POLICY_NAME: the ID of the access policy
  3. Optional: if the perimeter protecting the BigQuery project includes storage.googleapis.com as a restricted service, you must update the ingress rule:

    echo """
    - ingressFrom:
        identityType: ANY_IDENTITY
        sources:
        - accessLevel: accessPolicies/POLICY_NAME/accessLevels/ACCESS_LEVEL_NAME
      ingressTo:
        operations:
        - methodSelectors:
          - method: '*'
          serviceName: bigquery.googleapis.com
        - methodSelectors:
          - method: '*'
          serviceName: storage.googleapis.com
        resources:
        - '*'
    """ > ingress.yaml
    gcloud access-context-manager perimeters create BIGQUERY_PERIMETER --title="TITLE" \
        --resources=BIGQUERY_PROJECT_NUMBER \
        --restricted-services=bigquery.googleapis.com \
        --ingress-policies=ingress.yaml \
        --policy=POLICY_NAME
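Before enforcing a perimeter (or moving it out of dry run), it is worth auditing the ingress and egress rule files written above for rules that are broader than the prose intends. The following Python is an added example, not code from this page or from Google's tooling: it takes rule lists of the shape in ingress.yaml and egress.yaml, already parsed (for example with yaml.safe_load), and flags rules that admit any identity without a source restriction, allow egress to every resource, or select every service. The rule contents below are constructed inline so the check runs offline.

```python
import re

# Rule lists as yaml.safe_load would return them for the files above
# (constructed inline for this example; placeholders kept as on the page).
PAGE_STYLE_INGRESS = [{
    "ingressFrom": {
        "identityType": "ANY_IDENTITY",
        "sources": [{"accessLevel":
                     "accessPolicies/POLICY_NAME/accessLevels/ACCESS_LEVEL_NAME"}],
    },
    "ingressTo": {
        "operations": [{"methodSelectors": [{"method": "*"}],
                        "serviceName": "bigquery.googleapis.com"}],
        "resources": ["*"],
    },
}]

TOO_BROAD = [
    # Ingress from ANY_IDENTITY with no access level or project in sources.
    {"ingressFrom": {"identityType": "ANY_IDENTITY"},
     "ingressTo": {"operations": [{"methodSelectors": [{"method": "*"}],
                                  "serviceName": "*"}],
                   "resources": ["*"]}},
    # Egress that lets any identity call Cloud Storage in any project.
    {"egressFrom": {"identityType": "ANY_IDENTITY"},
     "egressTo": {"operations": [{"methodSelectors": [{"method": "*"}],
                                 "serviceName": "storage.googleapis.com"}],
                  "resources": ["*"]}},
]

ACCESS_LEVEL_RE = re.compile(r"^accessPolicies/[^/]+/accessLevels/[^/]+$")


def audit_rules(rules):
    """Return (rule_index, finding) pairs for rules a reviewer should question."""
    findings = []
    for i, rule in enumerate(rules):
        kind = "ingress" if "ingressFrom" in rule else "egress"
        src = rule.get(kind + "From", {})
        dst = rule.get(kind + "To", {})
        sources = src.get("sources", [])
        if src.get("identityType") == "ANY_IDENTITY":
            if kind == "ingress" and not sources:
                findings.append((i, "ingress from ANY_IDENTITY with no source restriction"))
            if kind == "egress" and "*" in dst.get("resources", []):
                findings.append((i, "egress for ANY_IDENTITY to any resource"))
        for s in sources:  # accessLevel names must be fully qualified
            lvl = s.get("accessLevel")
            if lvl and not ACCESS_LEVEL_RE.match(lvl):
                findings.append((i, "malformed accessLevel name: " + lvl))
        if any(op.get("serviceName") == "*" for op in dst.get("operations", [])):
            findings.append((i, "operation selector covers every service"))
    return findings
```

The page's own ingress rule passes cleanly because its ANY_IDENTITY is scoped by an access level; the two constructed rules each produce findings.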

Import and export data from BigQuery Omni

As an extra layer of defense, you can use VPC Service Controls perimeters to restrict access between BigQuery Omni and an external cloud service. For more information and examples, see the VPC Service Controls configuration for when you create an Azure Blob Storage BigLake table.


Last updated 2026-02-18 UTC.