Service perimeter details and configuration
This page describes service perimeters and includes the high-level steps for configuring perimeters.
About service perimeters
This section provides details about the way service perimeters function, and the differences between enforced and dry run perimeters.
To protect Google Cloud services in your projects and mitigate the risk of data exfiltration, you can specify service perimeters at the project or VPC network level. For more information about the benefits of service perimeters, see Overview of VPC Service Controls.
In addition, the services that are accessible inside a perimeter, such as from VMs in a VPC network that is hosted inside a perimeter, can be restricted using the VPC accessible services feature.
Enforced mode
Enforced mode is the default mode for service perimeters. When a service perimeter is enforced, requests that violate the perimeter policy, such as requests to restricted services from outside a perimeter, are denied.
A perimeter in enforced mode protects Google Cloud resources by enforcing the perimeter boundary for the services restricted in the perimeter configuration. API requests to restricted services do not cross the perimeter boundary unless the conditions of the necessary ingress and egress rules of the perimeter are satisfied. An enforced perimeter protects against data exfiltration risks, such as stolen credentials, misconfigured permissions, or malicious insiders that have access to the projects.
Dry run mode
In dry run mode, requests that violate the perimeter policy are not denied but only logged. Dry run service perimeters are used to test perimeter configuration and to monitor usage of services without preventing access to resources. The following are some of the common use cases:
Determining the impact when you change existing service perimeters.
Previewing the impact when you add new service perimeters.
Monitoring requests to restricted services that originate from outside a service perimeter. For example, to identify where requests to a given service come from, or to identify unexpected service usage in your organization.
Creating a perimeter architecture in your development environment that is analogous to your production environment. You can identify and mitigate any issues caused by your service perimeters before submitting changes to your production environment.
For more information, see Dry run mode.
Service perimeter configuration stages
To configure VPC Service Controls, you can use the Google Cloud console, the gcloud command-line tool, or the Access Context Manager APIs.
You can configure VPC Service Controls as described in the following high-level steps:
Create an access policy.
Secure Google-managed resources with service perimeters.
Set up VPC accessible services to add additional restrictions to how services can be used inside your perimeters (optional).
Set up private connectivity from a VPC network (optional).
Allow context-aware access from outside a service perimeter using ingress rules (optional).
Configure secure data exchange using ingress and egress rules (optional).
Create an access policy
An access policy collects the service perimeters and access levels you create for your organization. An organization can have one access policy for the entire organization and multiple scoped access policies for the folders and projects.
You can use the Google Cloud console, the gcloud command-line tool, or the Access Context Manager APIs to create an access policy.
To learn more about Access Context Manager and access policies, read the overview of Access Context Manager.
Secure Google-managed resources with service perimeters
Service perimeters are used to protect services used by projects in your organization. After identifying the projects and services you want to protect, create one or more service perimeters.
Note: If you're using Shared VPC, you must include the host project in a service perimeter along with any projects that belong to the Shared VPC. To learn more about how service perimeters work and what services VPC Service Controls can be used to secure, read the Overview of VPC Service Controls.
Some services have limitations with how they can be used with VPC Service Controls. If you encounter issues with your projects after setting up your service perimeters, read Troubleshooting.
Set up VPC accessible services
When you enable VPC accessible services for a perimeter, access from network endpoints inside your perimeter is limited to a set of services that you specify.
To learn more about how to limit access inside your perimeter to only a specific set of services, read about VPC accessible services.
Set up private connectivity from a VPC network
To provide additional security for VPC networks and on-premises hosts that are protected by a service perimeter, we recommend using Private Google Access. For more information, see private connectivity from on-premises networks.
To learn about configuring private connectivity, read Setting up private connectivity to Google APIs and services.
Restricting access to Google Cloud resources to only private access from VPC networks means that access using interfaces such as the Google Cloud console and the Cloud Monitoring console is denied. You can continue to use the gcloud command-line tool or API clients from VPC networks that share a service perimeter or perimeter bridge with the restricted resources.
Allow context-aware access from outside a service perimeter using ingress rules
You can allow context-aware access to resources restricted by a perimeter based on client attributes. You can specify client attributes, such as identity type (service account or user), identity, device data, and network origin (IP address or VPC network).
For example, you can set up ingress rules to allow internet access to resources within a perimeter based on the range of IPv4 and IPv6 addresses. For more information about using ingress rules to set up context-aware access, see Context-aware access.
Configure secure data exchange using ingress and egress rules
A project can be included in only one service perimeter. If you want to allow communication across the perimeter boundary, set up ingress and egress rules. For example, you can specify ingress and egress rules to let projects from multiple perimeters share logs in a separate perimeter. To learn more about secure data exchange use cases, read secure data exchange.
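The following shell script is an added example and is not part of the Google Cloud documentation. It ties together the configuration stages above (access level, perimeters, ingress and egress rules) for the log-sharing scenario just described: a workload perimeter is allowed to send logs only to a separate logging perimeter, and the logging perimeter accepts Logging API calls from that workload project and from a corporate IP range. The script writes the rule files and prints the gcloud commands that would create both perimeters in dry run mode, so that violations are logged rather than denied while the design is validated. The policy ID, project numbers, the 203.0.113.0/24 range and the perimeter and access level names are constructed placeholders; the YAML keys and gcloud flag spellings are assumed from the Access Context Manager reference and should be confirmed with `gcloud access-context-manager perimeters dry-run create --help` before use.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation page.
# Writes the access level spec and the ingress/egress rule files for a
# log-sharing design and prints the gcloud commands that would create the
# perimeters in dry run mode. Nothing here calls gcloud itself.
# All IDs below are constructed placeholders.
set -eu

POLICY_ID="${POLICY_ID:-POLICY_ID_PLACEHOLDER}"          # access policy number (placeholder)
LOG_PROJECT="${LOG_PROJECT:-projects/111111111111}"        # logging perimeter project (constructed)
APP_PROJECT="${APP_PROJECT:-projects/222222222222}"        # workload perimeter project (constructed)
CORP_CIDR="${CORP_CIDR:-203.0.113.0/24}"                   # documentation range standing in for a corporate egress range
OUT_DIR="${OUT_DIR:-${TMPDIR:-/tmp}/vpcsc-example}"

# Basic access level spec: requests must originate from the corporate range.
write_level_spec() {
  cat > "$1" <<EOF
- ipSubnetworks:
  - ${CORP_CIDR}
EOF
}

# Egress rules for the workload perimeter: any identity inside the perimeter may
# call the Logging API, but only against the logging project.
write_egress_rules() {
  cat > "$1" <<EOF
- egressFrom:
    identityType: ANY_IDENTITY
  egressTo:
    operations:
    - serviceName: logging.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - ${LOG_PROJECT}
EOF
}

# Ingress rules for the logging perimeter: accept Logging API calls that come
# from the workload project, and user access that satisfies the corp_network level.
write_ingress_rules() {
  cat > "$1" <<EOF
- ingressFrom:
    identityType: ANY_IDENTITY
    sources:
    - resource: ${APP_PROJECT}
  ingressTo:
    operations:
    - serviceName: logging.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - ${LOG_PROJECT}
- ingressFrom:
    identityType: ANY_USER_ACCOUNT
    sources:
    - accessLevel: accessPolicies/${POLICY_ID}/accessLevels/corp_network
  ingressTo:
    operations:
    - serviceName: logging.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - ${LOG_PROJECT}
EOF
}

# Commands to create the access level and both perimeters. The perimeters are
# created in dry run mode; after reviewing the dry run logs, each one is
# promoted with: gcloud access-context-manager perimeters dry-run enforce NAME --policy=POLICY
perimeter_commands() {
  cat <<EOF
gcloud access-context-manager levels create corp_network --title="Corporate network" --basic-level-spec=${OUT_DIR}/corp_level.yaml --policy=${POLICY_ID}
gcloud access-context-manager perimeters dry-run create logging_perimeter --perimeter-title="Central logging" --perimeter-type=regular --perimeter-resources=${LOG_PROJECT} --perimeter-restricted-services=logging.googleapis.com --perimeter-ingress-policies=${OUT_DIR}/logging_ingress.yaml --policy=${POLICY_ID}
gcloud access-context-manager perimeters dry-run create app_perimeter --perimeter-title="Workload" --perimeter-type=regular --perimeter-resources=${APP_PROJECT} --perimeter-restricted-services=logging.googleapis.com,storage.googleapis.com --perimeter-egress-policies=${OUT_DIR}/app_egress.yaml --policy=${POLICY_ID}
EOF
}

main() {
  mkdir -p "$OUT_DIR"
  write_level_spec "$OUT_DIR/corp_level.yaml"
  write_egress_rules "$OUT_DIR/app_egress.yaml"
  write_ingress_rules "$OUT_DIR/logging_ingress.yaml"
  perimeter_commands
}

main
```

Run it with `POLICY_ID`, `LOG_PROJECT` and `APP_PROJECT` set to real values to get the rule files under `OUT_DIR` and the commands to review. The egress side deliberately names only the logging project as a destination: an identity inside the workload perimeter that can reach the Logging API for any project would be able to move data out of the perimeter through that service.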
Last updated 2026-02-18 UTC.