Bucket IP filtering

This page provides an overview of bucket IP filtering, including its benefits, how it works, supported locations, and limitations to consider.

Overview

Cloud Storage offers bucket IP filtering to manage access to your data stored in buckets.

Bucket IP filtering is a network security mechanism that restricts access to a bucket based on the source IP address of the request and secures your data from unauthorized access.

The bucket IP filtering feature for Cloud Storage enables fine-grained access control based on IPv4 or IPv6 address ranges or the Google Cloud Virtual Private Cloud. You can configure a list of IP ranges at the bucket level, and all incoming requests to the bucket are restricted to the configured IP ranges and VPCs. This feature provides a way to secure sensitive data in Cloud Storage buckets and prevent unauthorized access from specific IP addresses or VPCs.

Benefits

Bucket IP filtering for Cloud Storage offers the following benefits:

  • Fine-grained access control: Restrict access to your Cloud Storage buckets based on the specific IP address (IPv4 or IPv6) or Google Cloud Virtual Private Cloud of the requester. Bucket IP filtering acts as a strong network-level security layer, preventing unauthorized access from unknown or untrusted sources.

  • Enhanced security: By limiting access to authorized IP addresses or VPCs, you can reduce the risk of unauthorized access, data breaches, and malicious activity.

  • Flexible configuration: You can configure and manage lists of IP ranges at the bucket level, tailoring the access control to your specific requirements.

IP filtering configurations

Bucket IP filtering helps you control access to your buckets by defining rules that permit requests from specific IPv4 and IPv6 addresses. Incoming requests are evaluated against these rules to determine access permissions.

When you configure IP filtering, you define rules based on the following settings:

  • Public internet access: You can define rules to manage requests originating from the public internet (outside any configured Virtual Private Cloud). These rules specify allowed IPv4 or IPv6 addresses using CIDR ranges, authorizing inbound traffic from those sources.

  • Virtual private cloud (VPC) access: For granular control over access from specific VPC networks, you can define rules for each network. These rules include allowed IP ranges, enabling precise management of access from your virtual network infrastructure.

  • Service agent access: Google Cloud service agents retain access to buckets, even with an active IP filtering configuration. You can set up a configuration that allows Google Cloud services such as BigLake, Storage Insights, Vertex AI, and BigQuery to bypass the IP filter validation when accessing your buckets.

  • Cross-organization VPC access: To securely share data with trusted VPC networks located in different Google Cloud organizations, you can define rules to permit their access to your bucket.

Limitations

Bucket IP filtering has the following limitations:

  • Maximum number of IP CIDR blocks: You can specify a maximum of 200 IP CIDR blocks across public and VPC networks in the IP filter rule for a bucket.

  • Maximum number of VPC networks: You can specify a maximum of 25 VPC networks in the IP filter rules for a bucket.

  • Regional endpoints: Regional endpoints work with IP filtering only when you use Private Service Connect.

  • IPv6 support: IP filtering with gRPC direct path is not supported on an IPv4 VM. When you use IP filtering with gRPC direct path, you must enable IPv6 support on the VPC network.

  • Blocked Google Cloud services: Enabling IP filtering on Cloud Storage buckets restricts access for some Google Cloud services, regardless of whether they use a service agent to interact with Cloud Storage. For example, services such as BigQuery use Cloud Storage for importing and exporting data. To prevent service disruptions, we recommend not using IP filtering on Cloud Storage buckets accessed by the following services:
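To make the rule model in "IP filtering configurations" and the limits above concrete, here is an added Python example (not Google's code and not part of this page) that evaluates sample requests against a bucket IP filter and checks a configuration against the documented 200-CIDR and 25-VPC limits before it is applied. The configuration dict follows the field names of the bucket `ipFilter` resource as the author recalls them (`mode`, `publicNetworkSource`, `vpcNetworkSources`, `allowCrossOrgVpcs`, `allowAllServiceAgentAccess`); treat those names, the `Request` type, and the sample CIDR ranges and network name as assumptions to confirm against the API reference. The evaluation order (service-agent bypass, then public versus VPC source, then cross-organization gating) is the author's reading of the page, not a statement of how Cloud Storage implements it.

```python
"""Evaluate a Cloud Storage bucket IP filter offline and check it against the documented limits.

Added example, not Google's code. Field names mirror the bucket ipFilter JSON as the
author recalls it; verify them against the API reference before relying on them.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_CIDR_BLOCKS = 200   # limit across public and VPC sources (from the page)
MAX_VPC_NETWORKS = 25   # limit on VPC networks per bucket (from the page)

# Constructed sample configuration: one office range, one IPv6 range, one VPC.
SAMPLE_FILTER = {
    "mode": "Enabled",
    "publicNetworkSource": {
        "allowedIpCidrRanges": ["203.0.113.0/24", "2001:db8::/32"],
    },
    "vpcNetworkSources": [
        {
            "network": "projects/example-project/global/networks/prod-vpc",  # assumed name
            "allowedIpCidrRanges": ["10.10.0.0/16"],
        },
    ],
    "allowCrossOrgVpcs": False,
    "allowAllServiceAgentAccess": True,
}


@dataclass(frozen=True)
class Request:
    """Hypothetical view of an incoming request, reduced to what the filter inspects."""
    source_ip: str
    vpc_network: Optional[str] = None   # None: request arrived from the public internet
    is_service_agent: bool = False      # request made by a Google Cloud service agent
    cross_org: bool = False             # VPC belongs to a different organization


def _cidr_ranges(cfg: dict) -> list[str]:
    """All CIDR blocks in the filter, public and VPC, in one list."""
    public = cfg.get("publicNetworkSource", {}).get("allowedIpCidrRanges", [])
    vpc = [r for v in cfg.get("vpcNetworkSources", []) for r in v.get("allowedIpCidrRanges", [])]
    return list(public) + vpc


def validate_filter(cfg: dict) -> list[str]:
    """Return a list of problems; an empty list means the config is within the documented limits."""
    problems = []
    ranges = _cidr_ranges(cfg)
    for r in ranges:
        try:
            # strict=True rejects ranges with host bits set, e.g. 10.10.0.1/16
            ipaddress.ip_network(r, strict=True)
        except ValueError as exc:
            problems.append(f"invalid CIDR {r!r}: {exc}")
    if len(ranges) > MAX_CIDR_BLOCKS:
        problems.append(f"{len(ranges)} CIDR blocks exceeds the limit of {MAX_CIDR_BLOCKS}")
    vpc_count = len(cfg.get("vpcNetworkSources", []))
    if vpc_count > MAX_VPC_NETWORKS:
        problems.append(f"{vpc_count} VPC networks exceeds the limit of {MAX_VPC_NETWORKS}")
    return problems


def _ip_in_ranges(ip: str, ranges: list[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    # ip_network.__contains__ returns False when the address family differs,
    # so an IPv4 source never matches an IPv6 block and vice versa.
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def is_allowed(cfg: dict, req: Request) -> bool:
    """Decide whether the filter admits the request (author's reading of the page's rules)."""
    if cfg.get("mode") != "Enabled":
        return True                                   # filter not enforced
    if req.is_service_agent and cfg.get("allowAllServiceAgentAccess", False):
        return True                                   # service agents bypass validation
    if req.vpc_network is None:                       # public internet source
        public = cfg.get("publicNetworkSource", {}).get("allowedIpCidrRanges", [])
        return _ip_in_ranges(req.source_ip, public)
    if req.cross_org and not cfg.get("allowCrossOrgVpcs", False):
        return False                                  # other-org VPCs not permitted
    for vpc in cfg.get("vpcNetworkSources", []):      # matching VPC rule decides
        if vpc.get("network") == req.vpc_network:
            return _ip_in_ranges(req.source_ip, vpc.get("allowedIpCidrRanges", []))
    return False                                      # unknown VPC: deny


if __name__ == "__main__":
    print("config problems:", validate_filter(SAMPLE_FILTER))
    for r in (Request("203.0.113.7"), Request("198.51.100.7"),
              Request("10.10.3.4", "projects/example-project/global/networks/prod-vpc")):
        print(r, "->", "allow" if is_allowed(SAMPLE_FILTER, r) else "deny")
```

Running `validate_filter` in a CI step before `gcloud` or Terraform applies the filter catches malformed ranges and limit overruns early; the deny-by-default branches for an unlisted VPC or a non-matching public address are the behaviour the page describes when no rule covers a source.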


Try it for yourself

If you're new to Google Cloud, create an account to evaluate how Cloud Storage performs in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.


Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.