Protect Compute Engine using a VPC Service Controls perimeter

This tutorial shows you how to protect Compute Engine using a service perimeter and troubleshoot an ingress violation to allow authorized access to Compute Engine.

VPC Service Controls enables you to define a service perimeter around resources of Google-managed services to control communication to and between those services. You can establish a zero-trust perimeter around your sensitive resources, restricting access to authorized IP addresses, users, and devices. This capability lets you define security policies that prevent access to Google-managed services outside of a trusted perimeter, block access to data from untrusted locations, and mitigate data exfiltration risks.

This tutorial is intended for Google Cloud organization administrators who want to learn the basic VPC Service Controls concepts.

Objectives

  • Understand the basics of VPC Service Controls.
  • Create a service perimeter.
  • Protect a project using VPC Service Controls.
  • Troubleshoot a VPC Service Controls ingress violation.

Costs

In this document, you use the following billable components of Google Cloud:

To generate a cost estimate based on your projected usage, use the pricing calculator.

New Google Cloud users might be eligible for a free trial.

When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.

Before you begin

Create a service perimeter

Create a service perimeter that protects the Compute Engine API in the My-Project-2 project:

  1. In the Google Cloud console, go to the VPC Service Controls page.

    Go to VPC Service Controls

    Make sure that you are in the organization scope.

  2. Click Manage policies.

  3. Create a new access policy that is scoped to the Exercise folder.

  4. Create a new perimeter with the following details:

    • Title: MyFirstPerimeter

    • Perimeter type: Regular

    • Enforcement mode: Enforced

    • Resources to protect: My-Project-2 project

    • Restricted services: Compute Engine API

Verify the perimeter

In this section, you make access requests to the resources in the projects to confirm whether the perimeter protects the intended resources.

  1. Access the My-Project-1 project and verify that you can access Compute Engine by visiting the VM instances page.

    Go to VM instances

    You should be able to access it because My-Project-1 is not protected by the perimeter that you created earlier.

  2. Access the My-Project-2 project and verify that you can access Compute Engine by visiting the VM instances page.

    You should see that VPC Service Controls denies your request to access Compute Engine because the MyFirstPerimeter perimeter protects My-Project-2 and the Compute Engine API.

Troubleshoot a violation

VPC Service Controls audit logs include details about requests to protected resources and the reason why VPC Service Controls denied the request. You need this information to identify and troubleshoot the violation in the My-Project-2 project.

View audit logs

  1. Find the unique ID of the VPC Service Controls violation in the My-Project-2 project's audit logs:

    1. In the Google Cloud console, go to the Logs Explorer page:

      Go to Logs Explorer

      If you use the search bar to find this page, then select the result whose subheading is Logging.

    2. Select the My-Project-2 project.

    3. To display all audit logs, enter the following query into the query-editor field:

      resource.type="audited_resource"
      protoPayload.metadata."@type"="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"

    4. Click Run query.

    This query displays all VPC Service Controls audit logs. To find the violation details for accessing the Compute Engine API in the My-Project-2 project, check the last error log.

    Note: To filter the logs more granularly, you can use these sample queries and add the VPC Service Controls unique ID that you received while verifying the perimeter.

    For more information, see View logs.

  2. In the Query results pane, click VPC Service Controls next to the denial that you want to troubleshoot, and then click Troubleshoot denial.

    The VPC Service Controls violation analyzer page opens. This page shows the violation reason and other information, such as whether the violation is an ingress or egress violation.

    In this tutorial, look for the following information:

      "principalEmail": "USER@DOMAIN"
      "callerIp": "PUBLIC_IP_ADDRESS"
      "serviceName": "compute.googleapis.com"
      "servicePerimeterName": "accessPolicies/POLICY_NUMBER/servicePerimeters/MyFirstPerimeter"
      "ingressViolations": [
        {
          "targetResource": "projects/PROJECT_NUMBER",
          "servicePerimeter": "accessPolicies/POLICY_NUMBER/servicePerimeters/MyFirstPerimeter"
        }
      ],
      "violationReason": "NO_MATCHING_ACCESS_LEVEL",
      "resourceNames": "PROJECT_ID"

    The violation reason is "NO_MATCHING_ACCESS_LEVEL". The "NO_MATCHING_ACCESS_LEVEL" violation occurs when the IP address, device type, or user identity doesn't match any ingress rules or access levels that are associated with the perimeter. If the caller IP address is missing or appears as an internal IP address in the log, then this violation can be due to a Google Cloud service that is not supported by VPC Service Controls.
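As an added example (not part of this tutorial or of any Google Cloud tooling), the following Python script triages denial entries shaped like the metadata above: it pulls the perimeter and target resource out of ingressViolations, recognizes the NO_MATCHING_ACCESS_LEVEL reason, and applies the caller-IP caveat before suggesting a fix. The sample entries, the placeholder identifiers, the RFC 1918 plus loopback definition of "internal", and all function names are constructed assumptions.

```python
import ipaddress
import json

# Constructed samples shaped like protoPayload.metadata of a
# VpcServiceControlAuditMetadata entry; placeholder values, not real IDs.
PERIMETER = "accessPolicies/POLICY_NUMBER/servicePerimeters/MyFirstPerimeter"
VIOLATION = {"targetResource": "projects/PROJECT_NUMBER", "servicePerimeter": PERIMETER}
SAMPLE_LOG = json.dumps([
    {"principalEmail": "USER@DOMAIN", "callerIp": "203.0.113.7",
     "serviceName": "compute.googleapis.com", "servicePerimeterName": PERIMETER,
     "ingressViolations": [VIOLATION], "violationReason": "NO_MATCHING_ACCESS_LEVEL"},
    {"principalEmail": "svc@DOMAIN", "callerIp": "10.128.0.5",
     "serviceName": "compute.googleapis.com", "servicePerimeterName": PERIMETER,
     "ingressViolations": [VIOLATION], "violationReason": "NO_MATCHING_ACCESS_LEVEL"},
])

# Assumption: "internal" means RFC 1918 or loopback, as such a callerIp appears in the log.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def caller_is_internal(caller_ip):
    """Missing, unparsable or private caller addresses count as internal."""
    try:
        addr = ipaddress.ip_address(caller_ip or "")
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)

def triage(entry):
    """Summarise one denial and map it to the fix the tutorial describes."""
    violations = entry.get("ingressViolations", [])
    summary = {
        "principal": entry.get("principalEmail"),
        "caller_ip": entry.get("callerIp"),
        "perimeter": entry["servicePerimeterName"].rsplit("/", 1)[-1],
        "targets": [v["targetResource"] for v in violations],
        "kind": "ingress" if violations else "egress",
        "reason": entry.get("violationReason"),
    }
    if summary["kind"] != "ingress" or summary["reason"] != "NO_MATCHING_ACCESS_LEVEL":
        summary["next_step"] = "not an access-level ingress denial; review other rules"
    elif caller_is_internal(summary["caller_ip"]):
        # Docs caveat: a missing or internal IP can mean an unsupported service.
        summary["next_step"] = "check for an unsupported service before changing the perimeter"
    else:
        summary["next_step"] = "add an access level or ingress rule for this caller"
    return summary

def triage_log(raw_json):
    return [triage(e) for e in json.loads(raw_json)]
```

Run it against the sample with triage_log(SAMPLE_LOG): the public caller is routed to the access-level or ingress-rule fix, while the 10.x caller is flagged for the unsupported-service check first.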

To fix this denial in the My-Project-2 project, you have two options:

  • Create an access level that allows access from your system's IP address to the project inside the perimeter.

  • Create an ingress rule that allows access to an API client from outside the perimeter to resources within the perimeter.

The following section illustrates how to troubleshoot this denial by creating an access level.

Create an access level

  1. In the Google Cloud console, go to the Access Context Manager page at the Exercise folder scope.

    Go to Access Context Manager

  2. Create an access level with the following details:

    • For Create conditions in, select Basic mode.

    • For When condition is met, return, select True.

    • Select the IP Subnetworks attribute and specify your system's public IP address.

    • Select the Geographic locations attribute and specify your geographic location.

    This access level allows access only when both the IP address and the geographic location match.

  3. Go to the VPC Service Controls page at the organization scope.

    Go to VPC Service Controls

  4. Select the access policy that you created earlier in this tutorial.

  5. Add the access level that you created at the Exercise folder scope to the MyFirstPerimeter perimeter.

Test the access

After you add the access level, verify that you can access Compute Engine in the My-Project-2 project and create a VM instance.

  1. In the Google Cloud console, go to the VM instances page.

    Go to VM instances

  2. Create a VM instance.

    Note: Retain the default values in the fields and create a low-cost VM instance.

After about a minute, Compute Engine creates the VM instance. This result verifies that you have full access to Compute Engine protected inside the perimeter.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

Delete the project

    Caution: Deleting a project has the following effects:
    • Everything in the project is deleted. If you used an existing project for the tasks in this document, when you delete it, you also delete any other work you've done in the project.
    • Custom project IDs are lost. When you created this project, you might have created a custom project ID that you want to use in the future. To preserve the URLs that use the project ID, such as an appspot.com URL, delete selected resources inside the project instead of deleting the whole project.

    If you plan to explore multiple architectures, tutorials, or quickstarts, reusing projects can help you avoid exceeding project quota limits.

  1. In the Google Cloud console, go to the Manage resources page.

    Go to Manage resources

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

Delete individual resources

Delete VM instances

  1. In the Google Cloud console, go to the VM instances page.

    Go to VM instances

  2. Select the checkbox for the instance that you want to delete.
  3. To delete the instance, click More actions, click Delete, and then follow the instructions.

Delete VPC Service Controls resources

  1. Delete the service perimeter.

  2. Delete the access level that you created at the Exercise folder scope.

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.