Secure your data with a service perimeter

VPC Service Controls helps you reduce the risk of unauthorized copying or transfer of data from your Google-managed services.

With VPC Service Controls, you can configure service perimeters around the resources of your Google-managed services and control the movement of data across the perimeter boundary.

Create a service perimeter

To create a service perimeter, follow the VPC Service Controls guide to creating a service perimeter.

When you design the service perimeter, include the following services:

  • Migration Center API (migrationcenter.googleapis.com)
  • RMA API (rapidmigrationassessment.googleapis.com)
  • Cloud Storage API (storage.googleapis.com)
  • Resource Manager API (cloudresourcemanager.googleapis.com)
  • Cloud Logging API (logging.googleapis.com)

Allow traffic with inbound data transfer rules

By default, a service perimeter blocks inbound data transfer from services outside the perimeter. If you plan to use data import to upload data from outside the perimeter, or to use the discovery client to collect your infrastructure data, configure inbound data transfer (ingress) rules that allow this traffic.

Enable data import

To enable data import, specify the inbound data transfer rules using the following syntax:

- ingressFrom:
    identities:
    - serviceAccount:SERVICE_ACCOUNT
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: google.storage.buckets.testIamPermissions
      - method: google.storage.objects.create
    resources:
    - projects/PROJECT_ID

Replace the following:

  • SERVICE_ACCOUNT: the per-product, per-project service account that you use to upload data to Migration Center, with the following format: service-PROJECT_NUMBER@gcp-sa-migcenter.iam.gserviceaccount.com.

    Here PROJECT_NUMBER is the unique identifier of the Google Cloud project where you enabled the Migration Center API. For more information on project numbers, see Identifying projects.

  • PROJECT_ID: the ID of the project inside the perimeter that you want to upload the data to.

You can't use ANY_SERVICE_ACCOUNT and ANY_USER_ACCOUNT identity types with signed URLs. For more information, see Allow access to protected resources from outside the perimeter.

Enable data collection with discovery client

To enable data collection with the discovery client, specify the inbound data transfer rules with the following syntax:

- ingressFrom:
    identities:
    - serviceAccount:SERVICE_ACCOUNT
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/PROJECT_ID

Replace the following:

  • SERVICE_ACCOUNT: the service account that you used to create the discovery client. For more information, review the discovery client installation process.

  • PROJECT_ID: the ID of the project inside the perimeter that you want to upload the data to.
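As an added check (example code written for this page, not part of the Migration Center documentation or product), the following Python lints a perimeter definition against the guidance in both ingress-rule sections above: the five required services, and an ingress rule in the same shape as the YAML, verified for one identity, one project and one set of Cloud Storage methods. The project ID, project number and service account in the sample are constructed placeholders.

```python
import re

# Services the page says the perimeter must include as restricted services.
REQUIRED_SERVICES = {
    "migrationcenter.googleapis.com", "rapidmigrationassessment.googleapis.com",
    "storage.googleapis.com", "cloudresourcemanager.googleapis.com", "logging.googleapis.com",
}
# Per-product, per-project Migration Center service account, in the format the page gives.
MIGCENTER_SA = re.compile(r"^serviceAccount:service-\d+@gcp-sa-migcenter\.iam\.gserviceaccount\.com$")
# Cloud Storage methods each rule opens: data import is narrow, the discovery client needs "*".
IMPORT_METHODS = {"google.storage.buckets.testIamPermissions", "google.storage.objects.create"}
DISCOVERY_METHODS = {"*"}

def missing_services(restricted_services):
    """Required services absent from the perimeter's restricted-services list, sorted."""
    return sorted(REQUIRED_SERVICES - set(restricted_services))

def check_ingress_rule(rule, project_id, expected_methods, identity_re=None):
    """Findings for one ingress rule (dict with the same shape as the YAML above); [] means OK."""
    findings = []
    src, dst = rule.get("ingressFrom"), rule.get("ingressTo")
    if not src or not dst:
        return ["ingressFrom and ingressTo must both appear in the same rule"]
    if src.get("identityType") in ("ANY_SERVICE_ACCOUNT", "ANY_USER_ACCOUNT"):
        findings.append(f"identity type {src['identityType']} cannot be used with signed URLs")
    for ident in src.get("identities", []):
        if not ident.startswith("serviceAccount:"):
            findings.append(f"identity {ident!r} is not a service account")
        elif identity_re and not identity_re.match(ident):
            findings.append(f"identity {ident!r} is not the expected Migration Center service account")
    if dst.get("resources") != [f"projects/{project_id}"]:
        findings.append(f"resources must be exactly ['projects/{project_id}']")
    for op in dst.get("operations", []):
        if op.get("serviceName") != "storage.googleapis.com":
            findings.append(f"rule opens {op.get('serviceName')}, but only storage.googleapis.com is needed")
            continue
        methods = {m.get("method") for m in op.get("methodSelectors", [])}
        if methods != expected_methods:
            findings.append(f"methods {sorted(methods)} differ from expected {sorted(expected_methods)}")
    return findings

# Constructed sample mirroring the data-import rule above, with a fake project number and ID.
IMPORT_RULE = {
    "ingressFrom": {"identities": ["serviceAccount:service-123456789012@gcp-sa-migcenter.iam.gserviceaccount.com"],
                    "sources": [{"accessLevel": "*"}]},
    "ingressTo": {"operations": [{"serviceName": "storage.googleapis.com",
                                  "methodSelectors": [{"method": m} for m in sorted(IMPORT_METHODS)]}],
                  "resources": ["projects/my-import-project"]},
}
```

Pass `DISCOVERY_METHODS` and no `identity_re` when checking the discovery-client rule, since that rule uses the discovery client's own service account and the wildcard method selector.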

Limitations

The following limitations apply when you enable the service perimeter.

StratoZone

StratoZone is not compliant with VPC Service Controls. If you try to enable the StratoZone integration with Migration Center after creating the service perimeter, you receive an error.

However, if you enabled the StratoZone integration before creating the service perimeter, you can still access StratoZone and the data already collected, but Migration Center doesn't send any new data to StratoZone.