Allow one VPC and deny others in a VPC Service Perimeter GCP

1
votes

I have created a VPC Service Perimeter for a project in GCP and added Google Cloud Storage to it.

Is there a way in GCP to allow access to Google Cloud Storage API (via gsutil or any other means) only to the VMs or resources in a particular VPC?

If I have three VPCs (vpc-a, vpc-b and vpc-c), I want only the instances in vpc-a to access the Cloud Storage buckets and VPC Service Perimeter to deny access to resources from vpc-b and vpc-c.

All my instances will be private (no public IP address) and consider the VPCs and VMs to be in one project (added in VPC Service Perimeter). How to achieve the above setup?

1
google-cloud-platformgoogle-cloud-storagevpcgoogle-cloud-iam

1 Answers

1
votes

This is not supported by Access Context Manager, GCP Service Controls or Google Cloud Storage.

VPC Service Controls are project based and are not VPC based. VPC Service Controls islands a project's resources. You would need the ability to remove certain resources (VPC) from accessing this island.

Access Context Manager does not define a condition for VPC subnets or private IP CIDR blocks.

VPC Service Controls does not block resources inside the project.

There is no supported method to block one VPC and allow another where both VPCs are inside the same project.