GCP – Announcing VPC Service Controls with private IPs to extend data exfiltration protection
Google Cloud’s VPC Service Controls can help organizations mitigate the risk of data exfiltration from their Google Cloud managed services. VPC Service Controls (VPC-SC) creates isolation perimeters around cloud resources and networks in Google Cloud, helping you limit access to your sensitive data.
Today, we are excited to introduce support for private IP addresses within VPC Service Controls. This new capability permits traffic from specific internal networks to access protected resources.
Extending VPC-SC to secure resources in private IP address space
VPC-SC helps prevent data exfiltration to unauthorized Cloud organizations, folders, projects, and resources by defining perimeters that are accessible only to authorized users and resources. Customers deploying VPC-SC can use its comprehensive access rule capabilities to enforce least-privilege access to managed services in Google Cloud. With this new capability, customers can allow access to resources in a service perimeter from identified on-premises environments.
Importantly, customers can use basic access levels to specify private IP address ranges for a VPC network. These access levels can be attached to ingress and egress access rules to enforce granular access controls for Google services, and allow customers to expand perimeters into private address space.
Google Cloud’s best practice recommendation is to use a macro or “mega” perimeter, as it is easy to manage and scale. For customers with a specific use case that requires more granular segmentation, private IP support now offers more flexibility.
Here are a couple of use cases where VPC-SC private IP support helps you to build a more secure architecture.
Use case: Expanding your on-premises environment to a secure cloud perimeter
VPC-SC treats a customer's on-premises environment as a single network for access purposes, so network-based access rules are enforced for the on-premises environment as a whole. Some customers are therefore concerned about over-provisioning access when only specific on-premises clients need access into the VPC-SC perimeter. With private address-based ingress and egress rules, access from on-premises workloads to perimeter resources can be granted more selectively.
Sample architecture overview of expanding on-premises to VPC-SC perimeter
Use case: Segmenting your cloud projects in Shared VPC
As part of a request evaluation, VPC-SC checks whether the source network belongs to a project inside the trusted perimeter. In Shared VPC environments, the host project owns the network, which is then shared with the service projects. Until now, this meant customers could not place the host and service projects in different perimeters. With support for private address-based ingress and egress rules, the host and service projects can be located in different perimeters, with access between them granted by the rules. This also limits the exposure of resources to unauthorized services.
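As an added illustration (not configuration from the announcement or from MSCI), here is the Shared VPC segmentation above expressed as Access Context Manager YAML for gcloud: a basic access level that matches only one private range on the host project's network, and an ingress rule on the service-project perimeter that admits that access level for one service account and one service. The same pattern covers the on-premises use case by naming the range on-premises clients arrive from. POLICY_ID, the project ids, the network name, the service account, the project number and the 10.10.20.0/24 range are constructed placeholders.

```yaml
# Added example, not from the original post. All names and numbers below are
# constructed placeholders.
#
# 1) Basic access level: matches requests whose private source address is in
#    10.10.20.0/24 on the Shared VPC host project's network, and nothing else.
#    gcloud access-context-manager levels create analytics-subnet \
#        --policy=POLICY_ID --title="analytics subnet on shared-net" \
#        --basic-level-spec=level.yaml
# --- level.yaml ---
- vpcNetworkSources:
  - vpcSubnetwork:
      network: //compute.googleapis.com/projects/host-proj/global/networks/shared-net
      vpcIpSubnetworks:
      - 10.10.20.0/24
---
# 2) Ingress rule on the perimeter that wraps the service project (svc-proj):
#    only the ETL service account, coming from the access level above, may call
#    BigQuery, and only into svc-proj. Everything else stays blocked.
#    gcloud access-context-manager perimeters update svc-perimeter \
#        --policy=POLICY_ID --set-ingress-policies=ingress.yaml
# --- ingress.yaml ---
- ingressFrom:
    identities:
    - serviceAccount:etl@svc-proj.iam.gserviceaccount.com
    sources:
    - accessLevel: accessPolicies/POLICY_ID/accessLevels/analytics-subnet
  ingressTo:
    operations:
    - serviceName: bigquery.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/SVC_PROJECT_NUMBER
```

Apply the rule to a dry-run perimeter first and review the VPC-SC audit log denials before enforcing it; a host-network range that is wider than the clients that actually need BigQuery re-creates the over-provisioning the post warns about.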
Sample architecture overview of segmenting in Shared VPC
Case study: Enhancing security with VPC Service Controls at MSCI
Renowned for providing critical decision support tools and services to the global investment community, MSCI uses cloud technology for more than just infrastructure: it’s their essential framework to drive innovation.
Since 2022, MSCI has partnered with Google Cloud in their quest for agile, scalable, and secure computing. Their Google Cloud environment, a meticulously orchestrated mix of services including Compute Engine, BigQuery, and Kubernetes Engine, is built on their commitment to state-of-the-art technology.
To secure sensitive data while benefiting from the cloud’s scalability, MSCI turned to VPC-SC. This decision was driven by the sensitivity of the data and the requirement for a defense-in-depth implementation that could secure data at multiple levels. With stringent ingress and egress controls, VPC-SC gave MSCI an additional layer of defense on top of Google’s cloud-first controls such as IAM and firewall rules. However, MSCI also had specific requirements for granular access at the subnetwork level using private IPs.
“The newly implemented VPC private address support feature empowered MSCI to define precise conditions, permitting access to protected resources for specific private IP ranges within the VPC network. This breakthrough has resulted in better detailing in MSCI’s security configurations. The bespoke solution has emerged as a key addition in the organization’s security repository, particularly for its support of private IP management, showcasing the enormous potential of cloud technologies when aligned with planning and collaborative solution-building,” said Sandesh D’Souza, executive director, Cloud Engineering, MSCI.
Next steps
VPC Service Controls is a foundational security control for most Google Cloud customers. By supporting private IPs, we can give customers more granular controls to better meet their exact needs. You can use our recently rolled out VPC-SC Dry Run mode to check your configs before deploying in production. For customers new to VPC Service Controls, we encourage you to review product documentation and an overview video.