
VPC Service Controls

Author: Venkata Sudhakar

VPC Service Controls allow you to define a security perimeter around Google Cloud resources to mitigate data exfiltration risks. They restrict access to GCP APIs and prevent data from being moved outside the perimeter even if credentials are compromised.

Key Features:

1. Service perimeters - Define boundaries around GCP projects to restrict API communication.

2. Context-aware access - Combine with Access Context Manager for attribute-based access (device, IP, user identity).

3. Ingress/Egress policies - Fine-grained control over traffic entering or leaving the perimeter.

4. Dry-run mode - Test policies without enforcing them to identify violations first.

5. Data exfiltration prevention - Block unauthorized copying of data to external projects or buckets.

The below example shows how to create a VPC Service Controls perimeter using gcloud.
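The following script is an added example, not the page's original code, showing the full gcloud workflow behind the output below: create the perimeter in dry-run mode, read the dry-run violations from the policy audit log, allow one deliberate egress exception instead of widening the perimeter, and then enforce. The access policy ID, the project numbers and the perimeter name are placeholders (assumed values); the audit-log filter and the egress-policy YAML shape are what current gcloud and VPC Service Controls accept to my knowledge. Commands are printed unless RUN=1, so the script can be read and checked offline.

```shell
#!/bin/sh
# Added example (not from the original page): VPC Service Controls perimeter lifecycle
# via gcloud. Placeholders: POLICY_ID, PROJECT_NUMBER, PEER_PROJECT_NUMBER (assumed values).
# Commands are printed unless RUN=1 so the script can be run offline.
set -eu

POLICY_ID="${POLICY_ID:-ACCESS_POLICY_ID_PLACEHOLDER}"     # from: gcloud access-context-manager policies list
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"           # project to protect (constructed number)
PEER_PROJECT_NUMBER="${PEER_PROJECT_NUMBER:-210987654321}" # project reads are still allowed to (constructed)
PERIMETER="${PERIMETER:-my-perimeter}"
RESTRICTED_SERVICES="storage.googleapis.com,bigquery.googleapis.com"

# run: execute the command when RUN=1, otherwise print it on one line.
run() {
  if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Step 1: create the perimeter in dry-run mode. Violating calls are logged, not blocked.
vpcsc_dry_run_create() {
  run gcloud access-context-manager perimeters dry-run create "$PERIMETER" \
    --policy="$POLICY_ID" \
    --perimeter-title="$PERIMETER" \
    --perimeter-type=regular \
    --perimeter-resources="projects/$PROJECT_NUMBER" \
    --perimeter-restricted-services="$RESTRICTED_SERVICES"
}

# Step 2: list dry-run violations. VPC SC writes them to the policy audit log with
# dryRun=true; this query is the equivalent of the "Dry-run violations: N detected" summary.
vpcsc_dry_run_violations() {
  run gcloud logging read \
    'logName:"cloudaudit.googleapis.com%2Fpolicy" AND protoPayload.metadata.dryRun="true"' \
    --project="$PROJECT_NUMBER" --limit=50 \
    --format='table(timestamp, protoPayload.methodName, protoPayload.authenticationInfo.principalEmail)'
}

# Step 3: permit one reviewed exception (object reads from a named peer project) rather
# than removing the restriction. Writes the egress policy YAML to the path given as $1.
vpcsc_write_egress_policy() {
  cat >"$1" <<EOF
- egressFrom:
    identityType: ANY_USER_ACCOUNT
  egressTo:
    resources:
    - projects/$PEER_PROJECT_NUMBER
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: google.storage.objects.get
EOF
}

vpcsc_dry_run_set_egress() {
  run gcloud access-context-manager perimeters dry-run update "$PERIMETER" \
    --policy="$POLICY_ID" --set-egress-policies="$1"
}

# Step 4: promote the dry-run configuration to the enforced perimeter.
vpcsc_enforce() {
  run gcloud access-context-manager perimeters dry-run enforce "$PERIMETER" --policy="$POLICY_ID"
}

policy_file="${TMPDIR:-/tmp}/egress-policy.yaml"
vpcsc_dry_run_create
vpcsc_dry_run_violations
vpcsc_write_egress_policy "$policy_file"
vpcsc_dry_run_set_egress "$policy_file"
vpcsc_enforce
```

Review the violations from step 2 before running step 4: each one is either a workload that genuinely needs an ingress or egress rule (step 3) or an access path that should stay blocked once enforcement starts.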


It gives the following output:

Created perimeter [my-perimeter] in dry-run mode.
Dry-run violations: 2 detected
  BLOCKED: External service account accessing BigQuery
  BLOCKED: Storage copy to project outside perimeter
Perimeter enforced successfully.

When to use VPC Service Controls:

Use VPC Service Controls when handling sensitive data (PII, financial, healthcare) that must not leave defined project boundaries. It complements IAM by adding a network-context layer of defense - even if credentials are stolen, data cannot be exfiltrated outside the perimeter.
