
We are planning to use Big Query and Cloud Storage but have questions regarding access via VPN/VPC.

As Big Query and GCS are managed services, is it correct to assume that it is not possible to restrict access to project-level buckets and data sets to connections inbound to the VPC?

As we understand it, these services authenticate against Google's Global API Infrastructure and by definition are publicly exposed.

Is it possible to restrict access to Google Managed Services to an inbound VPC connection and remove public / internet-based authentication and authorization for our projects?

Alex
K2J

3 Answers


This is achieved by using VPC Service Controls, which right now (October 2018) is in private beta - and requires quite a bit of work:

https://cloud.google.com/vpc-service-controls/

  • This is the correct solution on GCP as of Aug 2019. However, keep in mind that this service is like a firewall. Google Cloud services are still exposed to the public network; you can limit access by defining firewall rules. – chhantyal Aug 27 '19 at 14:55
  • GA since March 08, 2019: https://cloud.google.com/vpc-service-controls/docs/release-notes#March_08_2019 – vpgcloud Mar 06 '23 at 10:47
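As an added example that is not part of the answer above, a Terraform definition of the VPC Service Controls perimeter it refers to: Cloud Storage and BigQuery for one project accept requests only from callers inside the perimeter or from one VPN-routed range, while the public API endpoints themselves remain reachable and simply reject everything else, as the comment notes. ORG_NUMBER, PROJECT_NUMBER and the 203.0.113.0/24 range are placeholders.

```hcl
# Added example, not from the question or answers. Placeholders: ORG_NUMBER,
# PROJECT_NUMBER and the on-prem/VPN range 203.0.113.0/24 are assumed values.

resource "google_access_context_manager_access_policy" "org" {
  parent = "organizations/ORG_NUMBER"
  title  = "org-policy"
}

# Access level: the only network origin allowed to cross the perimeter
# boundary, i.e. the range that reaches Google APIs over the VPN.
resource "google_access_context_manager_access_level" "vpn_range" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org.name}/accessLevels/vpn_range"
  title  = "vpn_range"
  basic {
    conditions {
      ip_subnetworks = ["203.0.113.0/24"] # constructed VPN range
    }
  }
}

# Perimeter: Storage and BigQuery calls for the project are rejected unless
# the caller is inside the perimeter (e.g. a VM in the project's VPC using
# Private Google Access) or matches the access level above. Valid
# credentials alone are no longer sufficient.
resource "google_access_context_manager_service_perimeter" "data" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org.name}/servicePerimeters/data"
  title  = "data"
  status {
    resources           = ["projects/PROJECT_NUMBER"]
    restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]
    access_levels       = [google_access_context_manager_access_level.vpn_range.name]
  }
}
```

A denied request still reaches the public endpoint and is logged in Cloud Audit Logs with a VPC Service Controls violation, which is the signal to watch when verifying the perimeter does what you expect.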

I think this can be achieved through something now called "Private Service Connect" under GCP

https://cloud.google.com/vpc/docs/private-service-connect

https://medium.com/google-cloud/private-service-connect-c99e3e94537b

Logan
  • This does now look like the correct answer. Sadly I'm no longer working with GCP since moving organisations. I've changed the accepted answer to this one so it stays relevant for those that might stumble on this question. – K2J Jun 08 '22 at 09:16

EDIT: While this was correct at the time, it is no longer, and this is now the correct solution.

My original reply is below this line.


Regrettably, what you propose cannot be done.

If the authentication provided has access to the content, access will be granted; if it doesn't, it won't.

The network from which the content is being accessed is not taken into consideration. The Compute Engine firewall also doesn't apply because, much like the Google Cloud Load Balancer, Google Cloud Storage components don't live inside your project's VPC network.

Alex