We are planning to use BigQuery and Cloud Storage but have questions regarding access via VPN/VPC.
As BigQuery and GCS are managed services, is it correct to assume that it is not possible to restrict access to project-level buckets and datasets to connections inbound to the VPC?
As we understand it, these services authenticate against Google's global API infrastructure and by definition are publicly exposed.
Is it possible to restrict access to Google managed services to an inbound VPC connection and remove public/internet-based authentication and authorization for our projects?
VPC Service Controls allow customers to address threats such as data theft, accidental data loss, and excessive access to data stored in Google Cloud multi-tenant services. It enables clients to tightly control what entities can access what services in order to reduce both intentional and unintentional losses.
This is achieved by using VPC Service Controls, which right now (October 2018) is in private beta - and requires quite a bit of work:
https://cloud.google.com/vpc-service-controls/
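The kind of perimeter this answer refers to, written out as an added Terraform example (not from the original post or from Google's documentation). It places one project inside a VPC Service Controls perimeter, restricts the BigQuery and Cloud Storage APIs so that calls to those services in the project are only accepted from inside the perimeter, and adds an access level that admits callers arriving from a named VPC network. The organization id, project id and number, network name and all resource titles are assumed placeholder values.

```terraform
# Added example: VPC Service Controls perimeter for BigQuery and Cloud Storage.
# All ids below are placeholders; the perimeter is enforced (not dry-run).

variable "org_id"         { type = string } # assumed organization id
variable "project_id"     { type = string } # assumed project that hosts the VPC
variable "project_number" { type = string } # assumed numeric id of the same project
variable "vpc_name"       { type = string } # assumed VPC network name, e.g. "prod-vpc"

# One access policy per organization; perimeters and access levels hang off it.
resource "google_access_context_manager_access_policy" "org" {
  parent = "organizations/${var.org_id}"
  title  = "org-access-policy"
}

# Access level: callers are admitted only when the request originates from the
# named VPC network (the VPN/interconnect-attached network from the question).
resource "google_access_context_manager_access_level" "from_vpc" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org.name}/accessLevels/from_vpc"
  title  = "from_vpc"
  basic {
    conditions {
      vpc_network_sources {
        vpc_subnetwork {
          network = "//compute.googleapis.com/projects/${var.project_id}/global/networks/${var.vpc_name}"
          # Leaving vpc_ip_subnetworks unset admits the whole network; narrow it
          # to specific subnet ranges when only some subnets should reach the data.
        }
      }
    }
  }
}

# The perimeter: BigQuery and GCS in this project stop answering requests that do
# not come from inside the perimeter or from a listed access level, regardless of
# whether the caller holds valid IAM credentials.
resource "google_access_context_manager_service_perimeter" "analytics" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org.name}/servicePerimeters/analytics"
  title  = "analytics"
  status {
    resources           = ["projects/${var.project_number}"]
    restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
    access_levels       = [google_access_context_manager_access_level.from_vpc.name]

    # Also limit which Google APIs are reachable from inside the VPC, so a VM in
    # the perimeter cannot copy data out through an unrestricted service.
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["bigquery.googleapis.com", "storage.googleapis.com"]
    }
  }
}
```

The perimeter operates on top of IAM, not instead of it: a caller still needs the right roles, but valid credentials presented from the public internet are now refused with a VPC Service Controls error. Pair this with Private Google Access or a private endpoint on the VPC so that the VPC-originated traffic itself never leaves Google's network.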
Regrettably, what you propose cannot be done.
If the authentication provided has access to the content, access will be granted; if it doesn't, it won't.
The network from which the content is being accessed is not taken into consideration. The Compute Engine firewall also doesn't apply because, much like the Google Cloud Load Balancer, Google Cloud Storage components don't live inside your project's VPC network.
I think this can be achieved through something now called "Private Service Connect" under GCP
https://cloud.google.com/vpc/docs/private-service-connect
https://medium.com/google-cloud/private-service-connect-c99e3e94537b
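The Private Service Connect arrangement mentioned in this answer, as an added Terraform example (not from the original post or from the linked articles). It reserves an internal IP in the VPC, creates a PSC endpoint that fronts the VPC Service Controls-compatible Google APIs bundle, and adds a private DNS zone so that hostnames under googleapis.com resolve to that internal address from inside the VPC. The project id, network name, endpoint name and the reserved address are assumed placeholders.

```terraform
# Added example: a Private Service Connect endpoint for Google APIs inside a VPC.
# Placeholders throughout; the address must not overlap any subnet in the VPC.

variable "project_id" { type = string } # assumed project id
variable "vpc_name"   { type = string } # assumed existing VPC network name

data "google_compute_network" "vpc" {
  project = var.project_id
  name    = var.vpc_name
}

# Internal address reserved specifically for Private Service Connect.
resource "google_compute_global_address" "google_apis" {
  project      = var.project_id
  name         = "psc-google-apis-ip"
  purpose      = "PRIVATE_SERVICE_CONNECT"
  address_type = "INTERNAL"
  address      = "10.255.255.250" # placeholder, outside every subnet range
  network      = data.google_compute_network.vpc.id
}

# The endpoint itself. target = "vpc-sc" exposes only the APIs that VPC Service
# Controls supports, which is the bundle you want when the goal is to keep
# BigQuery and GCS traffic private and inside a perimeter.
resource "google_compute_global_forwarding_rule" "google_apis" {
  project               = var.project_id
  name                  = "pscapis" # PSC endpoint names: letters and digits only
  target                = "vpc-sc"
  network               = data.google_compute_network.vpc.id
  ip_address            = google_compute_global_address.google_apis.id
  load_balancing_scheme = ""
}

# Private DNS so clients in the VPC reach the endpoint by the normal API names
# (bigquery.googleapis.com, storage.googleapis.com) without public resolution.
resource "google_dns_managed_zone" "googleapis" {
  project    = var.project_id
  name       = "googleapis-private"
  dns_name   = "googleapis.com."
  visibility = "private"
  private_visibility_config {
    networks {
      network_url = data.google_compute_network.vpc.id
    }
  }
}

resource "google_dns_record_set" "googleapis_wildcard" {
  project      = var.project_id
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "*.googleapis.com."
  type         = "A"
  ttl          = 300
  rrdatas      = [google_compute_global_address.google_apis.address]
}
```

On its own the endpoint only changes the network path; it does not stop a credential holder on the internet from calling the public API. The restriction comes from combining it with a VPC Service Controls perimeter that admits the VPC as a source, at which point the private path is the only one the perimeter accepts.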