Google Managed Services (BigQuery, Cloud Storage, etc.) via a VPC/VPN

We are planning to use BigQuery and Cloud Storage but have questions regarding access via VPN/VPC.

As BigQuery and GCS are managed services, is it correct to assume that it is not possible to restrict access to project-level buckets and datasets to connections inbound to the VPC?

As we understand it, these services authenticate against Google's global API infrastructure and by definition are publicly exposed.

Is it possible to restrict access to Google Managed Services to an inbound VPC connection and remove public/internet-based authentication and authorization for our projects?

K2J asked Mar 06 '18 09:03




3 Answers

This is achieved by using VPC Service Controls, which right now (October 2018) is in private beta - and requires quite a bit of work:

https://cloud.google.com/vpc-service-controls/

Svyatoslav Pidgorny answered Oct 07 '22 00:10

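As an added illustration of the "quite a bit of work" this answer mentions (example configuration written for this page, not code from the answer's author or from Google), here is a Terraform definition of a VPC Service Controls perimeter that confines BigQuery and Cloud Storage for one project. With this in place, a request carrying valid credentials is still rejected unless it originates inside the perimeter (from the project's own VPC) or matches the access level; the organization id, project number and the `203.0.113.0/24` VPN egress range are assumed placeholders.

```hcl
# Added example: VPC Service Controls perimeter around BigQuery and Cloud Storage.
# Organization id, project number and the VPN source range are placeholders.
variable "org_id"         { default = "123456789012" } # placeholder
variable "project_number" { default = "987654321098" } # placeholder

# One access policy per organization; access levels and perimeters belong to it.
resource "google_access_context_manager_access_policy" "policy" {
  parent = "organizations/${var.org_id}"
  title  = "default-policy"
}

# Access level: requests from outside the perimeter are only admitted when they
# arrive from the on-prem VPN egress range (assumed 203.0.113.0/24).
resource "google_access_context_manager_access_level" "vpn_only" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/accessLevels/vpn_only"
  title  = "vpn_only"
  basic {
    conditions {
      ip_subnetworks = ["203.0.113.0/24"]
    }
  }
}

# The perimeter: the listed project's BigQuery and Cloud Storage APIs can only be
# called from inside the perimeter or via the access level above. Identity alone
# (a leaked key used from the internet) no longer suffices.
resource "google_access_context_manager_service_perimeter" "data_perimeter" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/servicePerimeters/data_perimeter"
  title  = "data_perimeter"
  status {
    resources           = ["projects/${var.project_number}"]
    restricted_services = ["bigquery.googleapis.com", "storage.googleapis.com"]
    access_levels       = [google_access_context_manager_access_level.vpn_only.name]

    # VMs inside the perimeter's VPCs may reach only the restricted services,
    # which closes the "copy the data out to another project" path.
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["RESTRICTED-SERVICES"]
    }
  }
}
```

Before enforcing, the same resource can be configured in dry-run mode (`use_explicit_dry_run_spec = true` with a `spec` block in place of `status`) so that would-be violations are only recorded in Cloud Audit Logs; reviewing those logs for a few days is the practical way to find legitimate clients, such as CI runners or SaaS integrations, that sit outside the VPN range and would otherwise break once the perimeter is enforced.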


Regrettably, what you propose cannot be done.

If the authentication provided has access to the content, access will be granted; if it doesn't, it won't.

The network from which the content is being accessed is not taken into consideration. The Compute Engine firewall also doesn't apply because, much like the Google Cloud Load Balancer, Google Cloud Storage components don't live inside your project's VPC network.

Alex answered Oct 07 '22 01:10



I think this can be achieved through something now called "Private Service Connect" under GCP.

https://cloud.google.com/vpc/docs/private-service-connect

https://medium.com/google-cloud/private-service-connect-c99e3e94537b

Logan answered Oct 07 '22 00:10

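To show what a Private Service Connect endpoint for Google APIs actually looks like (example configuration added here, not code from the answer's author or from Google), the Terraform below reserves an internal IP in the VPC, binds it to the `vpc-sc` API bundle, and adds private DNS so that `*.googleapis.com` resolves to that endpoint from inside the VPC. Network names, the region and the `10.0.0.0/24` / `10.0.1.5` addresses are assumed placeholders. Note the scope: this gives VPC clients a private path to BigQuery and Cloud Storage, but it does not by itself stop credentials from being used against the public endpoints; that part is what a VPC Service Controls perimeter, as in the earlier answer, provides.

```hcl
# Added example: Private Service Connect endpoint for Google APIs plus private DNS.
# Names, region and IP ranges are placeholders.
resource "google_compute_network" "vpc" {
  name                    = "data-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "subnet" {
  name                     = "data-subnet"
  region                   = "europe-west1"
  ip_cidr_range            = "10.0.0.0/24"
  network                  = google_compute_network.vpc.id
  private_ip_google_access = true
}

# Reserved internal address that becomes the endpoint; taken from a range that
# no subnet in this VPC uses.
resource "google_compute_global_address" "psc" {
  name         = "psc-google-apis"
  address_type = "INTERNAL"
  purpose      = "PRIVATE_SERVICE_CONNECT"
  network      = google_compute_network.vpc.id
  address      = "10.0.1.5"
}

# The forwarding rule is the endpoint. target = "vpc-sc" exposes only the API
# bundle that VPC Service Controls supports; "all-apis" would expose every
# Google API, which is more than a data perimeter needs.
resource "google_compute_global_forwarding_rule" "psc" {
  name                  = "pscgoogleapis"
  target                = "vpc-sc"
  network               = google_compute_network.vpc.id
  ip_address            = google_compute_global_address.psc.id
  load_balancing_scheme = ""
}

# Private DNS zone visible only to this VPC, steering Google API hostnames to
# the endpoint instead of the public anycast addresses.
resource "google_dns_managed_zone" "googleapis" {
  name       = "googleapis-private"
  dns_name   = "googleapis.com."
  visibility = "private"
  private_visibility_config {
    networks {
      network_url = google_compute_network.vpc.id
    }
  }
}

resource "google_dns_record_set" "googleapis_wildcard" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "*.googleapis.com."
  type         = "A"
  ttl          = 300
  rrdatas      = [google_compute_global_address.psc.address]
}
```

After `terraform apply`, a VM in `data-vpc` resolving `storage.googleapis.com` or `bigquery.googleapis.com` should get `10.0.1.5`, and its API calls never leave Google's network; a quick check is that `dig storage.googleapis.com` from such a VM returns the endpoint address while the same lookup from outside the VPC still returns the public addresses.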