🔒 Mastering VPC Service Controls in Google Cloud: Step-by-Step Guide with Real Demo

When it comes to securing your workloads in Google Cloud Platform (GCP), two pillars stand out: IAM (Identity and Access Management) and VPC Service Controls. While IAM governs who has access to what, VPC Service Controls define where access is allowed from, creating a context-aware security boundary.

🔐 What is GCP VPC Service Controls?

VPC Service Controls is a Google Cloud security feature that helps protect your sensitive data by creating security perimeters around GCP services like Cloud Storage, BigQuery, and others.

These perimeters prevent unauthorized or untrusted access to Google-managed services, even if the request is technically valid from a service perspective.


🧠 Why Use VPC Service Controls?

VPC Service Controls are designed to prevent data exfiltration — the risk of data being accessed or moved from trusted GCP services to unauthorized locations or networks.

They ensure that only traffic from trusted networks, devices, locations, or services can access protected resources.

🛡️ Key Capabilities

| Feature | Description |
| --- | --- |
| Service Perimeters | Define boundaries around GCP services and projects |
| Access Context Manager | Allow access based on attributes like IP address, device type, or location |
| Ingress Policy | Allow trusted services or networks to access protected services |
| Egress Policy | Control outbound traffic from protected services |
| Dry Run Mode | Test configurations without enforcing them |

Scope of Demo:

VPC Service Perimeters function like a firewall for GCP APIs. In our demo, we are going to cover the essential components of a new service perimeter. The perimeter includes the following list, but we will cover everything except the Egress Policy.

  1. Protected Projects — the list of projects you want to protect (in my case, ProjectA and ProjectB).

  2. Restricted Services — the list of services protected by the perimeter (in my case, the Cloud Storage API).

  3. VPC Accessible Services — leave this at the default: All Services.

  4. Access Levels — allow or deny access to protected resources based on attributes such as IP, location, or device type.

  5. Ingress Policy — allow certain resources in another project to access the protected resource.

  6. Egress Policy — the same as above, but for egress (outbound) traffic.

To follow this tutorial, you will need:

  • A GCP Organization. You must have an Organization enabled for your domain; see Google's documentation on creating an organization for details.

  • A GCP account and two or more projects (in my case, I have three projects: ProjectA, ProjectB, and ProjectC).

Let’s Get Started:

  1. Log into the Console and select your Organization.

  2. Go to Security in the console, or search for “VPC Service Controls”, and open it. Make sure you are at the organization level: the policy is created at the org level, and this will not work at the project level.

Once you open VPC Service Controls, the first screen offers two modes:

ENFORCED — enforced mode applies the policy immediately. We will cover this mode only.

DRY RUN — dry-run mode is a preview mode that shows the effect the policy would have on your projects without blocking anything. You can check the audit logs to see whether the perimeter would behave as expected. I am not going to show dry-run mode in this demo.

3. Give the perimeter the name “storage-perimeter”, since I am creating a perimeter around the Cloud Storage service; we are restricting the storage service for specific projects. Select the default perimeter type and move on.

4. Next, add the projects. I have selected two projects (Host-Project and My First Project) to which this service perimeter will apply.

5. Now add the service to restrict. I have added the Google Cloud Storage API.

6. Time to verify that Cloud Storage is restricted in the selected projects. Let’s log in to each project one by one; I will show you the output.

Access Context Manager

Now let’s look at Access Context Manager and how to use it in the service perimeter. We have created a Cloud Storage perimeter, so if you try to reach the Storage API from outside the perimeter’s projects, you will not be able to access it. Access Context Manager is what makes it possible for a user to connect to this Cloud Storage even while the perimeter is enforced.

  1. Go back to the console and go to Security. Click “Access Context Manager” and create an Access Level based on IP and geolocation. In my case, that is my system’s public IP and the location US. To find your public IP, search for “get my ip” in Google.

Create the Access Level: give it a name, your IP, and the geographic location.

2. Next, go back to VPC Service Controls. Edit the perimeter we created for storage and select the Access Level you just created in the first step. Once done, save it.

3. Now let’s verify whether we are able to create a bucket in the protected project.

I can create a bucket even though the Storage API is inside the perimeter, because Access Context Manager grants access based on the request attributes. This shows that even with full admin access to a resource, the VPC service perimeter adds another layer of boundary that restricts access.

Ingress policy

So far, we have implemented a storage perimeter on two projects to restrict the Cloud Storage API within those projects. After that, we created an Access Level to allow access to the Storage API based on attributes such as IP and location. We haven’t configured the Ingress and Egress policies yet. We will configure the Ingress policy in this section; once it is configured, it will show up in the perimeter configuration. Let’s move ahead with Ingress.

Ingress use case: what if I want to allow a virtual machine in another project to access the Storage API in projects covered by the storage perimeter? To achieve this, we add an ingress rule to the perimeter.

  1. First, create a VM with a public IP in ProjectC.

  2. If you SSH into it and try to access a file in the bucket, it will throw an Access Denied error.

  3. Let’s implement an Ingress policy to allow it. Go back to the console, select the Organization, and go to VPC Service Controls.

Edit the service perimeter, select Ingress Policy, and click Add Rule. In the rule, you will find FROM attributes (of the API client) and TO attributes (of the GCP services/resources).

In the FROM attributes: select Source: Project and add the project where you just deployed the VM.

Identity: add the default service account of the VM.

In the TO attributes: select “Selected Projects” and add the protected project.

4. Let’s verify again. SSH into the VM and run the gsutil command; you should now be able to access your file in the bucket.
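As an added example (not from the original post), here is a simplified Python model of how the perimeter from steps 3 to 5, the Access Level, and the ingress rule above combine to decide a request. The project numbers, CIDR, policy id and service-account name are placeholders, and real VPC Service Controls also evaluate IAM and other access-level attributes that this model leaves out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Perimeter spec in the shape of the Access Context Manager v1 servicePerimeter "status"
# block: protected projects, restricted service, access level, ingress rule (placeholders).
STORAGE_PERIMETER = {
    "resources": ["projects/111111111111", "projects/222222222222"],  # ProjectA, ProjectB
    "restrictedServices": ["storage.googleapis.com"],
    "accessLevels": ["accessPolicies/POLICY_ID/accessLevels/my_laptop"],
    "ingressPolicies": [{
        "ingressFrom": {"sources": [{"resource": "projects/333333333333"}],  # ProjectC
                        "identities": ["serviceAccount:vm-sa@projectc.iam.gserviceaccount.com"]},
        "ingressTo": {"resources": ["projects/111111111111"],
                      "operations": [{"serviceName": "storage.googleapis.com",
                                      "methodSelectors": [{"method": "*"}]}]},
    }],
}
# Basic access level as created in Access Context Manager: caller IP AND region must match.
ACCESS_LEVELS = {"accessPolicies/POLICY_ID/accessLevels/my_laptop":
                 {"ipSubnetworks": ["203.0.113.10/32"], "regions": ["US"]}}

@dataclass
class Request:
    service: str         # API called, e.g. storage.googleapis.com
    target_project: str  # "projects/NUMBER" that owns the bucket
    caller_project: str  # project of the calling VM, "" when called from the internet
    identity: str        # "user:..." or "serviceAccount:..."
    source_ip: str
    region: str          # country code Google derives from the source IP

def matches_level(level: dict, req: Request) -> bool:
    ip_ok = any(ip_address(req.source_ip) in ip_network(c) for c in level["ipSubnetworks"])
    return ip_ok and req.region in level["regions"]

def matches_ingress(rule: dict, req: Request) -> bool:
    src, to = rule["ingressFrom"], rule["ingressTo"]
    return (any(s.get("resource") == req.caller_project for s in src["sources"])
            and req.identity in src.get("identities", [])
            and req.target_project in to["resources"]
            and any(o["serviceName"] == req.service for o in to["operations"]))

def is_allowed(perimeter: dict, req: Request) -> bool:
    """Perimeter decision only; IAM is evaluated separately and must also allow the call."""
    if req.target_project not in perimeter["resources"]:
        return True  # target project is not protected by this perimeter
    if req.service not in perimeter["restrictedServices"]:
        return True  # service not restricted, so the perimeter does not apply
    if req.caller_project in perimeter["resources"]:
        return True  # caller is already inside the perimeter
    if any(matches_level(ACCESS_LEVELS[n], req) for n in perimeter["accessLevels"]):
        return True  # Access Context Manager access level satisfied
    return any(matches_ingress(r, req) for r in perimeter["ingressPolicies"])
```

Walking the demo's requests through `is_allowed` shows why the bucket creation from the allow-listed laptop IP succeeds, why the ProjectC VM is denied until the ingress rule exists, and why that rule still does not open ProjectB's buckets to the VM.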

Congratulations. You have successfully configured VPC Service Controls, seen it in action, and verified the expected outputs. I hope this article is useful to you.

📌 Summary

VPC Service Controls offer an extra layer of protection for your GCP environment by:

  • Restricting service access based on network context

  • Preventing accidental or malicious data leaks

  • Enforcing strict boundaries around your cloud resources

It’s especially useful for organizations handling sensitive or regulated data.

Written by

Mostafa Elkattan