This chapter covers VPC Service Controls (VPC SC), a critical security feature in Google Cloud that protects the data within managed services from exfiltration. For the ACE exam, understanding VPC SC is essential for the Security Compliance domain (Objective 5.2), and it appears in approximately 5-10% of exam questions. You will learn how VPC SC creates a security perimeter around Google Cloud services, how it differs from IAM and VPC firewall rules, and how to configure it to prevent data exfiltration while allowing legitimate access.
Imagine a corporate headquarters with a secure inner corridor that connects several high-security rooms (like a data center with a vault). Each room has its own door, but to prevent anyone from walking through the corridor and entering any room, the company installs a series of guarded doors at every entrance to the corridor. These guards check every person and package against a strict list: only people with specific badges (authorized identities) and packages with approved labels (allowed APIs) may pass. Even if someone sneaks into the main building (the public internet), they cannot even see the corridor doors unless they are on the approved list. Moreover, the guards also prevent any data from leaving the corridor without explicit approval (exfiltration prevention). This is exactly how VPC Service Controls work: they create a secure perimeter around Google Cloud services, blocking all access from outside the perimeter unless explicitly allowed, and preventing data from moving out of the perimeter to unauthorized destinations.
What is VPC Service Controls and Why It Exists
VPC Service Controls (VPC SC) is a Google Cloud security feature that allows you to define a security perimeter around the resources of managed services (like BigQuery, Cloud Storage, Bigtable, etc.) to protect them from data exfiltration. Unlike IAM, which controls who can access a resource, VPC SC controls *where* access can come from and *where* data can go. It is designed to mitigate the risk of data exfiltration by unauthorized users or compromised applications, even if they have valid IAM permissions.
The primary use case is to prevent data from being copied from a managed service to an external, unauthorized destination. For example, a malicious insider with IAM access to a BigQuery dataset could export data to an external Cloud Storage bucket. VPC SC can block that export if the destination is outside the perimeter.
How VPC Service Controls Work Internally
VPC SC operates by intercepting API calls to supported Google Cloud services. When a request is made to a service that is protected by a VPC SC perimeter, the service checks the request against the perimeter's configuration. The perimeter defines:
- Service perimeter: The set of Google Cloud services that are protected (e.g., BigQuery, Cloud Storage, Bigtable).
- Access levels: Conditions such as IP ranges, device policy, or identity that are required for access.
- Ingress rules: Allow traffic from outside the perimeter to specific resources inside.
- Egress rules: Allow traffic from inside the perimeter to specific resources outside.
If the request does not match the allowed access levels or violates ingress/egress rules, the request is denied with a 403 PERIMETER_DENIED error. The check happens at the API layer, not at the network layer, so it works even if the client is on the same VPC network.
Key Components, Values, and Defaults
Service Perimeter: A named object that includes a set of projects and services. The default mode is "dry run" (no enforcement) until you switch to "enforced".
Access Levels: Defined using Access Context Manager. Can be based on IP subnet, device policy, or custom conditions.
Ingress Rules: Allow access from outside the perimeter. You specify source (access levels or identities) and destination (services and resources).
Egress Rules: Allow data to leave the perimeter to external destinations. You specify source (services and resources) and destination (external services or resources).
Restricted Services: The list of services that are protected by the perimeter. The default is all supported services, but you can limit it to a subset.
VPC Accessible Services: Services that can be accessed via VPC networks (Private Google Access or VPC peering).
Default behavior: When a perimeter is created in enforced mode, all API calls to protected services from outside the perimeter are denied unless explicitly allowed by ingress rules. All data movement from inside to outside is denied unless explicitly allowed by egress rules.
Configuration and Verification
VPC SC is configured using the gcloud access-context-manager command-line tool or the Google Cloud Console. Here's a typical workflow:
Create an access level:

```shell
gcloud access-context-manager levels create corp_network \
  --title="Corporate Network" \
  --basic-level-spec="conditions.yaml"
```

Create a service perimeter:

```shell
gcloud access-context-manager perimeters create my_perimeter \
  --title="My Perimeter" \
  --resources="projects/123456789" \
  --restricted-services="bigquery.googleapis.com,storage.googleapis.com" \
  --access-levels="corp_network" \
  --enable-restricted-services
```

Add ingress rules (example: allow access from a specific VPC network):

```shell
gcloud access-context-manager perimeters update my_perimeter \
  --add-ingress-policies="ingress_policy.yaml"
```

Add egress rules (example: allow export to a specific external bucket):

```shell
gcloud access-context-manager perimeters update my_perimeter \
  --add-egress-policies="egress_policy.yaml"
```

To verify, you can check the status:

```shell
gcloud access-context-manager perimeters describe my_perimeter
```

Interaction with Related Technologies
IAM: VPC SC works in addition to IAM. A user must have both IAM permissions AND be within the perimeter (or meet ingress rules) to access a resource. IAM alone is not sufficient.
VPC Firewall Rules: VPC SC operates at the API level, not the network level. Firewall rules control network traffic (IP/port), while VPC SC controls API calls. They are complementary.
Private Google Access: Allows VMs without external IPs to access Google APIs. VPC SC can restrict which APIs are accessible.
Cloud NAT: Used for outbound internet access. VPC SC can block egress from services even if Cloud NAT is configured.
Access Context Manager: The framework that defines access levels and perimeters. VPC SC is a feature of Access Context Manager.
Supported Services
As of the ACE exam, supported services include but are not limited to:
BigQuery
Cloud Storage
Bigtable
Cloud Spanner
Cloud SQL
Cloud Dataflow
Cloud Pub/Sub
Cloud Dataproc
Cloud Functions
Cloud Run
Compute Engine (for accessing other services)
For the latest list, refer to the Google Cloud documentation.
Limitations and Edge Cases
VPC SC does not protect data at rest; it protects API access. Data encryption is separate.
Are VPC SC perimeters regional? No: perimeters are global, but they can be scoped to specific projects.
VPC SC does not apply to all Google Cloud services; only those listed as restricted services.
VPC SC can be bypassed if a service does not support it (e.g., some third-party services).
VPC SC does not control access to the Google Cloud Console; that is handled by IAM and Access Context Manager separately.
A single VPC SC perimeter can span multiple projects, but all of those projects must be in the same organization.
Troubleshooting
Common errors:
- 403 PERIMETER_DENIED: The request violated a perimeter rule. Check access levels, ingress, and egress rules.
- 403 INVALID_ARGUMENT: Configuration error, such as invalid project ID or service name.
- 403 ACCESS_LEVEL_VIOLATION: The requester does not meet the access level conditions.
To diagnose, use the gcloud access-context-manager perimeters describe command and review the audit logs. Enable dry-run mode first to test without enforcement.
Best Practices
Start with dry-run mode to test policies before enforcement.
Use the principle of least privilege: allow only necessary ingress and egress.
Combine with IAM to ensure users have only needed permissions.
Monitor audit logs for denied requests.
Regularly review and update access levels and perimeters.
Summary of Mechanism
When a request is made to a protected service:
1. The service receives the request and checks if the project is inside a VPC SC perimeter.
2. If yes, it checks the requester's access level (IP, device, etc.).
3. If the requester is outside the perimeter, it checks ingress rules.
4. If the request is to move data outside, it checks egress rules.
5. If any check fails, the request is denied with a 403 error.
6. If all checks pass, the request is allowed (subject to IAM).
This mechanism ensures that even with valid IAM permissions, data cannot be exfiltrated outside the perimeter without explicit rules.
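The following is an added illustration, not code from this guide and not Google's implementation: a toy model of the six-step decision flow above, including the rule that when a project sits in overlapping perimeters the most restrictive one wins. The perimeter names, project numbers, subnets and identities are constructed sample values; the simplified rule shapes (an ingress rule as an access level, identity and service; an egress rule as a service and destination project) are this model's own assumptions.

```python
"""Toy model of the VPC Service Controls decision flow summarised above.

Added illustration, not Google's implementation and not code from the page:
it follows the six steps in the text (perimeter membership, access level,
ingress rules, egress rules, deny with 403, then IAM) and the rule that with
overlapping perimeters the most restrictive one wins. Perimeter names,
project ids, subnets and identities are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

PERIMETER_DENIED = "403 PERIMETER_DENIED"


def _ip_in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


@dataclass
class Perimeter:
    name: str
    projects: set                    # projects inside the perimeter
    restricted_services: set         # e.g. {"bigquery.googleapis.com"}
    access_levels: dict = field(default_factory=dict)  # level name -> [CIDR, ...]
    ingress_rules: list = field(default_factory=list)  # (level or None, identity or None, service)
    egress_rules: list = field(default_factory=list)   # (service, destination project)

    def meets_access_level(self, caller_ip):
        return any(_ip_in_any(caller_ip, cidrs) for cidrs in self.access_levels.values())

    def ingress_allows(self, caller_ip, identity, service):
        for level, member, svc in self.ingress_rules:
            level_ok = level is None or _ip_in_any(caller_ip, self.access_levels.get(level, []))
            member_ok = member is None or member == identity
            if svc == service and level_ok and member_ok:
                return True
        return False


@dataclass
class Request:
    identity: str
    caller_ip: str
    source_project: Optional[str]       # None when the caller is outside Google Cloud
    service: str
    target_project: str
    dest_project: Optional[str] = None  # set when the call copies data to another project
    has_iam: bool = True


def evaluate(req, perimeters):
    """Return (allowed, reason) for one request against all perimeters."""
    applicable = [p for p in perimeters
                  if req.target_project in p.projects and req.service in p.restricted_services]
    if not applicable:                                            # step 1: not protected
        return (req.has_iam, "not protected by VPC SC; IAM decides")
    for p in applicable:                                          # every perimeter must agree
        inside = req.source_project in p.projects
        if not inside and not p.meets_access_level(req.caller_ip):            # step 2
            if not p.ingress_allows(req.caller_ip, req.identity, req.service):  # step 3
                return (False, f"{PERIMETER_DENIED}: {p.name} rejected caller {req.identity}")
        if req.dest_project is not None and req.dest_project not in p.projects:  # step 4
            if (req.service, req.dest_project) not in p.egress_rules:
                return (False, f"{PERIMETER_DENIED}: {p.name} blocked egress to {req.dest_project}")
    if not req.has_iam:                                           # step 6: IAM still applies
        return (False, "403 IAM permission denied")
    return (True, "allowed")


# Constructed sample: the corporate BigQuery perimeter described in this chapter.
CORP_BQ = Perimeter(
    name="corp_bq_perimeter",
    projects={"projects/111111111111"},
    restricted_services={"bigquery.googleapis.com"},
    access_levels={"corp_network": ["203.0.113.0/24"]},
    ingress_rules=[(None, "user:partner@example.com", "bigquery.googleapis.com")],
    egress_rules=[("bigquery.googleapis.com", "projects/222222222222")],  # reporting project
)
# Constructed overlapping perimeter with a different range and no ingress rules.
STRICT = Perimeter(
    name="strict_perimeter",
    projects={"projects/111111111111"},
    restricted_services={"bigquery.googleapis.com"},
    access_levels={"vpn_only": ["198.51.100.0/24"]},
)


def demo():
    """Run the typical cases and return {case: (allowed, reason)}."""
    bq, tgt = "bigquery.googleapis.com", "projects/111111111111"
    cases = {
        "corp_ip_query": Request("user:alice@example.com", "203.0.113.10", None, bq, tgt),
        "internet_query": Request("user:alice@example.com", "198.51.100.5", None, bq, tgt),
        "partner_via_ingress": Request("user:partner@example.com", "198.51.100.5", None, bq, tgt),
        "export_unlisted_project": Request("user:alice@example.com", "203.0.113.10", None, bq, tgt,
                                           "projects/333333333333"),
        "export_reporting_project": Request("user:alice@example.com", "203.0.113.10", None, bq, tgt,
                                            "projects/222222222222"),
        "unrestricted_service": Request("user:alice@example.com", "198.51.100.5", None,
                                        "storage.googleapis.com", tgt),
        "corp_ip_no_iam": Request("user:bob@example.com", "203.0.113.10", None, bq, tgt, has_iam=False),
    }
    results = {k: evaluate(r, [CORP_BQ]) for k, r in cases.items()}
    results["overlap_most_restrictive"] = evaluate(cases["corp_ip_query"], [CORP_BQ, STRICT])
    return results


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:26s} {'ALLOW' if ok else 'DENY '} {why}")
```

The two cases worth noticing for the exam are `corp_ip_no_iam` (the perimeter passes but IAM still denies, so both must allow) and `overlap_most_restrictive` (a caller allowed by one perimeter is still denied by a second perimeter that contains the same project).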
Configuration Example: Restrict BigQuery Access to Corporate Network
Assume you want to allow BigQuery access only from the corporate IP range 203.0.113.0/24 and block all exports to external locations.
Create access level:

```yaml
# conditions.yaml
- ipSubnetworks:
  - 203.0.113.0/24
```

Create perimeter:

```shell
gcloud access-context-manager perimeters create corp_bq_perimeter \
  --title="Corporate BigQuery Perimeter" \
  --resources="projects/my-project" \
  --restricted-services="bigquery.googleapis.com" \
  --access-levels="corp_network" \
  --enable-restricted-services
```

There are no egress rules by default, so all data exports are blocked.
If you need to allow export to a specific Cloud Storage bucket for reporting, add an egress rule.
This configuration ensures that BigQuery can only be queried from the corporate network, and results cannot be exported anywhere unless explicitly allowed.
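Neither the workflow in "Configuration and Verification" nor the example above shows what goes into the `ingress_policy.yaml` and `egress_policy.yaml` files passed to `--add-ingress-policies` and `--add-egress-policies`. The following added example (not code from this guide or from Google) generates both files for the corporate BigQuery scenario and lints the egress side for the over-permissive patterns the enterprise scenarios warn about. The field layout (`ingressFrom`/`ingressTo`, `egressFrom`/`egressTo`, `operations`, `methodSelectors`, `resources`) follows the gcloud policy file format as I recall it and should be verified against the current documentation; the policy id, project numbers and identities are placeholders, and writing the files as JSON relies on the assumption that gcloud's YAML-or-JSON file flags accept JSON (which is valid YAML).

```python
"""Generate the ingress_policy.yaml / egress_policy.yaml files consumed by
`gcloud access-context-manager perimeters update --add-ingress-policies /
--add-egress-policies`, and lint the egress side before it is applied.

Added example, not code from the page or from Google. Field layout follows
the gcloud ingress/egress policy file format as I recall it; verify it against
the current documentation. Files are written as JSON, which is valid YAML
(assumption: gcloud's YAML-or-JSON file flags accept it). Policy id, project
numbers and identities are placeholders.
"""
import json
import os

ACCESS_POLICY = "accessPolicies/POLICY_ID_PLACEHOLDER"
CORP_NETWORK_LEVEL = f"{ACCESS_POLICY}/accessLevels/corp_network"
REPORTING_PROJECT = "projects/222222222222"   # placeholder: project owning the reporting bucket


def _operation(service, methods):
    return {"serviceName": service, "methodSelectors": [{"method": m} for m in methods]}


def ingress_policy(access_level, identities, service, methods=("*",)):
    """Callers that match access_level AND are in identities may call service
    on any resource inside the perimeter."""
    return {
        "ingressFrom": {"sources": [{"accessLevel": access_level}], "identities": list(identities)},
        "ingressTo": {"operations": [_operation(service, methods)], "resources": ["*"]},
    }


def egress_policy(identities, service, dest_projects, methods=("*",)):
    """The listed identities may use service against dest_projects outside the
    perimeter. Egress destinations are scoped per project, so the export bucket
    is allowed by listing the project that owns it (assumption of this example)."""
    return {
        "egressFrom": {"identities": list(identities)},
        "egressTo": {"operations": [_operation(service, methods)], "resources": list(dest_projects)},
    }


def lint_egress(policies):
    """Return (index, finding) pairs for rules that defeat the perimeter."""
    findings = []
    for i, p in enumerate(policies):
        frm, to = p.get("egressFrom", {}), p.get("egressTo", {})
        if "*" in to.get("resources", []):
            findings.append((i, "wildcard destination: data may leave to any project"))
        if frm.get("identityType") == "ANY_IDENTITY" or not frm.get("identities"):
            findings.append((i, "any identity may trigger this egress"))
        if any(op.get("serviceName") == "*" for op in to.get("operations", [])):
            findings.append((i, "wildcard service"))
    return findings


def build_policies():
    """The corporate BigQuery scenario: analysts query from the corporate network;
    one service account may export to the reporting project."""
    ingress = [ingress_policy(CORP_NETWORK_LEVEL, ["group:analysts@example.com"], "bigquery.googleapis.com")]
    egress = [egress_policy(["serviceAccount:reporting@my-project.iam.gserviceaccount.com"],
                            "storage.googleapis.com", [REPORTING_PROJECT])]
    return ingress, egress


# The anti-pattern called out in the scenarios: every identity may write to any project.
OVER_PERMISSIVE_EGRESS = {
    "egressFrom": {"identityType": "ANY_IDENTITY"},
    "egressTo": {"operations": [_operation("storage.googleapis.com", ["*"])], "resources": ["*"]},
}


def write_policies(directory="."):
    """Write both files, refusing to emit an egress policy that fails the lint."""
    ingress, egress = build_policies()
    problems = lint_egress(egress)
    if problems:
        raise ValueError(f"refusing to write over-permissive egress: {problems}")
    for name, body in (("ingress_policy.yaml", ingress), ("egress_policy.yaml", egress)):
        with open(os.path.join(directory, name), "w") as fh:
            json.dump(body, fh, indent=2)
    return ingress, egress


if __name__ == "__main__":
    write_policies()
    print("over-permissive example lint:", lint_egress([OVER_PERMISSIVE_EGRESS]))
```

Running the script writes the two files into the current directory; the `lint_egress` check is the one to run in a CI step before `perimeters update`, since a wildcard destination or `ANY_IDENTITY` on the egress side is exactly the misconfiguration that makes the perimeter pointless.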
Identify Resources to Protect
List the Google Cloud projects and the specific managed services (e.g., BigQuery, Cloud Storage) that contain sensitive data. For the ACE exam, remember that VPC SC protects API access to these services, not the network layer. You must know which services are supported; the exam may test that Compute Engine itself is not a restricted service, but it can be used to access other services. The perimeter is defined at the project level, so all resources in the project are protected unless you specify exceptions.
Define Access Levels
Using Access Context Manager, create access levels that specify the conditions under which access is allowed. Common conditions include IP subnet ranges (e.g., corporate VPN), device policy (e.g., managed devices), or custom attributes. These levels are referenced in the perimeter. On the exam, know that access levels are evaluated at the time of request and can be combined with AND/OR logic. For example, an access level might require both a specific IP range and a device certificate.
Create Service Perimeter
Create a service perimeter object that includes the projects and the list of restricted services. Use the `--enable-restricted-services` flag to enforce the perimeter. The default mode is dry run, which logs violations but does not deny access. To enforce, you must update the perimeter to use `--enforcement-mode=enforced`. The exam may test that you can have multiple perimeters for different sets of projects or services.
Configure Ingress Rules
If you need to allow access from outside the perimeter (e.g., from a partner's network), define ingress rules. These rules specify which access levels or identities are allowed, and which services and resources they can access. Ingress rules are evaluated before the request is processed. The exam may test that ingress rules can be used to allow access from a specific VPC network via VPC accessible services.
Configure Egress Rules
If you need to allow data to leave the perimeter (e.g., export query results to an external bucket), define egress rules. These rules specify the source services and resources, and the destination external services or resources. Without egress rules, all data movement outside the perimeter is blocked. The exam may test that egress rules can be used to allow data to flow to a specific Cloud Storage bucket in a different project.
Test in Dry Run Mode
Before enforcing, set the perimeter to dry run mode. This logs all violations without blocking access. Review the audit logs to ensure the rules are correct. The exam may test that dry run is essential for testing; you can switch between dry run and enforced using the `--enforcement-mode` flag. Common mistake: candidates forget to test and accidentally block all access.
Enforce and Monitor
Once testing is complete, switch to enforced mode. Monitor Cloud Audit Logs for `PERIMETER_DENIED` errors. Use these logs to fine-tune access levels and rules. The exam may test that you can use the `gcloud logging read` command to filter for perimeter violations. Also, remember that VPC SC does not affect Google Cloud Console access; that is controlled by IAM and Access Context Manager separately.
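The "Test in Dry Run Mode" and "Enforce and Monitor" steps both come down to reading the audit logs. The following added example (not code from this guide or from Google) triages the JSON that `gcloud logging read --format=json` prints: it keeps only VPC SC denials, separates dry-run from enforced denials, and lists the principal/service pairs that will start failing once the perimeter is enforced. The four log entries are constructed samples, and the metadata field names (`dryRun`, `violationReason`, `securityPolicyInfo.servicePerimeterName`) together with the filter string follow the VPC SC audit-log format as I recall it, so check them against real output; principals, IPs and the policy id are placeholders.

```python
"""Triage VPC Service Controls denials from Cloud Audit Logs.

Added example, not code from the page. It works on the JSON that
`gcloud logging read --format=json` prints; the entries embedded below are
constructed samples, and the metadata field names and the filter string follow
the VPC SC audit-log format as I recall it, so check them against real output.
Principals, IPs and the policy id are placeholders.
"""
import json
from collections import Counter

VPC_SC_TYPE = "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
# Filter for: gcloud logging read "<LOG_FILTER>" --format=json --freshness=1d
LOG_FILTER = f'protoPayload.metadata."@type"="{VPC_SC_TYPE}"'


def _entry(principal, ip, service, method, reason=None, dry_run=None, perimeter="corp_bq_perimeter"):
    """Constructed audit-log entry; reason=None yields a plain IAM denial without VPC SC metadata."""
    payload = {
        "serviceName": service, "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip},
        "status": {"code": 7, "message": "Request is prohibited by organization's policy."},
    }
    if reason is not None:
        payload["metadata"] = {
            "@type": VPC_SC_TYPE, "dryRun": dry_run, "violationReason": reason,
            "securityPolicyInfo": {
                "servicePerimeterName": f"accessPolicies/POLICY_ID_PLACEHOLDER/servicePerimeters/{perimeter}"},
        }
    return {"timestamp": "2024-01-01T00:00:00Z", "protoPayload": payload}


# Constructed sample of what the gcloud command above would print.
SAMPLE_LOG = json.dumps([
    _entry("analyst@example.com", "198.51.100.7", "bigquery.googleapis.com",
           "google.cloud.bigquery.v2.JobService.InsertJob", "NO_MATCHING_ACCESS_LEVEL", dry_run=True),
    _entry("etl@my-project.iam.gserviceaccount.com", "10.0.0.5", "storage.googleapis.com",
           "storage.objects.create", "RESOURCE_NOT_IN_SAME_SERVICE_PERIMETER", dry_run=True),
    _entry("contractor@example.com", "192.0.2.44", "bigquery.googleapis.com",
           "google.cloud.bigquery.v2.JobService.InsertJob", "NO_MATCHING_ACCESS_LEVEL", dry_run=False),
    _entry("intern@example.com", "203.0.113.9", "bigquery.googleapis.com",
           "google.cloud.bigquery.v2.TableService.GetTable"),   # IAM denial, not VPC SC
])


def vpc_sc_denials(log_text):
    """Keep only entries stamped with VPC SC metadata (plain IAM 403s are dropped)."""
    return [e for e in json.loads(log_text)
            if e.get("protoPayload", {}).get("metadata", {}).get("@type") == VPC_SC_TYPE]


def summarize(entries):
    """Split dry-run from enforced denials and count reasons, principals and perimeters."""
    s = {"dry_run": 0, "enforced": 0,
         "by_reason": Counter(), "by_principal": Counter(), "by_perimeter": Counter()}
    for e in entries:
        p, m = e["protoPayload"], e["protoPayload"]["metadata"]
        s["dry_run" if m.get("dryRun") else "enforced"] += 1
        s["by_reason"][m.get("violationReason", "UNKNOWN")] += 1
        s["by_principal"][p["authenticationInfo"]["principalEmail"]] += 1
        s["by_perimeter"][m["securityPolicyInfo"]["servicePerimeterName"].rsplit("/", 1)[-1]] += 1
    return s


def would_break_on_enforce(entries):
    """Dry-run violations are the calls that fail once the perimeter is enforced.
    Each (principal, service, reason) needs an access level, ingress or egress
    rule, or is an access pattern to investigate before enforcing."""
    seen = {(e["protoPayload"]["authenticationInfo"]["principalEmail"],
             e["protoPayload"]["serviceName"],
             e["protoPayload"]["metadata"]["violationReason"])
            for e in entries if e["protoPayload"]["metadata"].get("dryRun")}
    return sorted(seen)


if __name__ == "__main__":
    denials = vpc_sc_denials(SAMPLE_LOG)
    summary = {k: (dict(v) if isinstance(v, Counter) else v) for k, v in summarize(denials).items()}
    print(json.dumps(summary, indent=2))
    for row in would_break_on_enforce(denials):
        print("fix before enforcing:", row)
```

In the sample, the ETL service account's `RESOURCE_NOT_IN_SAME_SERVICE_PERIMETER` dry-run violation is the missing-egress-rule case from the financial services scenario: it shows up in the logs before enforcement and is added as an egress rule rather than discovered as a broken pipeline afterwards.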
Enterprise Scenario 1: Financial Services Data Lake
A large bank uses BigQuery and Cloud Storage to store customer transaction data. They need to ensure that data cannot be exfiltrated to unauthorized external systems, even by privileged users. They deploy VPC SC with a perimeter that includes all projects containing sensitive data. Access is restricted to the corporate network (IP range 10.0.0.0/8) via an access level. Egress rules are configured to allow data exports only to a specific Cloud Storage bucket in a separate project used for regulatory reporting. All other exports are blocked. In production, they run in dry run for two weeks to catch any legitimate access patterns that were missed. After enforcement, they monitor audit logs daily. A common issue is that developers often forget to add egress rules for legitimate data pipelines, causing failures. The solution is to use dry run and review logs before enforcement.
Enterprise Scenario 2: Healthcare Research Platform
A healthcare organization uses Cloud Spanner and Cloud Storage for patient data. They allow researchers to access de-identified data from their personal devices, but only via a VPN. They create an access level that requires the user to be on the VPN IP range (203.0.113.0/24) and have a device certificate. They also allow egress to a specific Cloud Storage bucket for approved data exports. The perimeter includes the projects containing the Spanner instances and storage buckets. In production, they have to handle the case where researchers need to access data from a conference network; they temporarily add an ingress rule for that IP range. The main performance consideration is that VPC SC adds minimal latency because it checks at the API layer. Misconfiguration often occurs when egress rules are too permissive (e.g., allowing all Cloud Storage buckets), defeating the purpose.
Enterprise Scenario 3: Multi-Tenant SaaS Provider
A SaaS provider runs multiple customer environments in separate projects. They use VPC SC to isolate each customer's data. Each customer's project is in its own perimeter, with access restricted to the customer's IP range. Ingress rules allow the customer's support team to access specific services. Egress rules are very restrictive, only allowing data to flow to the customer's own storage buckets. They use Access Context Manager with custom attributes to identify each customer. A common mistake is creating perimeters that are too broad, accidentally including projects from different customers. They use organizational policies to enforce that all projects must be in a perimeter. Performance is not an issue, but managing many perimeters can become complex; they use infrastructure-as-code (Terraform) to manage configurations.
What the ACE Exam Tests
The ACE exam focuses on Objective 5.2: "Configuring VPC Service Controls." You should know:
How to create and manage service perimeters using gcloud commands.
The difference between dry run and enforced modes.
How access levels work and how to define them.
The purpose of ingress and egress rules.
Which services are supported (list not exhaustive, but know BigQuery, Cloud Storage, Bigtable, Cloud Spanner, Cloud SQL).
How VPC SC complements IAM and VPC firewall rules.
Common Wrong Answers and Why
"VPC Service Controls replace IAM." Wrong: VPC SC works in addition to IAM. Both are required.
"VPC SC blocks network traffic." Wrong: VPC SC blocks API calls, not network packets. Firewall rules block network traffic.
"VPC SC can protect Compute Engine instances." Wrong: Compute Engine is not a restricted service. VPC SC protects managed services, not the VMs themselves.
"You need to configure egress rules to allow normal API calls." Wrong: Ingress rules control incoming API calls; egress rules control data leaving the perimeter. Normal API calls from inside the perimeter are allowed by default.
Specific Numbers and Terms
Default mode: dry run. To enforce, set --enforcement-mode=enforced.
Error code: 403 PERIMETER_DENIED.
Command: gcloud access-context-manager perimeters create.
Access levels are defined using gcloud access-context-manager levels create.
Supported services: at least BigQuery, Cloud Storage, Bigtable, Cloud Spanner, Cloud SQL.
Edge Cases and Exceptions
VPC SC does not apply to the Google Cloud Console. Console access is controlled by IAM and Access Context Manager separately.
VPC SC perimeters are global, not regional. They apply to all regions where the service is available.
If a project is in multiple perimeters, the most restrictive rules apply.
VPC SC can be used with VPC peering or Private Google Access, but the perimeter checks still apply at the API level.
How to Eliminate Wrong Answers
If the question mentions "data exfiltration prevention," the answer likely involves VPC SC, not firewall rules.
If the question mentions "restricting access based on IP address," it might be VPC SC access levels or firewall rules. Look for keywords like "API access" vs "network access."
If the question says "allow access from on-premises," think about ingress rules or Private Google Access.
If the question says "block export to external bucket," think about egress rules.
Remember that VPC SC does not affect IAM; if the question is about who can access, it's IAM. If it's about where they can access from, it's VPC SC.
VPC Service Controls prevent data exfiltration from managed services by creating a security perimeter around API access.
Dry run mode logs violations without blocking; enforced mode blocks violating requests.
Access levels define conditions (IP, device) for access; ingress rules allow inbound traffic; egress rules allow outbound data movement.
VPC SC complements IAM: both must allow access for a request to succeed.
Supported services include BigQuery, Cloud Storage, Bigtable, Cloud Spanner, Cloud SQL, and others.
Common error code: 403 PERIMETER_DENIED.
VPC SC does not apply to Compute Engine instances or the Google Cloud Console.
These come up on the exam all the time. Here's how to tell them apart.

| VPC Service Controls | IAM |
| --- | --- |
| Controls where access comes from (IP, device). | Controls who can access (users, groups). |
| Blocks data exfiltration via API calls. | Does not prevent data exfiltration. |
| Requires explicit ingress/egress rules for external access. | Allows access from anywhere by default if permissions are granted. |
| Operates at the API layer. | Operates at the resource level. |
| Uses access levels and perimeters. | Uses roles and policies. |
Mistake: VPC Service Controls replace IAM for access control.
Correct: VPC SC works alongside IAM. IAM controls who can access a resource; VPC SC controls from where and under what conditions. Both must be satisfied for access to be granted.

Mistake: VPC Service Controls block network traffic like firewall rules.
Correct: VPC SC operates at the API layer, not the network layer. It intercepts API calls to managed services. Firewall rules control IP and port traffic at the network level.

Mistake: VPC Service Controls can protect Compute Engine instances directly.
Correct: Compute Engine is not a restricted service. VPC SC protects managed services like BigQuery and Cloud Storage, not the VMs themselves.

Mistake: Once a perimeter is enforced, all access from outside is blocked and cannot be allowed.
Correct: Ingress rules can explicitly allow access from outside the perimeter based on access levels or identities. Egress rules can allow data to leave.

Mistake: VPC Service Controls apply to all Google Cloud services.
Correct: Only specific services are supported as restricted services. The list includes BigQuery, Cloud Storage, Bigtable, Cloud Spanner, Cloud SQL, and others, but not all services.
VPC Service Controls protect API access to managed services (e.g., BigQuery, Cloud Storage) by blocking or allowing API calls based on access levels and perimeters. VPC firewall rules control network traffic at the IP and port level for virtual machine instances. They operate at different layers: VPC SC at the API layer, firewall at the network layer. Both are complementary; you might use both to secure your environment.
Yes. You can configure ingress rules to allow access from on-premises networks by specifying the on-premises IP range in an access level. You can also use Private Google Access or Cloud VPN to route traffic through Google's network. The perimeter checks still apply to API calls originating from on-premises.
Use dry run mode when creating or updating a perimeter. In dry run, violations are logged but not enforced. Review the audit logs to see which requests would be blocked. Once you are confident, switch to enforced mode using the `--enforcement-mode=enforced` flag.
No. VPC SC does not directly affect access to the Google Cloud Console. Console access is controlled by IAM and Access Context Manager separately. However, if you try to access a protected service via the Console from an IP outside the perimeter, the API call will be blocked, and you may see an error.
If a project belongs to multiple perimeters, the most restrictive set of rules applies. For example, if one perimeter allows access from IP range A and another allows from IP range B, only requests from the intersection (if any) may be allowed. It is best practice to avoid overlapping perimeters.
Yes, Cloud Functions is one of the supported services. You can add it to the restricted services list in a perimeter. This means that Cloud Functions can only be invoked from within the perimeter unless ingress rules allow external access.
You can create an ingress rule that allows access based on the user's identity (using `members` in the ingress policy). For example, you can allow a specific user or group to access the service even if their IP is outside the allowed range. This is useful for remote employees.