
VPC Service Controls - Data Perimeters

VPC Service Controls protect GCP resources through security perimeters. They prevent data exfiltration and help meet compliance requirements.

Category: Security
Pricing Model: Free
Availability: Global
Data Sovereignty: EU perimeters possible
Reliability: Part of the protected services' SLA

VPC Service Controls define security perimeters around GCP resources and prevent data exfiltration at the API level.

What are VPC Service Controls?

VPC Service Controls are a security layer that protects Google Cloud services through perimeters. Think of an invisible fence around your sensitive data: even if an attacker has valid credentials, they cannot copy data out of the perimeter.

Protection operates at the API level, not the network level. A compromised service account can still query BigQuery inside the perimeter, but it cannot copy the data to a project outside the perimeter. This is crucial for defense-in-depth: even after successful credential theft, data exfiltration remains blocked.

VPC Service Controls integrate with Access Context Manager for context-based access decisions. You can restrict access based on IP address, device status, or identity.

Common Use Cases

Protecting Sensitive Data in BigQuery

A financial services company stores customer data in BigQuery. A service perimeter protects the project. Analysts can run queries but cannot export data to other projects or local files. Even admins with full BigQuery permissions cannot bypass the perimeter.

Multi-Project Perimeter for Compliance

A healthcare company groups all HIPAA-relevant projects into one perimeter. Cloud Storage, BigQuery, and Vertex AI within the perimeter can communicate. Data exchange with unprotected projects is blocked, simplifying compliance.

Development Environment with Dry-Run

A company plans to implement VPC Service Controls. They create the perimeter in dry-run mode, so every request the perimeter would have blocked is logged to Cloud Logging instead of being denied. After two weeks of log analysis, they switch the perimeter to enforcement mode.

Context-Based Access Control

A company allows access to sensitive data only from the corporate network. An access level restricts access to requests originating from corporate IP ranges; requests from any other source are blocked. Remote employees must connect via VPN.

Perimeter Bridges for Controlled Communication

Two teams have separate perimeters. For a shared analytics project, a perimeter bridge is configured. Teams can exchange defined data without fully opening their perimeters.

Integration with innFactory

As a Google Cloud Partner, innFactory supports you in implementing VPC Service Controls: from perimeter planning through dry-run to production enforcement.

Contact us for a security consultation.

Available Tiers & Options

Typical Use Cases

Data exfiltration protection
Security perimeters
Compliance
Access control

Technical Specifications

API: Access Context Manager API
Integration: Native Google Cloud integration
Scope: BigQuery, Cloud Storage, GKE, etc.
Security: Perimeter-based access control

Frequently Asked Questions

What are VPC Service Controls?

VPC Service Controls define security perimeters around Google Cloud resources. Within a perimeter, services can communicate; access from outside is blocked. This prevents data exfiltration even with compromised credentials.

Which services support VPC Service Controls?

Most GCP services are supported, including BigQuery, Cloud Storage, Cloud SQL, Vertex AI, GKE, Pub/Sub, Spanner, and many more. The list grows continuously with new services.

What is the difference from VPC Firewall Rules?

Firewall Rules control network traffic at the IP/port level. VPC Service Controls operate at the API level and prevent data exfiltration from protected services, even with valid credentials.

How much do VPC Service Controls cost?

VPC Service Controls themselves are free. There are no additional fees for creating and using service perimeters. Protected services are billed normally.

How does dry-run mode work?

In dry-run mode, access violations are logged but not blocked. This allows testing perimeter configurations in production before enabling enforcement mode.
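The dry-run phase only pays off if the logged violations are actually analyzed before enforcement. The script below is an added example (not innFactory's or Google's code) that reads exported policy-audit log entries and groups the would-be violations by principal, service, and whether a planned corporate-IP access level would have allowed the request, which also covers the context-based access scenario above. The log entries are constructed samples shaped like the VpcServiceControlAuditMetadata entries Cloud Logging writes for dry-run perimeters; the corporate CIDRs, project name, and principals are assumptions.

```python
"""Summarize VPC Service Controls dry-run violations exported from Cloud Logging.

Added example, not from the page or from Google. Reads one JSON audit-log
entry per line (a constructed sample below, so it runs offline) and reports
which principals and services would be blocked once the perimeter is enforced.
"""
import ipaddress
import json
from collections import Counter

# Assumed corporate ranges that the planned access level would allow.
CORPORATE_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Metadata type VPC Service Controls uses in policy audit-log entries.
VPC_SC_METADATA_TYPE = "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"

VERDICT_CORP = "would pass with corporate access level"
VERDICT_EXTERNAL = "outside corporate ranges"
VERDICT_CROSS = "cross-perimeter (bridge or egress rule needed)"

# Constructed sample log lines: field names follow the public audit-log schema,
# all values (project, principals, IPs) are invented for this example.
SAMPLE_LOG = r"""
{"logName": "projects/finance-prod/logs/cloudaudit.googleapis.com%2Fpolicy", "protoPayload": {"serviceName": "bigquery.googleapis.com", "methodName": "google.cloud.bigquery.v2.JobService.InsertJob", "resourceName": "projects/finance-prod", "authenticationInfo": {"principalEmail": "analyst@example.com"}, "requestMetadata": {"callerIp": "203.0.113.17"}, "metadata": {"@type": "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata", "dryRun": true, "violationReason": "NO_MATCHING_ACCESS_LEVEL"}}}
{"logName": "projects/finance-prod/logs/cloudaudit.googleapis.com%2Fpolicy", "protoPayload": {"serviceName": "bigquery.googleapis.com", "methodName": "google.cloud.bigquery.v2.JobService.InsertJob", "resourceName": "projects/finance-prod", "authenticationInfo": {"principalEmail": "contractor@example.org"}, "requestMetadata": {"callerIp": "192.0.2.44"}, "metadata": {"@type": "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata", "dryRun": true, "violationReason": "NO_MATCHING_ACCESS_LEVEL"}}}
{"logName": "projects/finance-prod/logs/cloudaudit.googleapis.com%2Fpolicy", "protoPayload": {"serviceName": "bigquery.googleapis.com", "methodName": "google.cloud.bigquery.v2.TableDataService.List", "resourceName": "projects/finance-prod", "authenticationInfo": {"principalEmail": "contractor@example.org"}, "requestMetadata": {"callerIp": "192.0.2.44"}, "metadata": {"@type": "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata", "dryRun": true, "violationReason": "NO_MATCHING_ACCESS_LEVEL"}}}
{"logName": "projects/finance-prod/logs/cloudaudit.googleapis.com%2Fpolicy", "protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "google.storage.objects.get", "resourceName": "projects/_/buckets/finance-exports", "authenticationInfo": {"principalEmail": "etl@finance-prod.iam.gserviceaccount.com"}, "requestMetadata": {"callerIp": "private"}, "metadata": {"@type": "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata", "dryRun": true, "violationReason": "RESOURCE_NOT_IN_SAME_SERVICE_PERIMETER"}}}
{"logName": "projects/finance-prod/logs/cloudaudit.googleapis.com%2Fdata_access", "protoPayload": {"serviceName": "bigquery.googleapis.com", "methodName": "google.cloud.bigquery.v2.JobService.GetJob", "resourceName": "projects/finance-prod", "authenticationInfo": {"principalEmail": "analyst@example.com"}, "requestMetadata": {"callerIp": "203.0.113.17"}}}
"""


def parse_entries(text):
    """Parse one JSON log entry per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_dry_run_violation(entry):
    """True only for VPC SC entries whose perimeter is in dry-run mode."""
    meta = entry.get("protoPayload", {}).get("metadata", {})
    return meta.get("@type") == VPC_SC_METADATA_TYPE and meta.get("dryRun") is True


def in_corporate_ranges(caller_ip, ranges=CORPORATE_RANGES):
    """Google-internal callers log 'private' instead of an IP; treat that as not corporate."""
    try:
        addr = ipaddress.ip_address(caller_ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def classify(entry, ranges=CORPORATE_RANGES):
    """Map a violation reason (plus caller IP) to what the perimeter design must do about it."""
    payload = entry["protoPayload"]
    reason = payload.get("metadata", {}).get("violationReason", "UNKNOWN")
    caller_ip = payload.get("requestMetadata", {}).get("callerIp", "")
    if reason == "NO_MATCHING_ACCESS_LEVEL":
        return VERDICT_CORP if in_corporate_ranges(caller_ip, ranges) else VERDICT_EXTERNAL
    if reason == "RESOURCE_NOT_IN_SAME_SERVICE_PERIMETER":
        return VERDICT_CROSS
    return "review: " + reason


def summarize(text, ranges=CORPORATE_RANGES):
    """Count dry-run violations per (principal, service, verdict); non-VPC-SC entries are skipped."""
    counts = Counter()
    for entry in parse_entries(text):
        if not is_dry_run_violation(entry):
            continue
        p = entry["protoPayload"]
        key = (p["authenticationInfo"]["principalEmail"], p["serviceName"], classify(entry, ranges))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (principal, service, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:>3}  {principal:<45} {service:<26} {verdict}")
```

To feed real entries into the script, export the policy audit log with the Cloud Logging filter `log_id("cloudaudit.googleapis.com/policy") AND protoPayload.metadata.dryRun="true"` for the two-week window. Each verdict maps to a design decision: requests that would pass with the corporate access level are fine once that level is attached to the perimeter, requests from outside corporate ranges are the ones the perimeter is meant to stop (or the remote employees who need VPN), and cross-perimeter requests need a perimeter bridge or an egress rule, or stay blocked by design.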

Google Cloud Partner

innFactory is a certified Google Cloud Partner. We provide expert consulting, implementation, and managed services.


Ready to start with VPC Service Controls - Data Perimeters?

Our certified Google Cloud experts help you with architecture, integration, and optimization.
