swigganicks

Reputation: 1231

Firewall rule needed in order to upload to Google Cloud Storage bucket?

I'm connecting an on-premise network with GCP via Cloud VPN. The on-premise application will use a service account to upload to a GCS bucket via a client library (java?).

Assuming a default egress deny firewall, what firewall rule would allow the client library to only upload to a GCS bucket? Do I even need one if the application is connected to VPC via Cloud VPN?

Upvotes: 0

Views: 5108

Answers (1)

Nur

Reputation: 606

Option#1

If you create a storage transfer service client using Google API, you don't need to create any firewall rules. As per the GCP documentation, "all Storage Transfer Service operations occur without the need for human intervention or user consent, the best authentication flow for a Storage Transfer Service application is server-to-server, using a service account." For more details follow this link.

Google APIs are accessed using external IPs, and Cloud Endpoints uses Cloud Identity and Access Management (Cloud IAM) for API access control. You would have to provide the service account accessing the GCS with the right permission.

Option#2

You could also use Private Google Access to allow GCP instances with only private IP addresses to access the public IP addresses for Google APIs and services; in this case, you would be required to configure firewall rules in your network. For more details, check out this GCP documentation on "Private Google Access and VPC subnets".

Upvotes: 1
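An added example, not from the question or the answer, of the VPC-side configuration that Option 2 describes, written as Terraform: a subnet with Private Google Access, the default-deny egress rule the question assumes made explicit, a narrow HTTPS allow to the private.googleapis.com range (199.36.153.8/30, taken from Google's Private Google Access documentation, not from this page), and an upload-only IAM binding for the service account. The network, subnet, region, bucket, project and service-account names are placeholders.

```hcl
# Added example (not from the question or answer): the VPC-side pieces the
# answer's Option 2 describes, as Terraform. Names (example-vpc, app-subnet,
# uploads-bucket, the service account e-mail) are placeholders.

# Subnet with Private Google Access enabled, so private-IP-only workloads
# can reach Google APIs without an external IP.
resource "google_compute_subnetwork" "app" {
  name                     = "app-subnet"
  network                  = "example-vpc"
  region                   = "us-central1"
  ip_cidr_range            = "10.10.0.0/24"
  private_ip_google_access = true
}

# The "default egress deny" the question assumes, made explicit at the
# lowest user priority so narrower allow rules win.
resource "google_compute_firewall" "deny_all_egress" {
  name               = "deny-all-egress"
  network            = "example-vpc"
  direction          = "EGRESS"
  priority           = 65534
  destination_ranges = ["0.0.0.0/0"]
  deny {
    protocol = "all"
  }
}

# Allow HTTPS only to the private.googleapis.com VIP range (199.36.153.8/30,
# per Google's Private Google Access documentation), which is where
# storage.googleapis.com must resolve for this path to work.
resource "google_compute_firewall" "allow_google_apis" {
  name               = "allow-egress-google-apis"
  network            = "example-vpc"
  direction          = "EGRESS"
  priority           = 1000
  destination_ranges = ["199.36.153.8/30"]
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# Least privilege for the uploader: object creation on one bucket only,
# no read, list or delete.
resource "google_storage_bucket_iam_member" "uploader" {
  bucket = "uploads-bucket"
  role   = "roles/storage.objectCreator"
  member = "serviceAccount:uploader@example-project.iam.gserviceaccount.com"
}
```

The firewall rule alone is not sufficient: clients must also resolve storage.googleapis.com to that VIP range (a private DNS zone for googleapis.com) and have a route to it, and for on-premises hosts coming in over Cloud VPN the range has to be advertised through Cloud Router and permitted by the on-premises firewall as well.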
