GCP VPC Service Control: Allow access to a subset of Service Projects that belong to the same Host Project

Question

I've the following GCP resources:

• Project "network" peered to a Host Project "Apps1".
• The Project "network" contains a bucket "test-bucket"
• "Apps1" has a VPC with 2 snets: "snet-dev" and "snet-rec"
• "Apps1" attach two Service Projects:
  • The Service Project "project-dev" uses the Snet "snet-dev"
  • The Service Project "project-rec" uses the Snet "snet-rec"

My Service Perimeter protects three projects: network, Apps1 and project-rec. It protects Google Cloud Storage API, Pub/Sub, GKE Connect API and Kubernetes Engine API.

gsutil ls gs://test-bucket/ gives the following results:

• From Internet: === KO (expected result)
• From an instance in the Project "network" === OK (expected result)
• From an instance in "project-rec" that uses the Snet from "Apps1" === OK (expected result)
• From an instance in "project-dev" that uses the Snet from "Apps1" === OK (not expected result)

Is it possible to have different perimeters on Service Projects that belong to the same Host Project? If so, what I'm doing wrong?

Thanks.

Answer 1

Currently, VPC Service Controls (VPC-SC) can only segment resources by VPC networks i.e. all VMs / Pods in a Shared VPC network always belong to the same Service Perimeter (segment) created by VPC-SC. Sub-VPC segmentation is currently not supported by VPC-SC.

By adding Apps1 to the Service Perimeter, all sub-nets of the Shared VPC(s) in the host Project are part of that Perimeter. Thus, the product is behaving as expected here as "project-dev", "snet-dev", "project-rec", and "snet-rec" are in the same service perimeter.

Answer 2

Concept of Shared VPC allows you to centrally control VPC assets. However Google Cloud Storage is not a member of VPC, it's part of public apis. So you may not be able to control bucket access through shared VPC.

I am not sure but if you enable private google access you could potentially achieve this.