
We are planning to use BigQuery and Cloud Storage but have questions regarding access via VPN/VPC.

As BigQuery and GCS are managed services, is it correct to assume that it is not possible to restrict access to project-level buckets and datasets to connections inbound to the VPC?

As we understand it, these services authenticate against Google's global API infrastructure and are by definition publicly exposed.

Is it possible to restrict access to Google managed services to an inbound VPC connection and remove public/internet-based authentication and authorization for our projects?


2 Answers


Regrettably, what you propose cannot be done.

If the authentication provided has access to the content, access will be granted; if it doesn't, it won't.

The network from which the content is being accessed is not taken into consideration. The Compute Engine firewall also doesn't apply because, much like the Google Cloud Load Balancer, Google Cloud Storage components don't live inside your project's VPC network.


This is achieved by using VPC Service Controls, which right now (October 2018) is in private beta - and requires quite a bit of work:

https://cloud.google.com/vpc-service-controls/

    This is the correct solution on GCP as of Aug 2019. However, keep in mind that this service is like a firewall. Google Cloud services are still exposed to the public network; you can limit access by defining firewall rules. – chhantyal Aug 27 '19 at 14:55
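The answer above only links to the product page, so here is a worked example of what a VPC Service Controls setup for the question's scenario looks like. This is an added example, not code from the original answer or from Google's documentation: it creates an access policy, an access level that admits only the VPN/on-prem source range, and a service perimeter that restricts `storage.googleapis.com` and `bigquery.googleapis.com` for one project. `ORG_ID`, `PROJECT_NUMBER`, `VPN_CIDR` and the level/perimeter names are hypothetical placeholders; the `gcloud` commands only run when `gcloud` is installed and `APPLY=1` is set, otherwise the script just renders the access-level spec so it can be read offline.

```shell
#!/bin/sh
# Added example, not part of the original answer: put a VPC Service Controls
# perimeter around one project's Cloud Storage and BigQuery APIs and admit
# only callers whose source address is the VPN/on-prem egress range.
# ORG_ID, PROJECT_NUMBER and VPN_CIDR are hypothetical placeholders.
set -eu

ORG_ID="${ORG_ID:-123456789012}"                  # hypothetical organization id
PROJECT_NUMBER="${PROJECT_NUMBER:-987654321098}"  # hypothetical project NUMBER (perimeters take numbers, not ids)
VPN_CIDR="${VPN_CIDR:-203.0.113.0/24}"            # hypothetical VPN egress range (TEST-NET-3)
LEVEL_NAME="vpn_only"                             # hypothetical access level name
PERIMETER_NAME="analytics_perimeter"              # hypothetical perimeter name

# APIs that will only answer inside the perimeter (or via an access level).
restricted_services() {
  echo "storage.googleapis.com,bigquery.googleapis.com"
}

# A "basic" access level with one condition: the caller's source subnet.
# Requests from any other address are refused at the API front door, no
# matter how much IAM access the identity has.
render_level_spec() {
  printf '%s\n  - %s\n' '- ipSubnetworks:' "$VPN_CIDR"
}

# Create policy -> access level -> perimeter. Only run with gcloud present.
apply_perimeter() {
  spec="$1"
  gcloud access-context-manager policies create \
    --organization="$ORG_ID" --title="restricted-data"
  # The policy is addressed by its numeric id, the last element of its name.
  policy="$(gcloud access-context-manager policies list \
    --organization="$ORG_ID" --format='value(name.basename())')"
  gcloud access-context-manager levels create "$LEVEL_NAME" \
    --policy="$policy" --title="VPN only" --basic-level-spec="$spec"
  gcloud access-context-manager perimeters create "$PERIMETER_NAME" \
    --policy="$policy" --title="analytics" \
    --resources="projects/$PROJECT_NUMBER" \
    --restricted-services="$(restricted_services)" \
    --access-levels="$LEVEL_NAME"
}

# Smoke test from a machine OUTSIDE the VPN range: even a project owner
# should get a 403 whose text says the request is prohibited by
# organization's policy (the VPC Service Controls denial).
check_from_outside() {
  bucket="$1"
  out="$(gsutil ls "gs://$bucket" 2>&1 || true)"
  case "$out" in
    *"prohibited by organization's policy"*)
      echo "enforced: $out"; return 0 ;;
    *)
      echo "not enforced, or a different error: $out"; return 1 ;;
  esac
}

spec_file="$(mktemp)"
render_level_spec > "$spec_file"
if command -v gcloud >/dev/null 2>&1 && [ "${APPLY:-0}" = 1 ]; then
  apply_perimeter "$spec_file"
else
  echo "Access level spec that would be passed to --basic-level-spec:"
  cat "$spec_file"
  echo "Set APPLY=1 with gcloud installed and authenticated to create the perimeter."
fi
rm -f "$spec_file"
```

Two caveats a practitioner will run into. First, the perimeter does not make the APIs private: as the comment above says, they stay reachable on the public endpoints and the perimeter acts as a policy firewall in front of them, so the VPN must actually be the path whose source address matches `VPN_CIDR`, or the access level never matches. Second, VMs inside the perimeter's project that have no public egress still need a route to the APIs; Private Google Access via the `restricted.googleapis.com` VIP (199.36.153.4/30) is the usual way to give them one that only reaches services the perimeter supports.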