Infrastructure controls for generative AI use cases

This document includes the best practices and guidelines for Google Cloud services such as Pub/Sub, Dataflow, and Cloud Run functions when running generative AI workloads on Google Cloud.

Define VM instances that can enable IP forwarding

Google control ID	VPC-CO-6.3
Implementation	Required
Description	The `compute.vmCanIpForward` constraint defines the VM instances that can enable IP forwarding. By default, any VM can enable IP forwarding in any virtual network. Specify VM instances using one of the following formats: `under:organizations/ORGANIZATION_ID` `under:folders/FOLDER_ID` `under:projects/PROJECT_ID` `projects/PROJECT_ID/zones/ZONE/instances/INSTANCE_NAME`. This constraint isn't retroactive.
Applicable products	Organization Policy Service Virtual Private Cloud (VPC) Compute Engine
Path	`constraints/compute.vmCanIpForward`
Operator	`=`
Value	`Your list of VM instances that can enable IP forwarding.`
Type	List
Related NIST-800-53 controls	SC-7 SC-8
Related CRI profile controls	PR.AC-5.1 PR.AC-5.2 PR.DS-2.1 PR.DS-2.2 PR.DS-5.1 PR.PT-4.1 DE.CM-1.1 DE.CM-1.2 DE.CM-1.3 DE.CM-1.4
Related information	Recommendations Enable IP forwarding for instances

Disable VM-nested virtualization

Google control ID	VPC-CO-6.6
Implementation	Required
Description	The `compute.disableNestedVirtualization` boolean constraint disables hardware-accelerated nested virtualization for Compute Engine VMs.
Applicable products	Organization Policy Service Virtual Private Cloud (VPC) Compute Engine
Path	`constraints/compute.disableNestedVirtualization`
Operator	`Is`
Value	`True`
Type	Boolean
Related NIST-800-53 controls	SC-7 SC-8
Related CRI profile controls	PR.AC-5.1 PR.AC-5.2 PR.DS-2.1 PR.DS-2.2 PR.DS-5.1 PR.PT-4.1 DE.CM-1.1 DE.CM-1.2 DE.CM-1.3 DE.CM-1.4
Related information	Manage the nested virtualization constraint

Restrict external IP addresses on VMs

Google control ID	VPC-CO-6.2
Implementation	Required
Description	Unless needed, prevent the creation of Compute Engine instances with public IP addresses. The `compute.vmExternalIpAccess` list constraint defines the set of Compute Engine VM instances that can have external IP addresses. Prevent Compute Engine instances from having external IP addresses to drastically reduce their exposure to the internet. Any instance with an external IP address is immediately discoverable and becomes a direct target for automated scans, brute-force attacks, and attempts to exploit vulnerabilities. Instead, require instances to use private IP addresses and manage access through controlled, authenticated, and logged pathways like the Identity-Aware Proxy (IAP) tunnel or a bastion host. Adopting this deny-by-default posture is a foundational security best practice that helps minimize your attack surface and enforces a zero-trust approach to your network. This constraint isn't retroactive.
Applicable products	Organization Policy Service Virtual Private Cloud (VPC) Compute Engine
Path	`constraints/compute.vmExternalIpAccess`
Operator	`=`
Value	`The list of VM instances in your organization that can have external IP addresses.`
Type	List
Related NIST-800-53 controls	SC-7 SC-8
Related CRI profile controls	PR.AC-5.1 PR.AC-5.2 PR.DS-2.1 PR.DS-2.2 PR.DS-5.1 PR.PT-4.1 DE.CM-1.1 DE.CM-1.2 DE.CM-1.3 DE.CM-1.4
Related information	Restrict external IP addresses to specific instances

Define permitted external IP addresses for VM instances

Google control ID	CBD-CO-6.3
Implementation	Required
Description	The `compute.vmExternalIpAccess` list constraint lets you restrict external access to virtual machines by not assigning external IP addresses. Configure this list constraint to deny all external IP addresses to virtual machines.
Applicable products	Organization Policy Service Compute Engine
Path	`compute.vmExternalIpAccess`
Operator	`=`
Value	`Deny All`
Type	List
Related NIST-800-53 controls	AC-3 AC-12 AC-17 AC-20
Related CRI profile controls	PR.AC-3.1 PR.AC-3.2 PR.AC-4.1 PR.AC-4.2 PR.AC-4.3 PR.AC-6.1 PR.AC-7.1 PR.AC-7.2 PR.PT-3.1 PR-PT-4.1
Related information	Restrict external IP addresses to specific instances

Require VPC connector for Cloud Run functions

Google control ID	CF-CO-4.4
Implementation	Required
Description	The `cloudfunctions.requireVPCConnector` boolean constraint requires that administrators specify a Serverless VPC Access connector when they deploy a Cloud Run function. When enforced, functions must specify a connector.
Applicable products	Organization Policy Service Cloud Run functions
Path	`constraints/cloudfunctions.requireVPCConnector`
Operator	`=`
Value	`True`
Type	Boolean
Related NIST-800-53 controls	SC-7 SC-8
Related CRI profile controls	PR.AC-5.1 PR.AC-5.2 PR.DS-2.1 PR.DS-2.2 PR.DS-5.1 PR.PT-4.1 DE.CM-1.1 DE.CM-1.2 DE.CM-1.3 DE.CM-1.4
Related information	Connect to a VPC network

Configure message storage policies

Google control ID	PS-CO-4.1
Implementation	Optional
Description	If you publish messages to the global Pub/Sub endpoint, Pub/Sub automatically stores the messages in the nearest Google Cloud region. To control which regions your messages are stored in, configure a message storage policy on your topic. Use one of the following ways to configure message storage policies for topics: Set a message storage policy using the Resource Location Restriction (`gcp.resourceLocations`) organization policy constraint. Configure a message storage policy when creating a topic. For example: `gcloud pubsub topics create TOPIC_ID \--message-storage-policy-allowed-regions=REGION1, REGION2`
Applicable products	Organization Policy Service Pub/Sub
Related NIST-800-53 controls	AC-3 AC-17 AC-20
Related CRI profile controls	PR.AC-3.1 PR.AC-3.2 PR.AC-4.1 PR.AC-4.2 PR.AC-4.3 PR.AC-6.1 PR.PT-3.1 PR.PT-4.1
Related information	Configure message storage policies

Turn off external IP addresses for Dataflow jobs

Google control ID	DF-CO-6.1
Implementation	Optional
Description	Turn off external IP addresses for administrative and monitoring tasks that are related to Dataflow jobs. Instead, configure access to your Dataflow worker VMs using SSH. Enable Private Google Access and specify one of the following options in your Dataflow job: `--usePublicIps=false` and `--network=NETWORK-NAME` `--subnetwork=SUBNETWORK-NAME` Where: `NETWORK-NAME`: The name of your Compute Engine network. `SUBNETWORK-NAME`: The name of your Compute Engine subnetwork.
Applicable products	Compute Engine Dataflow
Related NIST-800-53 controls	SC-7 SC-8
Related CRI profile controls	PR.AC-5.1 PR.AC-5.2 PR.DS-2.1 PR.DS-2.2 PR.DS-5.1 PR.PT-4.1 DE.CM-1.1 DE.CM-1.2 DE.CM-1.3 DE.CM-1.4
Related information	Choose an access method Configure Private Google Access

Use network tags for firewall rules

Google control ID	DF-CO-6.2
Implementation	Optional
Description	Network tags are text attributes that attach to Compute Engine VMs such as Dataflow worker VMs. Network tags let you make VPC network firewall rules and some custom static routes applicable to specific VM instances. Dataflow supports adding network tags to all worker VMs that run a particular Dataflow job.
Applicable products	Compute Engine Dataflow
Related NIST-800-53 controls	SC-7 SC-8
Related CRI profile controls	PR.AC-5.1 PR.AC-5.2 PR.DS-2.1 PR.DS-2.2 PR.DS-5.1 PR.PT-4.1 DE.CM-1.1 DE.CM-1.2 DE.CM-1.3 DE.CM-1.4
Related information	Network tags for Dataflow

What's next

Review data management controls.
See more Google Cloud security best practices and guidelines for generative AI workloads.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-04-09 UTC.