This document shows how to configure VPC Service Controls to support the Data Engineering Agent. You can use VPC Service Controls with the Data Engineering Agent to mitigate the risk of data exfiltration.
To learn more about VPC Service Controls, see Overview of VPC Service Controls.
Limitations
- Gemini Data Analytics (geminidataanalytics.googleapis.com), Dataform (dataform.googleapis.com), BigQuery (bigquery.googleapis.com), Knowledge Catalog (dataplex.googleapis.com), and Cloud Storage (storage.googleapis.com) must all be restricted within the same VPC Service Controls service perimeter.
- The same limitations that apply to Dataform within a VPC Service Controls perimeter also apply when using Gemini Data Analytics. This includes the requirement to set the dataform.restrictGitRemotes organization policy. For more information, see Limitations.
Security considerations
When you set up a VPC Service Controls perimeter for Gemini Data Analytics, review the permissions granted to your service agents and accounts, including Dataform service agents and any custom service accounts, to ensure alignment with your security architecture. The permissions granted to these accounts determine their access to resources within the perimeter.
Before you begin
- Ensure that the users or service accounts using Gemini Data Analytics have the necessary IAM permissions. You can grant the role roles/geminidataanalytics.dataAgentStatelessUser, which includes the required permission geminidataanalytics.locations.useDataEngineeringAgent. These IAM roles are required to interact with the Gemini Data Analytics API, even when calls originate within a VPC Service Controls perimeter.
- Before configuring a VPC Service Controls service perimeter, you must set the dataform.restrictGitRemotes organization policy. This policy ensures that VPC Service Controls enforces checks when you use Dataform features through Gemini Data Analytics. For more information, see Restrict remote repositories.
Enable APIs
Enable the Gemini Data Analytics, Dataform, and BigQuery APIs.
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
Required roles
To get the permissions that you need to configure VPC Service Controls service perimeters, ask your administrator to grant you the Access Context Manager Editor (roles/accesscontextmanager.policyEditor) IAM role on the project.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
For more information about VPC Service Controls permissions, see Access control with IAM.
Configure VPC Service Controls
When you create a new service perimeter, you must include the following APIs in the same service perimeter:
- geminidataanalytics.googleapis.com
- dataform.googleapis.com
- bigquery.googleapis.com
- dataplex.googleapis.com
- storage.googleapis.com
If you have an existing service perimeter, you can update it to include the required APIs listed above within the same service perimeter.
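The following script is an added example and is not code from the Google Cloud documentation or the Gemini Data Analytics product. It strings together the steps described on this page (set the dataform.restrictGitRemotes organization policy, grant roles/geminidataanalytics.dataAgentStatelessUser, enable the APIs, and create or update a perimeter that restricts all five services) and adds an offline check that a perimeter's restricted-services list really contains every service the page requires. The project, organization, policy, perimeter and principal values are placeholders, the deny-all rule for the Git-remotes policy is an assumption (allow a list of remotes instead if you need them), and the live gcloud steps only run when the script is invoked with the argument "apply".

```shell
#!/bin/sh
# Added example, not from the documentation page. Placeholders below must be
# replaced before use; the offline check runs without any gcloud access.

PROJECT_ID="${PROJECT_ID:-my-project-id}"                       # placeholder
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"                 # placeholder
ORG_ID="${ORG_ID:-123456789}"                                    # placeholder
POLICY_ID="${POLICY_ID:-987654321}"                              # Access Context Manager policy id, placeholder
PERIMETER_NAME="${PERIMETER_NAME:-data_eng_agent_perimeter}"     # placeholder
PRINCIPAL="${PRINCIPAL:-user:analyst@example.com}"               # placeholder

# The five services the page says must be restricted in the same perimeter.
REQUIRED_SERVICES="geminidataanalytics.googleapis.com dataform.googleapis.com bigquery.googleapis.com dataplex.googleapis.com storage.googleapis.com"

# Comma-separated form for gcloud flags that take a list.
required_csv() {
  printf '%s' "$REQUIRED_SERVICES" | tr ' ' ','
}

# Step 1 (Before you begin): set the dataform.restrictGitRemotes organization
# policy. denyAll is an assumed setting that blocks every remote repository.
set_restrict_git_remotes_policy() {
  cat > /tmp/restrict-git-remotes.yaml <<EOF
name: organizations/${ORG_ID}/policies/dataform.restrictGitRemotes
spec:
  rules:
  - denyAll: true
EOF
  gcloud org-policies set-policy /tmp/restrict-git-remotes.yaml
}

# Step 2 (Before you begin): grant the role the page names to the principal.
grant_agent_role() {
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$PRINCIPAL" \
    --role=roles/geminidataanalytics.dataAgentStatelessUser
}

# Step 3 (Enable APIs): enable all five services in the project.
enable_required_apis() {
  # Unquoted on purpose: each service becomes its own argument.
  gcloud services enable $REQUIRED_SERVICES --project="$PROJECT_ID"
}

# Step 4a (Configure VPC Service Controls): new perimeter restricting all five.
create_perimeter() {
  gcloud access-context-manager perimeters create "$PERIMETER_NAME" \
    --title="Data Engineering Agent perimeter" \
    --resources="projects/${PROJECT_NUMBER}" \
    --restricted-services="$(required_csv)" \
    --policy="$POLICY_ID"
}

# Step 4b: existing perimeter; add the services without touching the rest.
update_existing_perimeter() {
  gcloud access-context-manager perimeters update "$PERIMETER_NAME" \
    --policy="$POLICY_ID" \
    --add-restricted-services="$(required_csv)"
}

# Offline check: print the required services absent from a restricted-services
# list. $1 may be separated by commas, semicolons or whitespace, which covers
# what `perimeters describe --format="value(status.restrictedServices)"` prints.
missing_services() {
  have=$(printf '%s' "$1" | tr ',;' '  ')
  missing=""
  for svc in $REQUIRED_SERVICES; do
    found=0
    for h in $have; do
      if [ "$h" = "$svc" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then missing="$missing $svc"; fi
  done
  printf '%s' "${missing# }"
}

# Live check against the real perimeter (needs gcloud and the Editor role).
check_live_perimeter() {
  live=$(gcloud access-context-manager perimeters describe "$PERIMETER_NAME" \
    --policy="$POLICY_ID" --format="value(status.restrictedServices)")
  missing_services "$live"
}

# Constructed sample of a partially configured perimeter; not real output.
SAMPLE="bigquery.googleapis.com;storage.googleapis.com"
echo "Missing from constructed sample: $(missing_services "$SAMPLE")"

if [ "${1:-}" = "apply" ]; then
  set_restrict_git_remotes_policy
  grant_agent_role
  enable_required_apis
  create_perimeter || update_existing_perimeter
  echo "Still missing after apply: $(check_live_perimeter)"
fi
```

Run the offline part as `sh configure_perimeter.sh` and the live steps as `sh configure_perimeter.sh apply`; an empty "missing" line from the live check is the condition the Limitations section requires, since a perimeter that restricts only some of the five services leaves the Data Engineering Agent's calls outside the boundary.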
What's next
- To learn more about VPC Service Controls, see Overview of VPC Service Controls.
- To learn more about VPC Service Controls integration in Dataform, see Configure VPC Service Controls for Dataform.
- To learn more about VPC Service Controls integration in BigQuery, see VPC Service Controls for BigQuery.
- To learn more about the Organization Policy Service, see Introduction to the Organization Policy Service.