Secure instances with a service perimeter

This page shows you how to protect your Managed Lustre instances with a service perimeter using VPC Service Controls.

VPC Service Controls protect against data exfiltration and provide an extra layer of security for your instances. For more information about VPC Service Controls, see Overview of VPC Service Controls.

Once the Managed Lustre API is protected by a service perimeter, Managed Lustre API requests from clients outside the perimeter are allowed only if they satisfy the perimeter's access level rules.

Securing your Google Cloud Managed Lustre instances using VPC Service Controls

  1. Create a service perimeter.

  2. Add the Managed Lustre API to your service perimeter. For instructions on adding a service to your service perimeter, see Updating a service perimeter.

Limitations of VPC Service Controls for Managed Lustre instances

The following limitations apply when using VPC Service Controls with Managed Lustre:

  • VPC Service Controls doesn't support customer-managed encryption keys (CMEK) in Managed Lustre. If you attempt to create a CMEK-protected instance within a service perimeter, the instance creation operation fails.
  • To transfer data between Managed Lustre and Cloud Storage, the project containing the Cloud Storage bucket must be within the same service perimeter as the Managed Lustre instance. To import or export data outside the perimeter, you must configure an egress rule to allow the Managed Lustre service agent (service-PROJECT_NUMBER@gcp-sa-lustre.iam.gserviceaccount.com) to access the bucket.
  • If you use both Shared VPC and VPC Service Controls, the host project that contains the network and the service project that contains the Managed Lustre instance must both be inside the same perimeter. Separating the host project and service project with a perimeter can cause existing instances to become unavailable and can prevent creation of new instances.
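The following is an added example, not code from the Managed Lustre documentation. It carries out the two-step procedure above (create a perimeter, restrict the Managed Lustre API) and renders the egress rule that the Cloud Storage limitation above calls for, scoped to the Managed Lustre service agent only. It assumes that `lustre.googleapis.com` is the Managed Lustre API service name and that the project numbers and access policy ID are your own placeholder values.

```shell
#!/bin/sh
# Added example (not from the Managed Lustre docs). Assumptions:
#   - lustre.googleapis.com is assumed to be the Managed Lustre API service name
#   - project numbers and the access policy ID are placeholders you supply
set -eu

# Render a VPC Service Controls egress rule (gcloud YAML format) that lets only
# the Managed Lustre service agent of one project reach Cloud Storage in one
# target project outside the perimeter. Least privilege: a single identity,
# a single service, a single target project. Prints the YAML to stdout.
render_lustre_egress_policy() {
  lustre_project_number="$1"
  bucket_project_number="$2"
  cat <<EOF
- egressFrom:
    identities:
    - serviceAccount:service-${lustre_project_number}@gcp-sa-lustre.iam.gserviceaccount.com
  egressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/${bucket_project_number}
EOF
}

# Create the perimeter around the Managed Lustre project, restrict the
# Managed Lustre API inside it, then attach the egress rule. This function is
# not called automatically; invoke it yourself with real values.
apply_lustre_perimeter() {
  perimeter_name="$1"; policy_id="$2"
  lustre_project_number="$3"; bucket_project_number="$4"
  policy_file="$(mktemp)"
  render_lustre_egress_policy "$lustre_project_number" "$bucket_project_number" > "$policy_file"
  gcloud access-context-manager perimeters create "$perimeter_name" \
    --policy="$policy_id" \
    --title="$perimeter_name" \
    --resources="projects/${lustre_project_number}" \
    --restricted-services=lustre.googleapis.com
  gcloud access-context-manager perimeters update "$perimeter_name" \
    --policy="$policy_id" \
    --set-egress-policies="$policy_file"
  rm -f "$policy_file"
}
```

The egress rule names the bucket's project, not the bucket itself, so keep that project dedicated to the data you intend to move across the perimeter.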