This page shows you how to protect your Managed Lustre instances with a service perimeter using VPC Service Controls.
VPC Service Controls protect against data exfiltration and provide an extra layer of security for your instances. For more information about VPC Service Controls, see Overview of VPC Service Controls.
Once the Managed Lustre API is protected by a service perimeter, Managed Lustre API requests from clients outside the perimeter are denied unless they satisfy an access level that the perimeter allows.
Securing your Google Cloud Managed Lustre instances using VPC Service Controls
Add the Managed Lustre API to your service perimeter. For instructions on adding a service to your service perimeter, see Updating a service perimeter.
Use VPC Service Controls with customer-managed encryption keys (CMEK)
When creating a CMEK-protected Managed Lustre instance within a VPC Service Controls perimeter, your Cloud KMS key must be either:
- Within the same VPC Service Controls perimeter; or
- Accessible through an egress rule.
When the CMEK-protected instance and the Cloud KMS keys are in the same perimeter, no further configuration is required.
If the Cloud KMS keys are outside of the perimeter, add the following rule to your VPC Service Controls perimeter:
{
  "egressFrom": {
    "identityType": "ANY_SERVICE_ACCOUNT",
    "sourceRestriction": "SOURCE_RESTRICTION_ENABLED",
    "sources": [
      {
        "resource": "projects/CONSUMER_PROJECT_NUMBER"
      }
    ]
  },
  "egressTo": {
    "operations": [
      {
        "methodSelectors": [{"method": "*"}],
        "serviceName": "cloudkms.googleapis.com"
      }
    ],
    "resources": [
      "projects/KMS_PROJECT_NUMBER"
    ]
  }
}
Replace the placeholders as follows:
- CONSUMER_PROJECT_NUMBER is the project number of the project that will contain your CMEK-protected Managed Lustre instance.
- KMS_PROJECT_NUMBER is the project number of the project containing your Cloud Key Management Service keys.
Learn how to find a project number.
Limitations of VPC Service Controls for Managed Lustre instances
The following limitation applies when using VPC Service Controls with Managed Lustre:
- If you use both Shared VPC and VPC Service Controls, the host project that contains the network and the service project that contains the Managed Lustre instance must both be inside the same perimeter. Separating the host project and service project with a perimeter can cause existing instances to become unavailable and can prevent creation of new instances.
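The two checks a practitioner would want before creating an instance are whether a CMEK egress rule of the shape shown above actually covers the consumer-to-KMS path, and whether a Shared VPC host project and service project both sit inside the perimeter. The following is an added example, not code from the Managed Lustre documentation; it evaluates a perimeter configuration offline, using constructed placeholder project numbers and the egressFrom/egressTo field names from the rule above.

```python
# Constructed perimeter (placeholder project numbers, not a real deployment).
CONSUMER = "projects/111111111111"   # project that will hold the Managed Lustre instance
KMS = "projects/222222222222"        # project that holds the Cloud KMS keys
HOST = "projects/333333333333"       # Shared VPC host project

PERIMETER = {
    "resources": [CONSUMER, HOST],
    "egressPolicies": [{
        "egressFrom": {
            "identityType": "ANY_SERVICE_ACCOUNT",
            "sourceRestriction": "SOURCE_RESTRICTION_ENABLED",
            "sources": [{"resource": CONSUMER}],
        },
        "egressTo": {
            "operations": [{"methodSelectors": [{"method": "*"}],
                            "serviceName": "cloudkms.googleapis.com"}],
            "resources": [KMS],
        },
    }],
}

def _source_matches(egress_from, consumer):
    """True if the rule's source side covers service accounts from `consumer`.
    Only the identityType forms are evaluated; explicit identity lists are not."""
    if egress_from.get("identityType") not in ("ANY_SERVICE_ACCOUNT", "ANY_IDENTITY"):
        return False
    if egress_from.get("sourceRestriction") != "SOURCE_RESTRICTION_ENABLED":
        return True  # no source restriction: any source inside the perimeter
    return any(s.get("resource") in (consumer, "*") for s in egress_from.get("sources", []))

def _target_matches(egress_to, kms):
    """True if the rule permits at least one Cloud KMS method against `kms`."""
    if not any(r in (kms, "*") for r in egress_to.get("resources", [])):
        return False
    return any(op.get("serviceName") == "cloudkms.googleapis.com" and op.get("methodSelectors")
               for op in egress_to.get("operations", []))

def kms_egress_allowed(perimeter, consumer, kms):
    """Can the instance in `consumer` reach its CMEK key in `kms`?"""
    if consumer == kms or kms in perimeter.get("resources", []):
        return True  # keys are inside the same perimeter: no egress rule needed
    return any(_source_matches(p.get("egressFrom", {}), consumer)
               and _target_matches(p.get("egressTo", {}), kms)
               for p in perimeter.get("egressPolicies", []))

def shared_vpc_ok(perimeter, host, service):
    """Shared VPC limitation: host and service project must both be perimeter resources."""
    resources = set(perimeter.get("resources", []))
    return host in resources and service in resources
```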