When you run Workload Manager evaluations in projects that are protected by VPC Service Controls, you must configure ingress and egress rules for the service account attached to the Compute Engine instance that runs your Agent for Compute Workloads. These rules let the service account call the required APIs from inside the VPC Service Controls perimeter. If you don't configure these rules, the perimeter blocks the agent's API calls, the agent cannot send data to Workload Manager, and your evaluations fail.
For more information, see Overview of VPC Service Controls.
Before you begin
Before setting up VPC Service Controls for your project, do the following:
- Set up a VPC Service Controls perimeter.
- Identify the service account attached to the Compute Engine instance that runs your Agent for Compute Workloads. For example, sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com. You can find this on the VM instance details page in the Google Cloud console.
- Verify that the service account has the required roles. For example, see Required roles for the agent and SAP workloads.
Required roles
To get the permissions that you need to configure Workload Manager for use within VPC Service Controls perimeters, ask your administrator to grant you the Access Context Manager Editor (roles/accesscontextmanager.policyEditor) IAM role on your project.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Create ingress and egress rules for a service perimeter
To let the Agent for Compute Workloads communicate with required services, you must configure ingress and egress rules in your VPC Service Controls perimeter.
For more information about how to create ingress rules, see Configuring ingress and egress policies.
Console
In the Google Cloud console, go to the VPC Service Controls page.
Select your project.
Click the name of the service perimeter, and then click Edit.
Click Ingress policy or Egress policy.
Click Add an ingress rule.
In the From section, specify the identity of the agent's service account:
- For Identities, select Select identities & groups.
- Click Add identities.
- Enter the email address of the agent service account. For example,
sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com.
In the To section, specify the allowed operations:
- For Resources, select All projects.
- For Operations, select Select operations.
- Click Add operations, and then add the following services with All methods selected:
  - compute.googleapis.com
  - workloadmanager.googleapis.com
  - secretmanager.googleapis.com
Click Done, and then click Save.
gcloud
To add the ingress rule, create a YAML file that contains the ingress rule and use the gcloud access-context-manager perimeters update command with the --set-ingress-policies flag. Note that --set-ingress-policies replaces all existing ingress policies on the perimeter with the contents of the file, so if the perimeter already has ingress rules that you want to keep, include them in the same file.
Create an ingress policy YAML file named ingress_policy.yaml with the following contents:

```yaml
- ingressFrom:
    identities:
    - serviceAccount:SERVICE_ACCOUNT_EMAIL
    sources:
    - accessLevel: '*'
  ingressTo:
    operations:
    - serviceName: compute.googleapis.com
      methodSelectors:
      - method: "*"
    - serviceName: workloadmanager.googleapis.com
      methodSelectors:
      - method: "*"
    - serviceName: secretmanager.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - "*"
```

Replace SERVICE_ACCOUNT_EMAIL with the email address of the service account attached to the Compute Engine instance that runs the Agent for Compute Workloads.

Add the ingress policy to the perimeter:

```
gcloud access-context-manager perimeters update PERIMETER_NAME \
    --set-ingress-policies=ingress_policy.yaml
```

Replace PERIMETER_NAME with the name of your service perimeter. For example, accessPolicies/1234567890/servicePerimeters/example_perimeter.
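The following script is an added example, not part of this page or of the Workload Manager product, that wraps the gcloud procedure above. It generates the ingress policy for a given agent service account, checks that the generated file names the service account and all three services before anything is applied, reads back the perimeter's current ingress policies (so that existing rules can be merged into the file, since --set-ingress-policies replaces them), and applies the file. The function names, the hypothetical check logic, and the service account address used in the comments are assumptions of this example; the gcloud commands and flags (perimeters update --set-ingress-policies, perimeters describe --format) are real.

```shell
#!/usr/bin/env bash
# Added example (not from the Workload Manager documentation): build, check and
# apply the VPC Service Controls ingress policy for the Agent for Compute
# Workloads service account. Assumes gcloud is installed and authenticated with
# an identity that holds roles/accesscontextmanager.policyEditor.
set -eu

# The three services the agent needs, as listed on the page.
AGENT_SERVICES="compute.googleapis.com workloadmanager.googleapis.com secretmanager.googleapis.com"

# write_ingress_policy SA_EMAIL OUTFILE
# Writes the same ingress rule the page shows, for one service account.
# Rejects anything that does not look like a service account address so a typo
# does not silently produce a rule that matches nothing.
write_ingress_policy() {
  local sa_email="$1" outfile="$2" svc
  case "$sa_email" in
    *@*.iam.gserviceaccount.com) ;;
    *) echo "not a service account email: $sa_email" >&2; return 1 ;;
  esac
  {
    echo "- ingressFrom:"
    echo "    identities:"
    echo "    - serviceAccount:${sa_email}"
    echo "    sources:"
    echo "    - accessLevel: '*'"
    echo "  ingressTo:"
    echo "    operations:"
    for svc in $AGENT_SERVICES; do
      echo "    - serviceName: ${svc}"
      echo "      methodSelectors:"
      echo "      - method: \"*\""
    done
    echo "    resources:"
    echo "    - \"*\""
  } > "$outfile"
}

# check_ingress_policy FILE SA_EMAIL
# Returns 0 only if FILE grants the given service account access to every
# service in AGENT_SERVICES; run this before applying the file.
check_ingress_policy() {
  local file="$1" sa_email="$2" svc
  grep -q -- "serviceAccount:${sa_email}" "$file" || return 1
  for svc in $AGENT_SERVICES; do
    grep -q -- "serviceName: ${svc}" "$file" || return 1
  done
}

# current_ingress_policies PERIMETER_NAME
# Prints the perimeter's enforced ingress policies as YAML. Merge this output
# into the file before apply_ingress_policy, because --set-ingress-policies
# replaces every existing ingress rule on the perimeter.
current_ingress_policies() {
  gcloud access-context-manager perimeters describe "$1" \
    --format="yaml(status.ingressPolicies)"
}

# apply_ingress_policy PERIMETER_NAME FILE
# PERIMETER_NAME is the perimeter resource name, for example
# accessPolicies/1234567890/servicePerimeters/example_perimeter.
apply_ingress_policy() {
  gcloud access-context-manager perimeters update "$1" \
    --set-ingress-policies="$2"
}

# Usage (hypothetical values):
#   write_ingress_policy sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com ingress_policy.yaml
#   check_ingress_policy ingress_policy.yaml sap-example-svc-acct@example-project-123456.iam.gserviceaccount.com
#   current_ingress_policies accessPolicies/1234567890/servicePerimeters/example_perimeter
#   apply_ingress_policy accessPolicies/1234567890/servicePerimeters/example_perimeter ingress_policy.yaml
```

After applying, run current_ingress_policies again and confirm that the agent's service account and the three services appear; if the agent still fails, the VPC Service Controls audit log entry for the blocked call will show which service or method was denied.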
Troubleshoot VPC Service Controls violations
To view VPC Service Controls violations in your project and troubleshoot issues, use Logs Explorer.
For more information, see Troubleshooting VPC Service Controls.