Configure VPC Service Controls for Backup and DR Service

This page gives an overview of VPC Service Controls and how you can integrate it with Backup and DR Service to secure your data and resources.

About VPC Service Controls

VPC Service Controls helps mitigate the risk of data exfiltration from the Backup and DR Service management console. You can use VPC Service Controls to create service perimeters that protect the resources and data of various services. If the Backup and DR Service is protected by a perimeter, resources from outside the perimeter cannot communicate with the management console. However, you can allow resources from outside the service perimeter to access the management console and API. For more information, see allow access to protected resources from outside a perimeter.

For a general overview of VPC Service Controls, its security benefits, and its capabilities across Google Cloud products, see the Overview of VPC Service Controls.

Before you begin

Before you begin to configure VPC Service Controls for Backup and DR Service, do the following:

  1. In the Google Cloud console, on the Project Selector page, select or create a Google Cloud project.
  2. Make sure that billing is enabled for your Google Cloud project. Learn how to check if billing is enabled on a project.
  3. Follow the instructions in the Enable APIs section and enable the Access Context Manager API for your project.

Configure access levels and direction policies for backup vault

If the backup/recovery appliance and the backup vault are in the same VPC Service Controls perimeter, you don't need to configure access levels and direction policies. Otherwise, choose the scenario below that matches your perimeter configuration.

  • If the backup/recovery appliance and the backup vault are both protected, but by different perimeters:
    • Configure ingress exceptions in the perimeter that contains the backup vault resources. Add both backupdr.googleapis.com and storage.googleapis.com to the ingress rule. The source can be the IP address, the network, or the project in which the backup/recovery appliance runs.
    • Configure egress exceptions in the perimeter that contains the backup/recovery appliances. Add both backupdr.googleapis.com and storage.googleapis.com to the egress rule. The target is the project where the backup vault resource exists. You can combine that target with the IP address of the backup/recovery appliance or with any other property.
  • If only the backup vault resources are in a perimeter: configure ingress exceptions in the perimeter that contains the backup vault resources. Add both backupdr.googleapis.com and storage.googleapis.com to the ingress rule. The source can be the IP address, the network, or the project in which the backup/recovery appliance runs.
  • If only the backup/recovery appliance is in a perimeter: configure egress exceptions in the perimeter that contains the backup/recovery appliances. Add both backupdr.googleapis.com and storage.googleapis.com to the egress rule. The target is the project where the backup vault resource exists. You can combine that target with the IP address of the backup/recovery appliance or with any other property.
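
The following shell functions, added here as an example rather than taken from the page, emit the ingress and egress policy files for the first scenario above (appliance and backup vault in different perimeters), narrowed to the appliance's service account instead of any identity; the Compute Engine scenarios take the same shape with compute.googleapis.com and the backup vault service agent as the identity. Project numbers, the service account address and the perimeter names are placeholders.

```shell
# Added example (not from the page): builds the two VPC Service Controls
# policy files for an appliance and a backup vault protected by different
# perimeters. Project numbers and the service account are placeholders.
set -eu

# Ingress rule for the perimeter holding the backup vault: accept calls to
# backupdr.googleapis.com and storage.googleapis.com only when they originate
# in the appliance project ($1) from the appliance service account ($2).
vault_ingress_policy() {
  cat <<EOF
- ingressFrom:
    identities:
    - serviceAccount:$2
    sources:
    - resource: projects/$1
  ingressTo:
    operations:
    - serviceName: backupdr.googleapis.com
      methodSelectors:
      - method: "*"
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - "*"
EOF
}

# Egress rule for the perimeter holding the appliance: let the appliance
# service account ($2) reach the two services in the vault project ($1) only.
appliance_egress_policy() {
  cat <<EOF
- egressFrom:
    identities:
    - serviceAccount:$2
  egressTo:
    operations:
    - serviceName: backupdr.googleapis.com
      methodSelectors:
      - method: "*"
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: "*"
    resources:
    - projects/$1
EOF
}
```

Save each function's output to a file and apply it with gcloud access-context-manager perimeters update PERIMETER --policy=POLICY_ID --set-ingress-policies=FILE in the vault perimeter, or --set-egress-policies=FILE in the appliance perimeter (placeholder names).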

Configure access levels and direction policies for Compute Engine

If the administrator project and the workload project are in the same VPC Service Controls perimeter, you don't need to configure access levels and direction policies. Otherwise, choose the scenario below that matches your perimeter configuration.

  • If the administrator project and the workload project are in different service perimeters:
    • The administrator project needs to add an egress rule for the backup vault service agent to the workload project for both backupdr.googleapis.com and compute.googleapis.com.
    • The workload project needs to add an ingress rule to allow calls from the backup vault service agent and an egress rule for the backup vault service agent to the administrator project for both backupdr.googleapis.com and compute.googleapis.com.
  • If only the administrator project has a service perimeter: The administrator project needs to add an egress rule for the backup vault service agent to the workload project for both backupdr.googleapis.com and compute.googleapis.com.
  • If only the workload project has a service perimeter: The workload project needs to add an ingress rule to allow calls from the backup vault service agent and an egress rule for the backup vault service agent to the administrator project for both backupdr.googleapis.com and compute.googleapis.com.

Configure VPC Service Controls for Backup and DR Service

Use the following steps to configure VPC Service Controls for Backup and DR Service:

  1. Create a service perimeter
  2. Configure connectivity to Google APIs and services

The following sections describe these steps in detail.

Create a service perimeter

Use the following instructions to create a service perimeter:

  1. In the Google Cloud console, on the project selector page, select the Backup and DR Service project that you want the VPC service perimeter to protect.
  2. Create a service perimeter using the instructions described in Create a service perimeter.
  3. Add the following APIs to the service perimeter in the Restricted Services section:

    • Required: Backup and DR Service API - backupdr.googleapis.com
    • Optional: Compute Engine API - compute.googleapis.com
    • Optional: Resource Manager API - cloudresourcemanager.googleapis.com
    • Optional: Workflows API - workflows.googleapis.com
    • Optional: Cloud Key Management Service API - cloudkms.googleapis.com
    • Optional: Identity and Access Management API - iam.googleapis.com
    • Optional: Cloud Logging API - logging.googleapis.com
    • Optional: Cloud Storage API - storage.googleapis.com
  4. If you're using a Shared VPC, add the host and service projects in the Add Resources section.

After you set up a perimeter, access to the Backup and DR Service management console and API is, by default, allowed only from within the perimeter.

If a backup/recovery appliance makes Google Cloud API requests to resources outside the service perimeter, for example to recover a Compute Engine instance into a project or VPC network that is not in the same perimeter, you might see a VPC Service Controls access violation. To allow such API requests, create the appropriate ingress and egress rules in the service perimeter for the backup/recovery appliance service account.

Configure connectivity to Google APIs and services

In a VPC Service Controls configuration, to control network traffic, configure access to Google APIs and services through the restricted.googleapis.com domain. This domain blocks access to Google APIs and services that don't support VPC Service Controls. For more information, see domain options.

If you don't configure DNS rules for Google APIs and services, they are resolved using the domain option for default domains.

Backup and DR Service uses the following domains:

  • *.backupdr.cloud.google.com is used to access the management console.
  • *.googleapis.com is used to access other Google services.

Configure connectivity to the following restricted.googleapis.com endpoints in the DNS record section.

  • *.googleapis.com (DNS name: googleapis.com.)
    • CNAME record: DNS name *.googleapis.com., resource record type CNAME, canonical name googleapis.com.
    • A record: resource record type A, IPv4 addresses 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7
  • *.backupdr.cloud.google.com (DNS name: backupdr.cloud.google.com.)
    • CNAME record: DNS name *.backupdr.cloud.google.com., resource record type CNAME, canonical name backupdr.cloud.google.com.
    • A record: resource record type A, IPv4 addresses 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7
  • *.backupdr.googleusercontent.com (DNS name: backupdr.googleusercontent.com.)
    • CNAME record: DNS name *.backupdr.googleusercontent.com., resource record type CNAME, canonical name backupdr.googleusercontent.com.
    • A record: resource record type A, IPv4 addresses 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7

Create a DNS record

Use the following instructions to create a DNS record:

  1. In the Google Cloud console, go to the Create a DNS zone page.

  2. For the Zone type, select Private.

  3. In the Zone name field, enter a name. For example, backup-dr-new-zone.

  4. In the DNS name field, enter a name for the zone using a domain name that you own, for example, backupdr.cloud.google.com.

  5. Optional: Add a description.

  6. Under Options, select Default (private).

  7. Click Create.

  8. In the Zone details page, click Add Standard.

  9. In the Create record set page, use the following steps to add a CNAME record set:

    1. In the DNS Name field, enter *.backupdr.cloud.google.com.
    2. For the Resource record type, select CNAME.
    3. In the Canonical name field, enter backupdr.cloud.google.com.
    4. Click Create.
  10. In the Zone details page, click Add Standard and use the following steps to add an A record set with the IP addresses:

    1. In the DNS Name field, enter *.backupdr.cloud.google.com.
    2. Select A as the Resource record type.
    3. In the IPv4 addresses field, enter 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7.
    4. Click Create.

For more information, see Set up private connectivity to Google APIs and services.
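
As an added example (not the page's own procedure), this shell script creates, with gcloud dns, the private zones and the CNAME and A record sets listed in the table above for all three domains, attaching each zone to the VPC network of the backup/recovery appliance. The network name is a placeholder; the A record is placed on the zone apex because Cloud DNS rejects an A record at a name that already holds a CNAME.

```shell
# Added example: provisions the private Cloud DNS zones for the three domains
# from the table above, each mapping *.DOMAIN to the restricted.googleapis.com
# VIP range. The network name is a placeholder; GCLOUD can be overridden.
set -eu

RESTRICTED_VIPS="199.36.153.4,199.36.153.5,199.36.153.6,199.36.153.7"

# Derives a Cloud DNS zone name from a domain: googleapis.com -> googleapis-com
zone_name_for() {
  printf '%s' "$1" | tr . -
}

# Creates one private zone for DOMAIN ($1) on NETWORK ($2) with two records:
#   *.DOMAIN.  CNAME  DOMAIN.
#   DOMAIN.    A      restricted.googleapis.com VIPs
# The A record goes on the apex: a name holding a CNAME cannot hold an A record.
create_restricted_zone() {
  domain="$1"
  network="$2"
  zone="$(zone_name_for "$domain")"
  "${GCLOUD:-gcloud}" dns managed-zones create "$zone" \
    --dns-name="${domain}." --visibility=private --networks="$network" \
    --description="restricted.googleapis.com zone for ${domain}"
  "${GCLOUD:-gcloud}" dns record-sets create "*.${domain}." --zone="$zone" \
    --type=CNAME --ttl=300 --rrdatas="${domain}."
  "${GCLOUD:-gcloud}" dns record-sets create "${domain}." --zone="$zone" \
    --type=A --ttl=300 --rrdatas="$RESTRICTED_VIPS"
}

# All three domains the Backup and DR Service uses, on one VPC network ($1).
create_all_zones() {
  for d in googleapis.com backupdr.cloud.google.com backupdr.googleusercontent.com; do
    create_restricted_zone "$d" "$1"
  done
}

# create_all_zones my-vpc   # placeholder network name
```

For a Shared VPC, pass the host project's network and keep the host and service projects in the same perimeter, as the page's step 4 and the Limitations section require.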

Troubleshoot

VPC Service Controls for Backup and DR Service is supported by version 11.0.5 and later. You can check the version from the management console's Help > About.

If you encounter any issues while configuring VPC Service Controls for Backup and DR Service, refer to the VPC Service Controls troubleshooting section.

Limitations

If you have removed the internet default route from the service producer project with the gcloud command gcloud services vpc-peerings enable-vpc-service-controls, you might not be able to access or create the management console. Contact Google Cloud Customer Care if you run into this issue.

Before you mount a Compute Engine backup image, add the service and host projects to the same perimeter. Otherwise, you may not see the available networks.