This page gives an overview of VPC Service Controls and how you can integrate it with Backup and DR Service to secure your data and resources.
About VPC Service Controls
VPC Service Controls helps mitigate the risk of data exfiltration from the Backup and DR Service management console. You can use VPC Service Controls to create service perimeters that protect the resources and data of various services. If the Backup and DR Service is protected by a perimeter, resources from outside the perimeter cannot communicate with the management console. However, you can allow resources from outside the service perimeter to access the management console and API. For more information, see allow access to protected resources from outside a perimeter.
For a general overview of VPC Service Controls, its security benefits, and its capabilities across Google Cloud products, see the Overview of VPC Service Controls.
Before you begin
Before you begin to configure VPC Service Controls for Backup and DR Service, do the following:
- In the Google Cloud console, on the Project Selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project. Learn how to check if billing is enabled on a project.
- Follow the instructions in the Enable APIs section and enable the Access Context Manager API for your project.
Configure access levels and direction policies for backup vault
If the backup/recovery appliance and backup vault are in the same VPC Service Controls perimeter, you don't need to configure access levels and direction policies. Otherwise, choose the configuration scenario that matches your perimeter layout.
- If the backup/recovery appliance and backup vault are both protected, but by different perimeters:
  - Configure an ingress rule in the perimeter that contains the backup vault resources. Add both backupdr.googleapis.com and storage.googleapis.com to the rule. The source can be the IP address or network of the backup/recovery appliance (an IP address or network source is expressed as an access level), or the project in which the appliance runs.
  - Configure an egress rule in the perimeter that contains the backup/recovery appliance. Add both backupdr.googleapis.com and storage.googleapis.com to the rule. The target is the project that contains the backup vault resource. You can further restrict the rule to the appliance's IP address or another property.
- If only the backup vault resources are in a perimeter:
  Configure an ingress rule in the perimeter that contains the backup vault resources. Add both backupdr.googleapis.com and storage.googleapis.com to the rule. The source can be the IP address, network, or project of the backup/recovery appliance.
- If only the backup/recovery appliance is in a perimeter:
  Configure an egress rule in the perimeter that contains the backup/recovery appliance. Add both backupdr.googleapis.com and storage.googleapis.com to the rule. The target is the project that contains the backup vault resource. You can further restrict the rule to the appliance's IP address or another property.
Configure access levels and direction policies for Compute Engine
If the administrator project and workload project are in the same VPC Service Controls perimeter, you don't need to configure access levels and direction policies. Otherwise, choose the configuration scenario that matches your perimeter layout.
- If the administrator project and workload project are in different service perimeters:
  - The administrator project's perimeter needs an egress rule that allows the backup vault service agent to reach the workload project for both backupdr.googleapis.com and compute.googleapis.com.
  - The workload project's perimeter needs an ingress rule that allows calls from the backup vault service agent, and an egress rule that allows the backup vault service agent to reach the administrator project, for both backupdr.googleapis.com and compute.googleapis.com.
- If only the administrator project has a service perimeter:
  The administrator project's perimeter needs an egress rule that allows the backup vault service agent to reach the workload project for both backupdr.googleapis.com and compute.googleapis.com.
- If only the workload project has a service perimeter:
  The workload project's perimeter needs an ingress rule that allows calls from the backup vault service agent, and an egress rule that allows the backup vault service agent to reach the administrator project, for both backupdr.googleapis.com and compute.googleapis.com.
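Both sets of rules above (the backup vault ingress and egress rules, and the Compute Engine administrator/workload rules) written out in the YAML form that gcloud access-context-manager perimeters update accepts, as an added example that is not part of this page and not Google's own tooling. Every project number, perimeter name and the backup vault service agent address is a placeholder (override them with environment variables). The "IP address or network" source option in the text is expressed in this format as an access level with ipSubnetworks, referenced as accessLevel: under sources; this script only generates project-based sources.

```shell
# Added example (not from this page or from Google): emit VPC Service Controls
# ingress/egress rule files for the scenarios above and print the gcloud
# commands that apply them. Every project number, perimeter name and service
# agent address is a placeholder; override them with environment variables.
set -eu

# write_ingress_rule OUT SOURCE_PROJECT_NUMBER IDENTITY SERVICE...
# Allows calls from SOURCE_PROJECT_NUMBER (a project outside this perimeter)
# to the listed services on any resource inside it. An empty IDENTITY means
# ANY_IDENTITY. To match on an appliance IP or network instead of a project,
# reference an access level (ipSubnetworks) as "- accessLevel: ..." under sources.
write_ingress_rule() {
  out="$1"; src_project="$2"; identity="$3"; shift 3
  {
    echo "- ingressFrom:"
    if [ -n "$identity" ]; then
      echo "    identities:"
      echo "    - $identity"
    else
      echo "    identityType: ANY_IDENTITY"
    fi
    echo "    sources:"
    echo "    - resource: projects/$src_project"
    echo "  ingressTo:"
    echo "    operations:"
    for svc in "$@"; do
      echo "    - serviceName: $svc"
      echo "      methodSelectors:"
      echo "      - method: \"*\""
    done
    echo "    resources:"
    echo "    - \"*\""
  } > "$out"
}

# write_egress_rule OUT TARGET_PROJECT_NUMBER IDENTITY SERVICE...
# Allows IDENTITY (or any identity) inside this perimeter to call the listed
# services on resources in TARGET_PROJECT_NUMBER, which is outside it.
write_egress_rule() {
  out="$1"; target_project="$2"; identity="$3"; shift 3
  {
    echo "- egressFrom:"
    if [ -n "$identity" ]; then
      echo "    identities:"
      echo "    - $identity"
    else
      echo "    identityType: ANY_IDENTITY"
    fi
    echo "  egressTo:"
    echo "    operations:"
    for svc in "$@"; do
      echo "    - serviceName: $svc"
      echo "      methodSelectors:"
      echo "      - method: \"*\""
    done
    echo "    resources:"
    echo "    - projects/$target_project"
  } > "$out"
}

# count_services FILE: number of serviceName entries, for sanity checks.
count_services() { grep -c 'serviceName:' "$1"; }

# update_command PERIMETER FLAGS: print the gcloud update (run it with APPLY=1).
update_command() {
  cmd="gcloud access-context-manager perimeters update $1 --policy=${POLICY:-POLICY_ID} $2"
  echo "$cmd"
  [ "${APPLY:-0}" = "1" ] && eval "$cmd"
  return 0
}

# Scenario: appliance and backup vault protected by different perimeters.
APPLIANCE_PROJECT_NUMBER="${APPLIANCE_PROJECT_NUMBER:-111111111111}"
VAULT_PROJECT_NUMBER="${VAULT_PROJECT_NUMBER:-222222222222}"
write_ingress_rule vault-ingress.yaml "$APPLIANCE_PROJECT_NUMBER" "" \
  backupdr.googleapis.com storage.googleapis.com
write_egress_rule appliance-egress.yaml "$VAULT_PROJECT_NUMBER" "" \
  backupdr.googleapis.com storage.googleapis.com
update_command vault-perimeter "--set-ingress-policies=vault-ingress.yaml"
update_command appliance-perimeter "--set-egress-policies=appliance-egress.yaml"

# Scenario: administrator and workload projects in different perimeters; the
# rules are scoped to the backup vault service agent (address format assumed).
ADMIN_PROJECT_NUMBER="${ADMIN_PROJECT_NUMBER:-333333333333}"
WORKLOAD_PROJECT_NUMBER="${WORKLOAD_PROJECT_NUMBER:-444444444444}"
VAULT_AGENT="serviceAccount:${VAULT_AGENT_EMAIL:-service-$ADMIN_PROJECT_NUMBER@gcp-sa-backupdr.iam.gserviceaccount.com}"
write_egress_rule admin-egress.yaml "$WORKLOAD_PROJECT_NUMBER" "$VAULT_AGENT" \
  backupdr.googleapis.com compute.googleapis.com
write_ingress_rule workload-ingress.yaml "$ADMIN_PROJECT_NUMBER" "$VAULT_AGENT" \
  backupdr.googleapis.com compute.googleapis.com
write_egress_rule workload-egress.yaml "$ADMIN_PROJECT_NUMBER" "$VAULT_AGENT" \
  backupdr.googleapis.com compute.googleapis.com
update_command admin-perimeter "--set-egress-policies=admin-egress.yaml"
update_command workload-perimeter \
  "--set-ingress-policies=workload-ingress.yaml --set-egress-policies=workload-egress.yaml"
```

The --set-ingress-policies and --set-egress-policies flags replace the perimeter's entire list of rules of that type, so merge any rules the perimeter already has into the file before applying; the script only prints the commands unless APPLY=1 is set. Scoping the Compute Engine rules to the service agent identity rather than ANY_IDENTITY keeps the exception as narrow as the page's description requires.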
Configure VPC Service Controls for Backup and DR Service
Configuring VPC Service Controls for Backup and DR Service involves three steps: create a service perimeter, configure connectivity to Google APIs and services through restricted.googleapis.com, and create the DNS records for the Backup and DR Service domains. The following sections describe these steps in detail.
Create a service perimeter
Use the following instructions to create a service perimeter:
- In the Google Cloud console, on the project selector page, select the Backup and DR Service project that you want the VPC service perimeter to protect.
- Create a service perimeter using the instructions described in Create a service perimeter.
Add the following APIs to the service perimeter in the Restricted Services section:
- Required: Backup and DR Service API - backupdr.googleapis.com
- Optional: Compute Engine API - compute.googleapis.com
- Optional: Resource Manager API - cloudresourcemanager.googleapis.com
- Optional: Workflows API - workflows.googleapis.com
- Optional: Cloud Key Management Service API - cloudkms.googleapis.com
- Optional: Identity and Access Management API - iam.googleapis.com
- Optional: Cloud Logging API - logging.googleapis.com
- Optional: Cloud Storage API - storage.googleapis.com
If you're using a Shared VPC, add the host and service projects in the Add Resources section.
Once you set up a perimeter, by default, access to the Backup and DR Service management console and API is only allowed from within the security perimeter.
If a backup/recovery appliance makes cloud API requests to the outside of the service perimeter, for example, to recover a Compute Engine instance to a project or VPC network that is not in the same perimeter, you may see a VPC Service Controls access violation. To allow API requests, you must create appropriate ingress and egress rules in the VPC Service Controls service perimeter for the backup/recovery appliance service account.
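The perimeter creation above, plus the violation handling in the last paragraph, as an added example that is not from this page and not Google's tooling: a POSIX shell script that validates the restricted-services list against the services this page names, prints the gcloud dry-run create and enforce sequence so that would-be violations show up in the audit log before they block appliance traffic, and builds the Cloud Logging filter for VPC Service Controls violations attributed to the appliance service account. The perimeter name, policy ID, project number and account addresses are placeholders; the audit-log metadata type and the vpcServiceControlsUniqueId field name come from Cloud Audit Logs as I know them, not from this page.

```shell
# Added example (not from this page or from Google): validate the restricted
# services list, print the gcloud dry-run create/enforce sequence for the
# perimeter, and build the Cloud Logging filter used to find VPC Service
# Controls violations caused by the appliance service account.
# Perimeter name, policy ID, project number and account addresses are placeholders.
set -eu

# The services this page lists as supported in the perimeter; backupdr is required.
REQUIRED_SERVICE="backupdr.googleapis.com"
OPTIONAL_SERVICES="compute.googleapis.com cloudresourcemanager.googleapis.com workflows.googleapis.com cloudkms.googleapis.com iam.googleapis.com logging.googleapis.com storage.googleapis.com"

# restricted_services "svc svc ...": comma-separated list that always starts
# with backupdr.googleapis.com, drops duplicates and rejects anything not on the
# list above (a misspelled service would otherwise stay unrestricted without error).
restricted_services() {
  list="$REQUIRED_SERVICE"
  for svc in $1; do
    [ "$svc" = "$REQUIRED_SERVICE" ] && continue
    case " $OPTIONAL_SERVICES " in
      *" $svc "*) ;;
      *) echo "unsupported service: $svc" >&2; return 1 ;;
    esac
    case ",$list," in
      *",$svc,"*) ;;
      *) list="$list,$svc" ;;
    esac
  done
  echo "$list"
}

# perimeter_commands NAME POLICY_ID PROJECT_NUMBER "svc ...": create the
# perimeter in dry-run mode first, so would-be violations are only logged, then
# enforce once the appliance traffic has been observed to be clean.
perimeter_commands() {
  services=$(restricted_services "$4") || return 1
  printf 'gcloud access-context-manager perimeters dry-run create %s --policy=%s --perimeter-title=%s --perimeter-type=regular --perimeter-resources=projects/%s --perimeter-restricted-services=%s\n' \
    "$1" "$2" "$1" "$3" "$services"
  printf 'gcloud access-context-manager perimeters dry-run enforce %s --policy=%s\n' "$1" "$2"
}

# violation_filter PRINCIPAL: Cloud Logging filter for audit entries that VPC
# Service Controls annotated with VpcServiceControlAuditMetadata (the denials
# reported as "access violation"), limited to one principal. Field names are
# from Cloud Audit Logs, not from this page.
violation_filter() {
  printf 'protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" AND protoPayload.authenticationInfo.principalEmail="%s"' "$1"
}

# logs_command PRINCIPAL PROJECT_ID: the gcloud logging read invocation that
# lists the service, method and VPC SC unique ID of each violation.
logs_command() {
  q="'"
  printf 'gcloud logging read %s%s%s --project=%s --limit=20 --format="table(timestamp,protoPayload.serviceName,protoPayload.methodName,protoPayload.metadata.vpcServiceControlsUniqueId)"\n' \
    "$q" "$(violation_filter "$1")" "$q" "$2"
}

perimeter_commands backupdr-perimeter "${POLICY:-POLICY_ID}" "${PROJECT_NUMBER:-123456789012}" \
  "compute.googleapis.com storage.googleapis.com logging.googleapis.com"
logs_command "${APPLIANCE_SA:-appliance-sa@my-project.iam.gserviceaccount.com}" "${PROJECT_ID:-my-project}"
```

The unique ID in each logged violation is what you paste into the VPC Service Controls troubleshooter; the serviceName and methodName columns tell you which ingress or egress rule (and which service) the appliance service account still needs before you switch the perimeter from dry run to enforced.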
Configure connectivity to Google APIs and services
In a VPC Service Controls configuration, to control network traffic, configure access to Google APIs and services through the restricted.googleapis.com domain. This domain blocks access to Google APIs and services that don't support VPC Service Controls. For more information, see domain options.
If you don't configure DNS rules for Google APIs and services, they are resolved using the domain option for default domains.
Backup and DR Service uses the following domains:
- *.backupdr.cloud.google.com is used to access the management console.
- *.googleapis.com is used to access other Google services.
Configure connectivity to the following restricted.googleapis.com endpoints in the DNS record section. For each domain, the wildcard name gets a CNAME record pointing at the zone apex, and the apex gets the A record with the restricted.googleapis.com addresses (199.36.153.4 through 199.36.153.7). The A record belongs on the canonical name, not on the wildcard: DNS does not allow a CNAME and an A record on the same name.
Domain | DNS name (A record owner) | CNAME record | A record |
---|---|---|---|
*.googleapis.com | googleapis.com. | DNS name: *.googleapis.com. Resource record type: CNAME. Canonical name: googleapis.com. | DNS name: googleapis.com. Resource record type: A. IPv4 addresses: 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7 |
*.backupdr.cloud.google.com | backupdr.cloud.google.com. | DNS name: *.backupdr.cloud.google.com. Resource record type: CNAME. Canonical name: backupdr.cloud.google.com. | DNS name: backupdr.cloud.google.com. Resource record type: A. IPv4 addresses: 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7 |
*.backupdr.googleusercontent.com | backupdr.googleusercontent.com. | DNS name: *.backupdr.googleusercontent.com. Resource record type: CNAME. Canonical name: backupdr.googleusercontent.com. | DNS name: backupdr.googleusercontent.com. Resource record type: A. IPv4 addresses: 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7 |
Create a DNS record
Use the following instructions to create a DNS record:
- In the Google Cloud console, go to the Create a DNS zone page.
- For the Zone type, select Private.
- In the Zone name field, enter a name. For example, backup-dr-new-zone.
- In the DNS name field, enter the domain that the zone covers, for example, backupdr.cloud.google.com. A private zone for this name overrides public resolution of backupdr.cloud.google.com for the VPC networks attached to the zone.
- Optional: Add a description.
- Under Options, select Default (private).
- Click Create.
- In the Zone details page, click Add Standard.
- In the Create record set page, use the following steps to add a CNAME record set:
  - In the DNS Name field, enter *.backupdr.cloud.google.com.
  - For the Resource record type, select CNAME.
  - In the Canonical name field, enter backupdr.cloud.google.com.
  - Click Create.
- In the Zone details page, click Add Standard again and use the following steps to add the A record set with the restricted.googleapis.com IP addresses:
  - In the DNS Name field, use the zone apex, backupdr.cloud.google.com (the canonical name of the CNAME record you just created), not the wildcard name. DNS does not allow an A record on the same name as a CNAME, so the wildcard name cannot carry the addresses itself.
  - Select A as the Resource record type.
  - In the IPv4 addresses field, enter 199.36.153.4, 199.36.153.5, 199.36.153.6, 199.36.153.7.
  - Click Create.
For more information, see Set up private connectivity to Google APIs and services.
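The zone and record sets from the procedure above, for all three domains the page lists, as an added example that is not from this page and not Google's tooling: a POSIX shell script that writes each zone's records as a BIND-style zone file, checks that no name carries both a CNAME and another record (the mistake that makes the wildcard record unusable) and that every A record is one of the restricted.googleapis.com addresses, and prints the gcloud dns commands that create the private zone and import the records. The zone name and VPC network name are placeholders.

```shell
# Added example (not from this page or from Google): generate, check and
# (optionally) apply the private DNS records that steer Backup and DR Service
# domains to restricted.googleapis.com. Zone and network names are placeholders.
set -eu

# The restricted.googleapis.com VIP range from the page (199.36.153.4/30).
RESTRICTED_VIPS="199.36.153.4 199.36.153.5 199.36.153.6 199.36.153.7"

# write_zone_file OUT APEX: wildcard CNAME -> apex, apex A -> restricted VIPs.
# The A records sit on the apex because a CNAME may not share a name with them.
write_zone_file() {
  out="$1"; apex="$2"
  {
    printf '*.%s. 300 IN CNAME %s.\n' "$apex" "$apex"
    for ip in $RESTRICTED_VIPS; do
      printf '%s. 300 IN A %s\n' "$apex" "$ip"
    done
  } > "$out"
}

# check_zone_file FILE: fail if any owner name has a CNAME plus any other
# record type, or if an A record points outside the restricted VIP range.
check_zone_file() {
  awk -v vips=" $RESTRICTED_VIPS " '
    NF == 0 || $1 ~ /^;/ { next }
    { name = $1; type = $4; rdata = $5 }
    type == "CNAME" { cname[name] = 1 }
    type != "CNAME" { other[name] = 1 }
    type == "A" && index(vips, " " rdata " ") == 0 {
      print "A record outside restricted VIP range: " rdata; bad = 1
    }
    END {
      for (n in cname) if (n in other) {
        print "CNAME and other records on the same name: " n; bad = 1
      }
      exit bad
    }' "$1"
}

# dns_commands ZONE APEX NETWORK FILE: print the gcloud commands that create the
# private zone bound to NETWORK and import FILE (run them with APPLY=1).
dns_commands() {
  zone="$1"; apex="$2"; network="$3"; file="$4"
  c1="gcloud dns managed-zones create $zone --dns-name=$apex. --visibility=private --networks=$network --description='restricted.googleapis.com override for Backup and DR'"
  c2="gcloud dns record-sets import $file --zone=$zone --zone-file-format"
  echo "$c1"; echo "$c2"
  if [ "${APPLY:-0}" = "1" ]; then eval "$c1"; eval "$c2"; fi
}

NETWORK="${NETWORK:-my-vpc}"
write_zone_file backupdr-zone.txt backupdr.cloud.google.com
check_zone_file backupdr-zone.txt
dns_commands backup-dr-new-zone backupdr.cloud.google.com "$NETWORK" backupdr-zone.txt

# The other two domains from the table follow the same pattern.
write_zone_file googleapis-zone.txt googleapis.com
check_zone_file googleapis-zone.txt
dns_commands googleapis-zone googleapis.com "$NETWORK" googleapis-zone.txt
write_zone_file backupdr-guc-zone.txt backupdr.googleusercontent.com
check_zone_file backupdr-guc-zone.txt
dns_commands backupdr-guc-zone backupdr.googleusercontent.com "$NETWORK" backupdr-guc-zone.txt
```

Run check_zone_file against any hand-edited record set before importing it: putting the A records on *.backupdr.cloud.google.com next to the CNAME is rejected by the check (and by Cloud DNS), and an A record outside 199.36.153.4/30 would silently route console traffic around the perimeter.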
Troubleshoot
VPC Service Controls for Backup and DR Service is supported by version 11.0.5 and later. You can check the version from the management console's Help > About.
If you encounter any issues while configuring VPC Service Controls for Backup and DR Service, then refer to VPC Service Controls troubleshooting section.
Limitations
If you have removed the internet default route from the service producer project using the gcloud command gcloud services vpc-peerings enable-vpc-service-controls, then you may not be able to access or create the management console. Contact Google Cloud Customer Care if you run into this issue.
Before you mount a Compute Engine backup image, add the service and host projects to the same perimeter. Otherwise, you may not see the available networks.