You are troubleshooting access denied errors between Compute Engine instances connected to a Shared VPC and BigQuery datasets. The datasets reside in a project protected by a VPC Service Controls perimeter. What should you do?
A.
Add the host project containing the Shared VPC to the service perimeter.
B.
Add the service project where the Compute Engine instances reside to the service perimeter.
C.
Create a service perimeter between the service project where the Compute Engine instances reside and the host project that contains the Shared VPC.
D.
Create a perimeter bridge between the service project where the Compute Engine instances reside and the perimeter that contains the protected BigQuery datasets.
(A)
For VMs inside shared VPC, the host project needs to be added to the perimeter as well. I had real-life experience with this. However, this creates new security issues as all other VMs in other projects which are attached to shared subnets in the same host project then are also able to access the perimeter. Google recommends setting up Private Service Connect Endpoints to achieve subnet segregation for VPC-SC usage with Host projects.
Why D. Create a perimeter bridge is Correct:
Problem Analysis:
The BigQuery datasets reside within a service perimeter.
The Compute Engine instances are in a service project connected to a Shared VPC, and they are outside the BigQuery perimeter.
Access is being denied because the Compute Engine instances are not within the same service perimeter as the BigQuery datasets.
Solution:
A perimeter bridge allows resources in the service project (where Compute Engine instances reside) to securely communicate with resources in the service perimeter (where the BigQuery datasets reside).
This ensures compliance with VPC Service Controls while allowing the required access.
VPC Service Controls are designed to protect Google Cloud resources (such as BigQuery) from unauthorized access by restricting access to those resources based on service perimeters.
• In this scenario, the Compute Engine instances are trying to access BigQuery datasets, which are within a VPC Service Controls perimeter.
• Compute Engine instances are in a service project, and to allow them to access resources (BigQuery) within the service perimeter, that service project must be added to the service perimeter.
Answer A:
Select the projects that you want to secure within the perimeter.
Click Projects.
In the Add Projects window, select the projects you want to add.
If you are using Shared VPC, make sure to add the host project and service projects.
https://cloud.google.com/run/docs/securing/using-vpc-service-controls
B. Add the service project where the Compute Engine instances reside to the service perimeter.
Explanation:
The VPC Service Controls perimeter restricts data access to a set of resources within a VPC network. To allow Compute Engine instances in the service project to access BigQuery datasets in the protected project, the service project needs to be added to the service perimeter.
It's A and here's why. The questions establishes there's already VPC Service Control Perimeter and a shared VPC. Since the dataset resides in a project protected by a VPC SC perimeter, you wouldn't create a NEW service perimeter. Further, since we know per the question there's a SHARED VPC established & you're TROUBLESHOOTING, per the doc below, it makes sense that they're both not in the same VPC SC perimeter and why access is failing.
https://cloud.google.com/vpc-service-controls/docs/troubleshooting#shared_vpc
The questions isn't clear where the compute engine instance or dataset live in respect to the VPC SC perimeter. But it's clear, they are both NOT in the same VPC SC perimeter and the question states the BQ dataset is already protected. So B, C and D are wrong and only A ensure BOTH are in the same VPC SC perimeter regardless of which ones live in the host or service project.
As the scenario is for troubleshooting, I'll choose A as answer since it's more likely people would forget to include host project to the service perimeter
A is the answer.
https://cloud.google.com/vpc-service-controls/docs/service-perimeters#secure-google-managed-resources
If you're using Shared VPC, you must include the host project in a service perimeter along with any projects that belong to the Shared VPC.
"If you're using Shared VPC, you must include the host project in a service perimeter along with any projects that belong to the Shared VPC" => https://cloud.google.com/vpc-service-controls/docs/service-perimeters
"If you're using Shared VPC, you must include the host project in a service perimeter along with any projects that belong to the Shared VPC."
https://cloud.google.com/vpc-service-controls/docs/service-perimeters
B
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
risc
Highly Voted 2 years, 6 months agoBPzen
Most Recent 5 months agoSQLbox
7 months, 2 weeks agowinston9
1 year, 2 months agob6f53d8
1 year, 3 months agodesertlotus1211
1 year, 8 months agobruh_1
2 years agogcpengineer
1 year, 11 months agoRic350
2 years, 1 month agoLittleivy
2 years, 5 months agoAzureDP900
2 years, 5 months agosoltium
2 years, 6 months agoAwesomeGCP
2 years, 6 months agozellck
2 years, 7 months agoGHOST1985
2 years, 7 months agoChute5118
2 years, 9 months agoGHOST1985
2 years, 7 months agoAiffone
2 years, 9 months agomikesp
2 years, 11 months ago