Enhance security with VPC Service Controls

  • Ads Data Hub can be integrated with VPC Service Controls to enhance data security by defining a service perimeter, though this feature is currently in preview.

  • Before enabling VPC Service Controls, ensure an admin project is designated, the service account is updated, and Ads Data Hub support is contacted for account configuration.

  • To enable, select an existing service perimeter, add relevant projects (including the admin project and data input/output projects), and add Ads Data Hub and BigQuery as restricted services within the perimeter.

  • Certain Ads Data Hub features will bypass VPC Service Controls policies to maintain functionality, and dependent services like BigQuery must be included in the same perimeter for proper operation.

  • For customers with dual-tier Ads Data Hub account structures, all admin projects must be in the same perimeter, and ideally in the same Google Cloud organization, to keep management simple.

VPC Service Controls enhance the security of your data by allowing you to define a service perimeter around Google Cloud resources. This service perimeter constrains the movement of data across the perimeter boundary, which mitigates data exfiltration risks.

Learn more about VPC Service Controls

Prerequisites

This article assumes that you previously:

  • Designated an admin project in your Ads Data Hub account.
  • Updated your service account to an email address containing gcp-sa-adsdatahub.iam.gserviceaccount.com. If you haven't done this, or are unsure whether you need to, contact Ads Data Hub support.
  • Contacted Ads Data Hub support to configure your account for VPC Service Controls.

Enable VPC Service Controls

If you haven't previously set up VPC Service Controls, refer to the VPC Service Controls quickstart. The quickstart will guide you through the initial setup of VPC Service Controls. Once you have completed the quickstart, follow the instructions below.

Ads Data Hub-specific setup

  1. Navigate to the VPC Service Controls console and select an existing service perimeter.
  2. Add the projects that you want to secure within the perimeter. You must include the admin project and any projects you use for input or output data in Ads Data Hub.
  3. Add Ads Data Hub and BigQuery as restricted services within the perimeter.
    • VPC Service Controls best practice is to restrict all services in the perimeter, not only these two.
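The three console steps above can also be scripted with gcloud, which makes the perimeter change reviewable and repeatable. The script below is an added example, not code from the Ads Data Hub documentation. The policy ID, perimeter name and project numbers are placeholders you replace; `adsdatahub.googleapis.com` is assumed to be the Ads Data Hub API service name (confirm it against the VPC Service Controls supported-products list before applying); and the `describe` output used by the offline check is a constructed sample, not captured from a real project. The script also encodes two details that commonly break a first attempt: perimeter resources must be project numbers, not project IDs, and the result should be verified with `perimeters describe` rather than assumed.

```shell
#!/bin/sh
# Added example (not from the Ads Data Hub docs): script the console steps with gcloud.
# Placeholders/assumptions: policy ID, perimeter name and project numbers are yours to fill in;
# "adsdatahub.googleapis.com" is assumed to be the Ads Data Hub API service name.
set -eu

ADH_SERVICE="adsdatahub.googleapis.com"
BQ_SERVICE="bigquery.googleapis.com"

# Perimeter resources are project NUMBERS ("projects/123456789012"). A project ID is
# rejected by the API, so fail early on anything that is not purely numeric.
project_resource() {
  case "$1" in
    ""|*[!0-9]*) echo "project number must be numeric, got '$1'" >&2; return 1 ;;
  esac
  printf 'projects/%s' "$1"
}

# Resolve a project ID to its number (needs gcloud auth; not used by the offline checks).
project_number() {
  gcloud projects describe "$1" --format='value(projectNumber)'
}

# Build the update command. $1 = access policy ID, $2 = perimeter name, then the project
# numbers to add. The admin project and every input/output project must be in that list.
build_update_cmd() {
  policy="$1"; perimeter="$2"; shift 2
  resources=""
  for n in "$@"; do
    r=$(project_resource "$n") || return 1
    resources="${resources:+$resources,}$r"
  done
  printf 'gcloud access-context-manager perimeters update %s --policy=%s --add-resources=%s --add-restricted-services=%s,%s' \
    "$perimeter" "$policy" "$resources" "$ADH_SERVICE" "$BQ_SERVICE"
}

# Check `perimeters describe` output (YAML): both services must be listed as restricted and
# the given project number must be a perimeter resource. $1 = describe output, $2 = project number.
verify_perimeter() {
  desc="$1"; proj="$2"; ok=0
  for want in "$ADH_SERVICE" "$BQ_SERVICE" "projects/$proj"; do
    if ! printf '%s\n' "$desc" | grep -Eq "^[[:space:]]*-[[:space:]]*$want[[:space:]]*$"; then
      echo "perimeter is missing: $want" >&2; ok=1
    fi
  done
  return $ok
}

# Constructed sample of `perimeters describe` output (not from a real project), so the
# verify step can be exercised offline.
SAMPLE_DESCRIBE='name: accessPolicies/1234567890/servicePerimeters/adh_perimeter
status:
  resources:
  - projects/111111111111
  - projects/222222222222
  restrictedServices:
  - adsdatahub.googleapis.com
  - bigquery.googleapis.com
title: adh_perimeter'

# Nothing is applied unless ADH_APPLY=1, so the file is safe to source for the checks.
# Expected environment when applying: POLICY_ID, PERIMETER, ADMIN_PROJECT_NUMBER,
# INPUT_PROJECT_NUMBER, OUTPUT_PROJECT_NUMBER.
if [ "${ADH_APPLY:-0}" = "1" ]; then
  cmd=$(build_update_cmd "$POLICY_ID" "$PERIMETER" \
        "$ADMIN_PROJECT_NUMBER" "$INPUT_PROJECT_NUMBER" "$OUTPUT_PROJECT_NUMBER")
  echo "+ $cmd"
  eval "$cmd"
  verify_perimeter "$(gcloud access-context-manager perimeters describe "$PERIMETER" --policy="$POLICY_ID")" \
                   "$ADMIN_PROJECT_NUMBER"
fi
```

Run it once with `ADH_APPLY` unset to confirm the generated command reads the way you expect, then with `ADH_APPLY=1` and the five variables exported. The verify step reads the perimeter's `status` block, which reflects what is actually enforced; if you manage the perimeter in dry-run mode the services will appear under `spec` instead and will not be enforced until the configuration is committed.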

Limitations

Certain Ads Data Hub features (custom audience activation, user-provided data matching, and LiveRamp match tables) require user data to be exported outside of the VPC Service Controls perimeter. If Ads Data Hub is added as a restricted service, these features bypass the perimeter's policies so that they keep working. Keep this in mind if you rely on the perimeter as an exfiltration control: data leaving through these features is not constrained by it, so decide whether that movement is acceptable before using them.

All services that Ads Data Hub depends on must be included as restricted services in the same VPC Service Controls perimeter. For example, because Ads Data Hub relies on BigQuery, BigQuery must be added alongside it; a perimeter that restricts only one of the two will break queries. In general, VPC Service Controls best practice is to restrict all services in the perimeter rather than an individual list.

Customers with dual-tier Ads Data Hub account structures, such as agencies with subsidiaries, should have all of their admin projects in the same perimeter. For simplicity, Ads Data Hub recommends that customers with dual-tier account structures restrict their admin projects to the same Google Cloud organization.