Enhance security with VPC Service Controls

Google Cloud Search supports VPC Service Controls to enhance the security of your data. VPC Service Controls allows you to define a service perimeter around Google Cloud Platform resources to constrain data and help mitigate data exfiltration risks.

Prerequisites

Before you begin, install the gcloud command-line interface.

Enable VPC Service Controls

To enable VPC Service Controls:

  1. Obtain the project IDs and project numbers for the Google Cloud Platform project you want to use. To obtain the project IDs and numbers, refer to Identifying projects.

  2. Use gcloud to create an access policy for your Google Cloud Platform organization:

    1. Get your organization ID.
    2. Create an access policy.
    3. Get the name of your access policy.
  3. Create a service perimeter with Cloud Search as a restricted service by running the following gcloud command:

    gcloud access-context-manager perimeters create NAME \
        --title=TITLE \
        --resources=PROJECTS \
        --restricted-services=RESTRICTED-SERVICES \
        --policy=POLICY_NAME
    

    Where:

    • NAME is the name of the perimeter.
    • TITLE is the human-readable title of the perimeter.
    • PROJECTS is a comma-separated list of one or more project numbers, each preceded by the string projects/. Use the project numbers obtained in step 1. For example, if you had two projects, project 12345 and 67890, your setting would be --resource=projects/12345, project/67890 .This flag only supports project numbers; it doesn’t support names or IDs.
    • RESTRICTED-SERVICES is a comma-separated list of one or more services. Use cloudsearch.googleapis.com.
    • POLICY_NAME is the numeric name of your organization's access policy obtained in step 2c.

    For further information on how to create a service perimeter, refer to Creating a service perimeter.

  4. (optional) If you want to apply IP or region-based restrictions, create access levels and add them to the service perimeter created in step 3:

    1. To create an access level, refer to Creating an basic access level. For an example on how to create an access level condition that only allows access from a specific range of IP addresses, such as those within a corporate network, refer to Limit access on a corporate network.
    2. After you have created an access level, add it to the service perimeter. For instructions on adding an access level to a service parameter, refer to Adding an access level to an existing parameter. This change can take up to 30 minutes for this change to propagate and take effect.
  5. Use the Cloud Search Customer Service REST API to update the customer settings with your VPC Service Controls perimeter-protected project:

  1. Obtain an OAuth 2.0 access token from the Google Authorization Server. For information on obtaining the token, refer to step 2 of Using OAuth 2.0 to Access Google APIs. When obtaining the access token, use one of the following OAuth scopes: https://www.googleapis.com/auth/cloud_search.settings.indexing, https://www.googleapis.com/auth/cloud_search.settings, or https://www.googleapis.com/auth/cloud_search

  2. Run the following curl command to set the project in VPC Service Controls settings under Customer settings in Google Cloud Search:

    curl --request PATCH \
      'https://cloudsearch.googleapis.com/v1/settings/customer' \
      --header 'Authorization: Bearer [YOUR_ACCESS_TOKEN]' \
      --header 'Accept: application/json' \
      --header 'Content-Type: application/json' \
      --data '{ "vpc_settings": { "project": "projects/PROJECT_ID" } }' \
      --compressed
    

    Where:

  • YOUR_ACCESS_TOKEN is OAuth 2.0 access token obtained in step 5a.
  • PROJECT_ID is the project ID obtained in step 1.

    If successful, you should receive a 200 OK response accompanied by the updated customer settings.

After the above steps are completed successfully, the VPC Service Controls restrictions, as defined in the service perimeter, are applied to all Google Cloud Search APIs, searches at cloudsearch.google.com, and viewing and changing configuration or reports using the Admin console. Further requests to the Cloud Search REST API that don’t follow access levels receive a PERMISSION_DENIED “Request is prohibited by organization’s policy” error.