This page shows you how to protect your Google Cloud NetApp Volumes volumes with a service perimeter using VPC Service Controls.
VPC Service Controls improve the security of Google Cloud services by creating a service perimeter that prevents unauthorized data access. This perimeter protects against accidental or intentional data exfiltration attempts from external or internal entities. To grant access, you need to add entities to your perimeter. For more information about VPC Service Controls, see VPC Service Controls overview.
VPC Service Controls protect access to the NetApp Volumes API, which is used for administrative management of NetApp Volumes resources. You can't access a volume's content with this API.
Data access to the content of a volume is granted using the NFS, SMB, or iSCSI protocol. Data access is protected through volume and file access controls specific to these protocols, which are independent of VPC Service Controls. To connect to a volume, an NFS, SMB, or iSCSI client needs to be connected to the same network as the volume. For more information, see the following sections:
Secure your volumes using VPC Service Controls
Add the NetApp Volumes API to your service perimeter. For instructions about adding a service to your service perimeter, see Update a service perimeter.
VPC Service Controls limitations
Some features of NetApp Volumes require access to Google resources within your perimeter. The following features are known to cause issues when you enable VPC Service Controls.
Customer-managed encryption keys (CMEK): NetApp Volumes needs access to the KMS key you specified for CMEK. For more information, see Verify key access.
Volume replication across projects (allow-listed General Availability (GA) feature): for Flex Unified, Standard, Premium, and Extreme service levels, replication between projects in different perimeters requires VPC Service Controls egress and ingress rules in both projects to allow NetApp API flows. For more information, see Considerations for volume replication.
For more information about products and services that are supported by VPC Service Controls, see Supported products and limitations.
VPC Service Controls rules for cross-project volume replication
To enable cross-project volume replication, you must add both an egress and an ingress rule to the VPC Service Controls perimeter for both the source and destination projects.
Egress rule
Add the following egress rule to the source and destination projects of the cross-project volume replication.
Before you apply the rule, you must replace SOURCE_PROJECT and DESTINATION_PROJECT with your project IDs. For the identities field, add the Google IDs of the NetApp Volumes administrators who manage the replication.
{
  "egressFrom": {
    "identities": [
      "your_google_id@your_domain.com"
    ],
    "sources": [
      {
        "resource": "projects/SOURCE_PROJECT"
      },
      {
        "resource": "projects/DESTINATION_PROJECT"
      }
    ]
  },
  "egressTo": {
    "operations": [
      {
        "methodSelectors": [
          {
            "method": "*"
          }
        ],
        "serviceName": "netapp.googleapis.com"
      }
    ],
    "resources": [
      "projects/SOURCE_PROJECT",
      "projects/DESTINATION_PROJECT"
    ]
  },
  "title": "NetApp Volumes cross-project volume replication"
}
Ingress rule
Add the following ingress rule to the source and destination projects of the cross-project volume replication.
Before you apply the rule, you must replace SOURCE_PROJECT and DESTINATION_PROJECT with your project IDs. For the identities field, add the Google IDs of the NetApp Volumes administrators who manage the replication.
{
  "ingressFrom": {
    "identities": [
      "your_google_id@your_domain.com"
    ],
    "sources": [
      {
        "resource": "projects/SOURCE_PROJECT"
      },
      {
        "resource": "projects/DESTINATION_PROJECT"
      }
    ]
  },
  "ingressTo": {
    "operations": [
      {
        "methodSelectors": [
          {
            "method": "*"
          }
        ],
        "serviceName": "netapp.googleapis.com"
      }
    ],
    "resources": [
      "projects/SOURCE_PROJECT",
      "projects/DESTINATION_PROJECT"
    ]
  },
  "title": "NetApp Volumes cross-project volume replication"
}
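The egress and ingress rules above are templates, and the usual mistakes when applying them are leaving SOURCE_PROJECT or DESTINATION_PROJECT unreplaced, forgetting the administrator identities, or widening serviceName beyond netapp.googleapis.com. The following Python script is an added example, not part of this page or of the NetApp Volumes product: it renders both rules for concrete project IDs and runs a pre-apply check over a rule that follows the shape shown above. The project IDs and identities in it are constructed sample values; the check that identities carry a user: or serviceAccount: prefix reflects the identity format Access Context Manager expects for ingress and egress policies.

```python
import json
import re

NETAPP_SERVICE = "netapp.googleapis.com"
PLACEHOLDERS = ("SOURCE_PROJECT", "DESTINATION_PROJECT")
RULE_TITLE = "NetApp Volumes cross-project volume replication"


def build_rule(direction, source_project, destination_project, identities):
    """Render the page's egress or ingress rule for concrete project IDs.

    direction is "egress" or "ingress"; the two rules on the page differ only
    in the egressFrom/egressTo versus ingressFrom/ingressTo key names.
    """
    if direction not in ("egress", "ingress"):
        raise ValueError("direction must be 'egress' or 'ingress'")
    resources = [f"projects/{source_project}", f"projects/{destination_project}"]
    return {
        f"{direction}From": {
            "identities": list(identities),
            "sources": [{"resource": r} for r in resources],
        },
        f"{direction}To": {
            "operations": [
                {"methodSelectors": [{"method": "*"}], "serviceName": NETAPP_SERVICE}
            ],
            "resources": resources,
        },
        "title": RULE_TITLE,
    }


def check_rule(rule):
    """Return a list of problems found in a rule; an empty list means it looks ready to apply."""
    problems = []
    text = json.dumps(rule)
    # 1. Placeholders from the template must be gone before the rule is applied.
    for placeholder in PLACEHOLDERS:
        if placeholder in text:
            problems.append(f"placeholder {placeholder} was not replaced")
    # 2. The rule must be one of the two kinds the page describes.
    if "egressFrom" in rule:
        direction = "egress"
    elif "ingressFrom" in rule:
        direction = "ingress"
    else:
        problems.append("rule has neither egressFrom nor ingressFrom")
        return problems
    frm, to = rule[f"{direction}From"], rule.get(f"{direction}To", {})
    # 3. An empty identities list matches no principal, so replication would still be blocked.
    identities = frm.get("identities", [])
    if not identities:
        problems.append("identities is empty: the rule would match no principal")
    for ident in identities:
        if not re.fullmatch(r"(user|serviceAccount):[^@\s]+@[^@\s]+", ident):
            problems.append(
                f"identity {ident!r} is not in user:EMAIL or serviceAccount:EMAIL form"
            )
    # 4. Keep the rule scoped to the NetApp Volumes API only; "*" methods on a
    #    broader service would open more of the perimeter than replication needs.
    services = {op.get("serviceName") for op in to.get("operations", [])}
    if services != {NETAPP_SERVICE}:
        problems.append(f"operations must target only {NETAPP_SERVICE}, got {sorted(services)}")
    # 5. Both the source and destination project must appear as resources.
    resources = set(to.get("resources", []))
    if len(resources) != 2:
        problems.append("resources must list exactly the source and destination projects")
    return problems


def render_rules(source_project, destination_project, identities):
    """Build and check both rules; returns (egress_rule, ingress_rule) or raises on problems."""
    rules = [
        build_rule(d, source_project, destination_project, identities)
        for d in ("egress", "ingress")
    ]
    for rule in rules:
        problems = check_rule(rule)
        if problems:
            raise ValueError(f"{rule.get('title')}: " + "; ".join(problems))
    return tuple(rules)


if __name__ == "__main__":
    # Constructed sample values, not real projects or identities.
    egress, ingress = render_rules(
        "netapp-src-project", "netapp-dst-project", ["user:netapp-admin@example.com"]
    )
    print(json.dumps([egress], indent=2))
    print(json.dumps([ingress], indent=2))
```

The script prints each rule wrapped in a list so the output can be saved to a file and passed as a policy file to a perimeter update (for example, gcloud access-context-manager perimeters update with --set-egress-policies and --set-ingress-policies; JSON is accepted where those flags take YAML). Run check_rule on a rule that was edited by hand before applying it; it is the unreplaced placeholder and the missing identity prefix that most often leave the replication blocked after the perimeter update appears to succeed.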
What's next
Configure access to Google Cloud NetApp Volumes.