I am exploring network security on GCP. Can anybody please explain how to create a GCS bucket under a VPC, or how to configure a VPC for a GCS bucket?

Soni Sol
Vikash Pareek
  • I think you are looking for `VPC Service Controls`. https://cloud.google.com/vpc-service-controls `Users can define a security perimeter around Google Cloud resources such as Cloud Storage buckets` More technical details start here: https://cloud.google.com/vpc-service-controls/docs/overview – John Hanley Jan 06 '21 at 21:48

1 Answer

GCS buckets are not something you can assign to a specific GCP VPC; they are either available via the API (storage.googleapis.com) or by using the GCP web UI.

If you need to access them from a GCP VM you would need to use the right permissions (service account or gcloud auth) along with the gsutil utility.

Security for GCS is mostly just account (service account or GCP account) permissions and / or group permissions to your bucket / bucket files, for example, if you allow read permissions to "AllUsers" group, then everyone will have the ability to read and / or download that file at your expense as long as they have the specific GCS link.

Also, there's GCP Cloud Filestore if NFS over your VPC fits your needs.

Frank
  • IAM is used for authentication and authorisation, that is fine. But I am hoping GCS bucket should also have something with network security to control the network traffic, just like MS Azure on storage account. – Vikash Pareek Nov 17 '20 at 17:42
  • This answer is the right one, Google says "Don't trust the network", because it's not safe, especially in the cloud and mutualized environment. However, I can extend the answer by talking about [private access](https://cloud.google.com/vpc/docs/private-access-options#private-vips): instead of calling storage.googleapis.com, you can call storage.private.googleapis.com to be sure that the request stays in the Google network (even if the first one will also stay inside, to be sure you can do this) – guillaume blaquiere Nov 17 '20 at 21:11
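Since the answer points out that bucket security on GCS is mostly IAM, and that an `allUsers` read binding exposes every object to anyone with the link, the practical check is to audit the bucket's IAM policy for public principals. The following is an added example (not part of the question, answer or comments above, and not Google's own tooling): it takes a policy dict in the shape `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` returns, reports every binding that includes `allUsers` or `allAuthenticatedUsers`, and produces a cleaned policy with those principals stripped. The `SAMPLE_POLICY`, the service account address and the etag are constructed for the example; the role and principal names are real Cloud Storage IAM identifiers.

```python
"""Audit a Cloud Storage bucket IAM policy for public principals.

SAMPLE_POLICY is constructed for this example. It mirrors the shape
returned by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`:
a "bindings" list of {"role", "members"[, "condition"]} plus an "etag".
"""
import json

# Principals that make a binding public (real IAM identifiers).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Roles that let the holder read or download objects (real role names).
OBJECT_READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyBucketReader",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
}

# Constructed sample: one public read binding, one private admin binding,
# and one conditional public write binding (the kind of thing a quick eyeball
# of the console page tends to miss).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {
            "role": "roles/storage.admin",
            "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"],
        },
        {
            "role": "roles/storage.objectCreator",
            "members": ["allAuthenticatedUsers"],
            "condition": {
                "title": "expiry",
                "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")',
            },
        },
    ],
    "etag": "BwXexample=",
}


def public_bindings(policy):
    """Return one finding per binding that grants a role to a public principal."""
    findings = []
    for binding in policy.get("bindings", []):
        exposed = sorted(PUBLIC_PRINCIPALS.intersection(binding.get("members", [])))
        if not exposed:
            continue
        findings.append({
            "role": binding["role"],
            "principals": exposed,
            # True when the role lets anyone download objects.
            "grants_object_read": binding["role"] in OBJECT_READ_ROLES,
            # A condition narrows the grant but does not make it private.
            "conditional": "condition" in binding,
        })
    return findings


def remove_public_members(policy):
    """Return a copy of the policy with public principals removed.

    Bindings left with no members are dropped, which is the shape
    `gcloud storage buckets set-iam-policy` accepts. The etag is kept so a
    write-back fails if the policy changed underneath you.
    """
    cleaned = {"bindings": [], "etag": policy.get("etag")}
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if members:
            new_binding = dict(binding)
            new_binding["members"] = members
            cleaned["bindings"].append(new_binding)
    return cleaned


if __name__ == "__main__":
    for finding in public_bindings(SAMPLE_POLICY):
        print("PUBLIC:", json.dumps(finding))
    print(json.dumps(remove_public_members(SAMPLE_POLICY), indent=2))
```

Run it against a real policy by replacing `SAMPLE_POLICY` with `json.load()` of the gcloud output; the cleaned policy is what you would feed back to `set-iam-policy`. Note the conditional binding is still reported as public: an expiry or path condition limits the grant but does not change who holds it.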