Planning for VPC Service Controls in Google Cloud
When choosing to lock down your Google Cloud environment with VPC Service Controls, you should understand how BlueXP and Cloud Volumes ONTAP interact with the Google Cloud APIs, as well as how to configure your service perimeter to deploy BlueXP and Cloud Volumes ONTAP.
VPC Service Controls enable you to control access to Google-managed services outside of a trusted perimeter, to block data access from untrusted locations, and to mitigate unauthorized data transfer risks. Learn more about Google Cloud VPC Service Controls.
How NetApp services communicate with VPC Service Controls
BlueXP communicates directly with the Google Cloud APIs. This is either triggered from an external IP address outside of Google Cloud (for example, from api.services.cloud.netapp.com), or within Google Cloud from an internal address assigned to the BlueXP Connector.
Depending on the deployment style of the Connector, certain exceptions may have to be made for your service perimeter.
Images
Both Cloud Volumes ONTAP and BlueXP use images from a project within GCP that is managed by NetApp. This can affect the deployment of the BlueXP Connector and Cloud Volumes ONTAP, if your organization has a policy that blocks the use of images that are not hosted within the organization.
You can deploy a Connector manually using the manual installation method, but Cloud Volumes ONTAP will also need to pull images from the NetApp project. You must provide an allowed list in order to deploy a Connector and Cloud Volumes ONTAP.
Deploying a Connector
The user who deploys a Connector needs to be able to reference an image hosted in the projectId netapp-cloudmanager and the project number 14190056516.
Deploying Cloud Volumes ONTAP
-
The BlueXP service account needs to reference an image hosted in the projectId netapp-cloudmanager and the project number 14190056516 from the service project.
-
The service account for the default Google APIs Service Agent needs to reference an image hosted in the projectId netapp-cloudmanager and the project number 14190056516 from the service project.
Examples of the rules needed for pulling these images with VPC Service Controls are defined below.
VPC Service Controls perimeter policies
Policies allow exceptions to the VPC Service Controls rule sets. For more information about policies, please visit the GCP VPC Service Controls Policy Documentation.
To set the policies that BlueXP requires, navigate to your VPC Service Controls Perimeter within your organization and add the following policies. The fields should match the options given in the VPC Service Controls policy page. Also note that all rules are required and the OR parameters should be used in the rule set.
Ingress rules
From: Identities: [User Email Address] Source > All sources allowed To: Projects = [Service Project] Services = Service name: iam.googleapis.com Service methods: All actions Service name: compute.googleapis.com Service methods:All actions
OR
From: Identities: [User Email Address] Source > All sources allowed To: Projects = [Host Project] Services = Service name: compute.googleapis.com Service methods: All actions
OR
From: Identities: [Service Project Number]@cloudservices.gserviceaccount.com Source > All sources allowed To: Projects = [Service Project] [Host Project] Services = Service name: compute.googleapis.com Service methods: All actions
Egress rules
From: Identities: [Service Project Number]@cloudservices.gserviceaccount.com To: Projects = 14190056516 Service = Service name: compute.googleapis.com Service methods: All actions
The project number outlined above is the project netapp-cloudmanager used by NetApp to store images for the Connector and for Cloud Volumes ONTAP. |