Planning for VPC Service Controls in GCP

Contributors felix-melligan netapp-bcammett Download PDF of this page

When choosing to lock down your Google Cloud environment with VPC Service Controls, you should understand how Cloud Manager and Cloud Volumes ONTAP interact with the Google Cloud APIs, as well as how to configure your service perimeter to deploy Cloud Manager and Cloud Volumes ONTAP.

VPC Service Controls enable you to control access to Google-managed services outside of a trusted perimeter, to block data access from untrusted locations, and to mitigate unauthorized data transfer risks. Learn more about Google Cloud VPC Service Controls.

How NetApp services communicate with VPC Service Controls

NetApp services such as Cloud Central and Cloud Manager communicate directly with the Google Cloud APIs. This is either triggered from an external IP address outside of Google Cloud (for example, from api.services.cloud.netapp.com), or within Google Cloud from an internal address assigned to the Cloud Manager Connector.

Depending on the deployment style of the Connector, certain exceptions may have to be made for your service perimeter.

Images

Both Cloud Volumes ONTAP and Cloud Manager use images from a project within GCP that is managed by NetApp. This can affect the deployment of the Cloud Manager Connector and Cloud Volumes ONTAP, if your organization has a policy that blocks the use of images that are not hosted within the organization.

You can deploy a Connector manually using the manual installation method, but Cloud Volumes ONTAP will also need to pull images from the NetApp project. You must provide an allowed list in order to deploy a Connector and Cloud Volumes ONTAP.

Deploying a Connector

The user who deploys a Connector needs to be able to reference an image hosted in the projectId netapp-cloudmanager and the project number 14190056516.

Deploying Cloud Volumes ONTAP

  • The Cloud Manager service account needs to reference an image hosted in the projectId netapp-cloudmanager and the project number 14190056516 from the service project.

  • The service account for the default Google APIs Service Agent needs to reference an image hosted in the projectId netapp-cloudmanager and the project number 14190056516 from the service project.

Examples of the rules needed for pulling these images with VPC Service Controls are defined below.

VPC Service Controls perimeter policies

Policies allow exceptions to the VPC Service Controls rule sets. For more information about policies, please visit the GCP VPC Service Controls Policy Documentation.

To set the policies that Cloud Manager requires, navigate to your VPC Service Controls Perimeter within your organization and add the following policies. The fields should match the options given in the VPC Service Controls policy page. Also note that all rules are required and the OR parameters should be used in the rule set.

Ingress rules

Rule 1
From:
	Identities:
		[User Email Address]
	Source > All sources allowed
To:
	Projects =
		[Service Project]
	Services =
		Service name: iam.googleapis.com
		  Service methods: All actions
		Service name: compute.googleapis.com
		  Service methods:All actions

OR

Rule 2
From:
	Identities:
		[User Email Address]
	Source > All sources allowed
To:
	Projects =
		[Host Project]
	Services =
		Service name: compute.googleapis.com
		  Service methods: All actions

OR

Rule 3
From:
	Identities:
		[Service Project Number]@cloudservices.gserviceaccount.com
	Source > All sources allowed
To:
	Projects =
		[Service Project]
		[Host Project]
	Services =
		Service name: compute.googleapis.com
		Service methods: All actions

Egress rules

Rule 1:
From:
	Identities:
		[Service Project Number]@cloudservices.gserviceaccount.com
To:
	Projects =
		14190056516
	Service =
		Service name: compute.googleapis.com
		Service methods: All actions
Tip The project number outlined above is the project netapp-cloudmanager used by NetApp to store images for the Connector and for Cloud Volumes ONTAP.