
GCP - VPC vs VPC-SC

TL;DR

  • VPC: network layer (subnets, IP ranges, routes, firewall rules); applies to resources that live in your network, such as GCE VMs and GKE nodes.
  • VPC SC: service layer (service perimeters, access levels, ingress/egress rules); applies to Google-managed APIs such as GCS and BigQuery. Its purpose is data exfiltration prevention: API calls that would move data across the perimeter boundary are denied unless a rule explicitly allows them.

VPC

Virtual Private Cloud (VPC) forms the fundamental networking layer in Google Cloud. It provides a private, isolated cloud network for your resources, such as Compute Engine virtual machines, Google Kubernetes Engine clusters, and other services. Think of a VPC as your own customizable data center network within Google Cloud.

VPC-SC

VPC Service Controls (VPC-SC) extends the idea of a private perimeter from your own network to the multi-tenant Google-managed services that have no place inside a VPC.

It is a security layer that adds a second line of defense against data exfiltration from managed services such as Cloud Storage, BigQuery, and Bigtable. It operates at the service (API) layer, independently of VPC network configuration: you group projects into a service perimeter and list the services to restrict, and the API front ends then reject calls to those services that cross the perimeter boundary. This mitigates the risk of stolen credentials, insider threats, and over-permissive or misconfigured IAM policies, because IAM alone answers only "who may do this", not "from where".

A zero trust security model operates on the principle of "never trust, always verify": no user, device, or application, inside or outside the network, is trusted by default. VPC-SC applies the same logic to Google Cloud services. Each API call is evaluated against the perimeter, its access levels, and its ingress/egress rules, rather than being accepted simply because it carries a valid credential.

Think of VPC-SC as a logical firewall at the API layer: it restricts access to and from a set of protected Google Cloud services regardless of the network a request originates from. Even if an attacker obtains a user's or service account's credentials, they cannot use them from outside the perimeter to read data from a restricted service, nor from inside to copy it to a project outside the perimeter, unless an ingress or egress rule explicitly allows it. The protection covers only the services you list as restricted; calls to unrestricted services are unaffected, so an incomplete service list leaves a gap.

Tenant projects under VPC-SC

Tenant projects (Google-managed projects created on behalf of a customer project for certain managed services) are treated as being inside the same perimeter as the customer-owned project they belong to. Consequently, all tenant projects of that project share one perimeter with it and with each other; they do not need to be, and cannot be, added to the perimeter separately.

Data exfiltration

Data exfiltration risks are the dangers associated with the unauthorized transfer of sensitive data out of a computer or network, potentially leading to data breaches, financial losses, and reputational damage.

Data Exfiltration Prevention: VPC-SC prevents data from leaving the defined perimeter to unauthorized networks or projects, even when IAM policies would otherwise allow the transfer. The converse also holds: VPC-SC does not replace IAM. A caller inside the perimeter still needs the IAM permission for the call, so both checks must pass.
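The following Terraform configuration is an added example, not code from the original page or from Google, showing how the pieces described above (perimeter, restricted services, an access level, and ingress/egress rules for the exfiltration case) fit together with the google provider's Access Context Manager resources. The organization ID, project ID and number, the 203.0.113.0/24 range, the partner project number, and the service account names are all hypothetical placeholders.

```hcl
# Added example: a VPC-SC perimeter in Terraform (google provider).
# All IDs, numbers, CIDRs and service-account names below are hypothetical.

variable "org_id"         { default = "123456789012" }  # hypothetical org
variable "project_id"     { default = "data-prod" }     # hypothetical project ID
variable "project_number" { default = "987654321098" }  # hypothetical project number

# One access policy per organization; perimeters and levels hang off it.
resource "google_access_context_manager_access_policy" "org" {
  parent = "organizations/${var.org_id}"
  title  = "org-policy"
}

locals {
  policy = google_access_context_manager_access_policy.org.name
}

# Access level: requests count as "from a trusted place" only when they
# originate from the corporate egress range (hypothetical CIDR).
resource "google_access_context_manager_access_level" "corp" {
  parent = "accessPolicies/${local.policy}"
  name   = "accessPolicies/${local.policy}/accessLevels/corp_egress"
  title  = "corp_egress"
  basic {
    conditions {
      ip_subnetworks = ["203.0.113.0/24"]
    }
  }
}

resource "google_access_context_manager_service_perimeter" "data" {
  parent         = "accessPolicies/${local.policy}"
  name           = "accessPolicies/${local.policy}/servicePerimeters/sensitive_data"
  title          = "sensitive_data"
  perimeter_type = "PERIMETER_TYPE_REGULAR"

  status {
    # Projects inside the perimeter (referenced by number, not ID).
    resources = ["projects/${var.project_number}"]

    # Only these APIs are enforced; an unlisted service is not protected.
    restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]

    # From VMs inside the perimeter, only the restricted services are
    # reachable through the private Google API endpoints.
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["RESTRICTED-SERVICES"]
    }

    # Ingress: a caller outside the perimeter is admitted only if it uses
    # this identity AND comes from the access level. The same key replayed
    # from an arbitrary network is denied even though IAM would allow it.
    ingress_policies {
      ingress_from {
        identities = ["serviceAccount:etl@${var.project_id}.iam.gserviceaccount.com"]
        sources {
          access_level = google_access_context_manager_access_level.corp.name
        }
      }
      ingress_to {
        resources = ["*"]
        operations {
          service_name = "bigquery.googleapis.com"
          method_selectors {
            method = "*"
          }
        }
      }
    }

    # Egress: the only way data may leave is this identity writing objects
    # into one named partner project (hypothetical number). Any other
    # cross-perimeter copy, by any identity, is blocked.
    egress_policies {
      egress_from {
        identities = ["serviceAccount:export@${var.project_id}.iam.gserviceaccount.com"]
      }
      egress_to {
        resources = ["projects/111111111111"]
        operations {
          service_name = "storage.googleapis.com"
          method_selectors {
            method = "google.storage.objects.create"
          }
        }
      }
    }
  }
}
```

Two practical notes. First, roll a perimeter out in dry-run mode before enforcing it (gcloud has `access-context-manager perimeters dry-run` commands, and the Terraform resource has a `spec` block with `use_explicit_dry_run_spec`), because a perimeter with a missing ingress rule silently breaks every pipeline that calls in from outside. Second, the egress rule is what makes "data cannot be moved out" concrete: without it, even a service account that lives inside the perimeter cannot copy a bucket to an external project, and with it only the named identity can, and only via the listed method.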

The Cloud Native equivalent of VPC-SC

  • Service Meshes (e.g., Istio, Linkerd): identity-based, mutually authenticated service-to-service traffic with per-service allow rules, the closest analogue to VPC-SC ingress/egress rules.
  • Kubernetes Network Policies: declare which pods may talk to which, the analogue of perimeter membership at the network layer.
  • OPA (Open Policy Agent) Gatekeeper: enforces custom admission policies on Kubernetes resources, so you can validate configurations and keep the cluster in a compliant state.

Note on Service Accounts

Service accounts owned by a GCP project are treated as identities inside any service perimeter that the project belongs to. That placement does not make their credentials safe to use from anywhere: a call to a restricted service is still evaluated on where it comes from, so the same key used from outside the perimeter is denied unless an ingress rule admits it, and a call from inside to a project outside the perimeter is denied unless an egress rule allows it.