dh...@google.com <dh...@google.com> #2
Hello,
Thank you for reaching out to us with your request.
We have duly noted your feedback and will thoroughly validate it. While we cannot provide an estimated time of implementation or guarantee the fulfillment of the issue, please be assured that your input is highly valued. Your feedback enables us to enhance our products and services.
We appreciate your continued trust and support in improving our Google Cloud Platform products. In case you want to report a new issue, please do not hesitate to create a new issue on the
Once again, we sincerely appreciate your valuable feedback. Thank you for your understanding and collaboration.
Thanks & Regards,
Ashalatha
Google Cloud Support
Description
The customer is looking to block access to projects in other (external) organizations and dynamically allow access only to all the projects in the customer's own organization. They would like to grant access once to all of the organization's projects, including projects that are created in the future. Preferably this can be achieved using only an egress rule. They are using VPC Service Controls in a hybrid environment with a Shared VPC architecture.
Business Impact: Data exfiltration risk.
How this might work:
Expecting to have a rule configuration similar to the one below.
Egress rule
From:
  Identities:
To:
  Projects = All Organisation projects (instead of All projects)
  Service =
    Service name: All Services
Why alternative solutions are not sufficient:
- Requests are coming from the premises network and they are going through a VPN to access “
- Currently, it is only possible to define all projects within the VPC-SC perimeter to allow egress access to any Google Cloud resource, but not organization-wide. When a new project is created, it must be added to the perimeter.
- Currently the shared VPC network does not support host and service projects belonging to different organizations.
- Also there is no way to dynamically add projects to the VPC SC perimeter.
- Tried using a Private Service Connect endpoint to mitigate this risk, but it did not work either.
- Company policies also limit trying out some workarounds.
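The following script is an added illustration, not code from this issue or from Google. It shows the shape of the egress rule that VPC Service Controls supports today (any identity inside the perimeter, all services, but only an explicit list of project numbers on the "To" side) and a drift check that flags organization projects not yet covered by that rule, which is the manual step the request above wants to eliminate. It assumes the egress-policy file format accepted by `gcloud access-context-manager perimeters update --set-egress-policies`, that the file may be written as JSON (which the YAML parser accepts), and that the organization's project numbers are collected separately (for example with `gcloud asset search-all-resources`); all project numbers below are constructed.

```python
"""Build a VPC Service Controls egress policy for an explicit project list and
report organization projects the current rule does not cover.

Added illustration; not the issue's or Google's code. Assumes the egress-policy
file format used by `gcloud ... perimeters update --set-egress-policies`.
"""
import json

# Constructed sample: project numbers present in the organization today
# (in practice obtained from gcloud asset search-all-resources or similar).
ORG_PROJECT_NUMBERS = ["111111111111", "222222222222", "333333333333"]

# Constructed sample: resources already listed in the perimeter's egress rule.
CURRENT_EGRESS_RESOURCES = ["projects/111111111111", "projects/222222222222"]


def build_egress_policy(project_numbers):
    """Return one egress rule: any identity in the perimeter may call any
    service ('*'), but only on the listed projects. There is no selector for
    'all projects in the organization', so every project must be enumerated.
    """
    resources = sorted({f"projects/{n}" for n in project_numbers})
    return [
        {
            "egressFrom": {"identityType": "ANY_IDENTITY"},
            "egressTo": {
                "operations": [{"serviceName": "*"}],
                "resources": resources,
            },
        }
    ]


def missing_projects(current_resources, project_numbers):
    """Organization projects (e.g. newly created ones) that the egress rule
    does not yet allow; each of these still has to be added by hand."""
    wanted = {f"projects/{n}" for n in project_numbers}
    return sorted(wanted - set(current_resources))


def render_policy_file(policy):
    """Serialize the rule list; JSON is valid YAML, so the text can be saved
    as the file passed to --set-egress-policies."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(render_policy_file(build_egress_policy(ORG_PROJECT_NUMBERS)))
    print("not yet allowed by the egress rule:",
          missing_projects(CURRENT_EGRESS_RESOURCES, ORG_PROJECT_NUMBERS))
```

Run on a schedule, the drift check reports projects created since the rule was last regenerated; the regenerated file then replaces the perimeter's egress policies in one update rather than being edited per project.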