Is it possible with Workspace and GCP to restrict geographical where a user can access projects and resources from?
For example, all users in the Workspace should only be able to access GCP resources from Australia. User A decides to go on holiday to USA but will do some remote work. Their access should be blocked to select Workspace and GCP resources unless over ruled (ie. User A enabled access from USA).
This is something I've seen possible in Azure AD, does GCP/Workspace have a similar functionality?
Use Context-Aware Access to create granular access control policies for Google Workspace. Not all versions of Google Workspace enable this feature. This does not affect access to Google Cloud Platform.
If you are using Identity-Aware Proxy to control access to your resources in Google Cloud, then you can extend Identity-Aware Proxy with Context-Aware Proxy. However, this does not limit access to the Google Cloud GUI or other Google owned resources - only the ones you configure IAP authorization.
Setting up context-aware access with Identity-Aware Proxy
Context-Aware Access can also be integrated with VPC Service Control perimeter ingress rules to allow access based on network origin (IP and VPC).
Context-aware access with ingress rules
Summary:
Integrate Context-Aware Access with resources you create that support Identity-Aware Proxy.
Use VPC Service Controls to control access to Google Cloud resources that support VPCs (Cloud Storage, BigQuery, etc).
If your goal is to limit access to the Google Cloud Console GUI, I am not aware of one. Use Two-Step Verification to control user access from new locations.
Related
I would like to configure access control based on source IP address with Google Cloud Functions.
(Only allowed IPs can reach Google Could Functions.)
I suppose there is no way for Google Cloud Functions itself to limit client IPs.
So I have an idea to put some gateways in front of the Cloud Functions, such as Apigee, API Gateway and Cloud Endpoints.
I found that only Apigee has souce IP access control, but I wonder that Apigee is too rich for my simple workload.
https://cloud.google.com/apigee/docs/api-platform/reference/policies/access-control-policy?hl=ja
Is it possible to use API Gateway or Cloud Endpoints to configure source IP based access control?
I wanted to check if it's possible to restrict access to a Google Cloud bucket to a certain IP range and if yes how can we restrict the access. We are exposing our cloud bucket to a vendor and we want to restrict the bucket access only to the vendors IP range.
The best solution for this is VPC Service Controls. This allows you to define a service perimeter that includes your project's GCS service and add an access level to allow access from the IPs you want.
Is there a way that one can whitelist IPs that can access GCP console. We have GCP setup, but at the moment, one can login to the console from any IP via their gsuite account. How can we limit that to only when on the VPN?
The Google Cloud Console is a public global resource. AFAIK there is no method to limit access to a user connected via VPN. Access is granted via Google Accounts OAuth Tokens and limiting access to a VPN is not part of the authentication process.
Google APIs and Services that are supported by VPC Service Controls based on Supported products and limitations available here includes Pub/Sub, Cloud Monitoring and Cloud Logging.
However a related documentation available here about configuring Private Google Access for on-premises hosts available here has Pub/Sub, Monitoring and Logging listed under Reached using Private Google Access but not secured by VPC Service Controls.
I am confused reading this. Can Pub/Sub access (as well as Monitoring and Logging) be secured by VPC Service Controls or not?
Edit
Uploaded image of new VPC Service Control creation screen that allows PubSub to be selected as one of the services to be restricted.
After reviewing both documents, I can see that, as you commented, Pub/Sub is a Supported VPC SC product. However, the combination of these 3 products: Private Google Access + VPC SC + Pub/Sub will not work. Therefore you can secure these products (Pub/Sub, Monitoring and Logging) by using VPC Service Controls without using Private Google Access (service that allow on-premises hosts to reach the Google APIS without using public IPS)
I have a Google Storage bucket that I want to make accessible (anonymous, read-only) to a specific set of internet IP's (whitelist)
I can expose the bucket with a load balancer, but I have not been able to find a way to apply any firewall/IP rules to it.
A Cloud Armor policy can only be applied to backend services not backend buckets.
And the GCP firewall rules only apply to virtual instances.
There isn't any option to do this specific ask as of yet. GCS buckets are mainly controlled through ACLs. However, with Cloud Armor in Beta, this would be a perfect time for a feature request to include backend buckets as targets.