Sharing VPC Service Controls rules

This document describes the ingress and egress rules that you need to let publishers and subscribers access data from projects that have VPC Service Controls perimeters. It assumes familiarity with VPC Service Controls perimeters, shared datasets, data exchanges, listings, and linked datasets.

A Caller project is the network or client project that initiates the request, such as a SQL query or a Google Cloud CLI command.

Create a data exchange

In the following diagram, the projects that contain the data exchange and the shared dataset are in different service perimeters:

Figure 1. VPC Service Controls rules for creating a data exchange.

In figure 1, the following components are labeled:

  • Caller is an Analytics Hub administrator.
  • Project R is the caller project.
  • Project E hosts the BigQuery sharing (formerly Analytics Hub) data exchange and listings.

As an Analytics Hub administrator, when you create a data exchange in a different project than the caller project, you must add the following ingress and egress rules:

Project                      Rule
Project R                    Egress rule for project E
Project E (data exchange)    Ingress rule for project R

Create a listing

In the following diagram, the projects that contain the data exchange and the shared dataset are in different service perimeters:

Figure 2. VPC Service Controls rules for creating a listing.

In figure 2, the following components are labeled:

  • Caller is an Analytics Hub administrator or publisher.
  • Project R is the caller project.
  • Project E hosts the Sharing data exchange and listings.
  • Project S hosts the shared dataset.

When you create a listing in a data exchange that is in a different project than the shared dataset, you must add the following ingress and egress rules to allow publishers to create a listing:

Project                      Rule
Project R                    Egress rule for project E
                             Egress rule for project S
Project E (data exchange)    Egress rule for project S
                             Ingress rule for project R
Project S (shared dataset)   Egress rule for project E
                             Ingress rule for project R

Subscribe to a listing

In the following diagram, the projects that contain the listing and the linked dataset for that listing are in different service perimeters:

Figure 3. VPC Service Controls rules for subscribing to a listing.

In figure 3, the following components are labeled:

  • Caller is an Analytics Hub subscriber.
  • Project R is the caller project.
  • Project E hosts the Sharing data exchange and listings.
  • Project L hosts the linked dataset.

As an Analytics Hub subscriber, when you subscribe to a listing in a data exchange that is in a different project than your project, you must add the following ingress and egress rules:

Project                      Rule
Project R                    Egress rule for project E
                             Egress rule for project L
Project E (listing)          Egress rule for project L
                             Ingress rule for project R
Project L (linked dataset)   Egress rule for project E
                             Ingress rule for project R

Query tables in a linked dataset

In the following diagram, the caller project and the project that contains the linked dataset are in different service perimeters:

Figure 4. VPC Service Controls rules for querying a linked dataset.

In figure 4, the following components are labeled:

  • Caller is an Analytics Hub subscriber or any BigQuery job user of the linked dataset.
  • Project R is the caller project.
  • Project L hosts the linked dataset.
  • Project V hosts the shared dataset that contains the table.

As an Analytics Hub subscriber, when you query a table in the linked dataset, you must add the following ingress and egress rules:

Project                      Rule
Project R                    Egress rule for project L
Project L (linked dataset)   Ingress rule for project R

Query views in a linked dataset

Scenario 1

In the following diagram, the projects that contain the linked dataset and the base tables associated with the view are in different service perimeters. The view (Project S) and the base table associated with the view (Project V) are in different projects:

Figure 5. VPC Service Controls rules for querying a view in a linked dataset (view and base tables in different projects).

In figure 5, the following components are labeled:

  • Caller is an Analytics Hub subscriber or any BigQuery job user of the linked dataset.
  • Project R is the caller project.
  • Project L hosts the linked dataset.
  • Project S hosts the shared dataset.
  • Project V hosts the dataset that contains the base tables associated with the view.

As an Analytics Hub subscriber, when you query a view in a linked dataset, you must add the following ingress and egress rules:

Project                      Rule
Project R                    Egress rule for project L
                             Egress rule for project V
Project L (linked dataset)   Ingress rule for project R
                             Egress rule for project V
Project V                    Egress rule for project L
                             Ingress rule for project R

Scenario 2

In the following diagram, the view and the base table associated with the view are in the same project (Project V):

Figure 6. VPC Service Controls rules for querying a view in a linked dataset (view and base tables in the same project).

In figure 6, the following components are labeled:

  • Caller is an Analytics Hub subscriber or any BigQuery job user of the linked dataset.
  • Project R is the caller project.
  • Project L hosts the linked dataset.
  • Project V hosts both the view and the base tables associated with the view.

As an Analytics Hub subscriber, when you query a view in a linked dataset, you must add the following ingress and egress rules:

Project                      Rule
Project R                    Egress rule for project L
Project L (linked dataset)   Ingress rule for project R

Query authorized views in a linked dataset

In the following diagram, the authorized view and the base table associated with the authorized view (Project V) are in the same project:

Figure 7. VPC Service Controls rules for querying a view in a linked dataset (authorized view and base tables in the same project).

In figure 7, the following components are labeled:

  • Caller is an Analytics Hub subscriber or any BigQuery job user of the linked dataset.
  • Project R is the caller project.
  • Project L hosts the linked dataset.
  • Project V hosts both the authorized view and the base tables associated with the view.

As an Analytics Hub subscriber, when you query a view in a linked dataset, you must add the following ingress and egress rules:

Project                      Rule
Project R                    Egress rule for project L
Project L (linked dataset)   Ingress rule for project R

Limitations

BigQuery sharing (formerly Analytics Hub) doesn't support method-based rules. To allow methods, you must allow all methods. For example:

    ingressTo:
      operations:
      - methodSelectors:
        - method: '*'
        serviceName: analyticshub.googleapis.com
      resources:
      - projects/PROJECT_ID

If BigQuery resources are also protected by service perimeters, then ingress and egress rules must also be allowed for the BigQuery service. This is not needed when creating a data exchange. The ingress and egress rules for BigQuery are similar to those for BigQuery sharing. For example:

    ingressTo:
      operations:
      - methodSelectors:
        - method: '*'
        serviceName: bigquery.googleapis.com
      resources:
      - projects/PROJECT_ID
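The rule tables on this page all follow one pattern: the caller project gets an egress rule to every other project in the scenario, every other project gets an ingress rule from the caller, and non-caller projects that exchange data get egress rules to each other. The following script is an added example (not part of the Google Cloud documentation) that generalizes that pattern: it derives the rule list for a scenario and renders each project's ingress and egress policies with the all-methods selector the Limitations section requires, for both analyticshub.googleapis.com and bigquery.googleapis.com. The project numbers and the principal are constructed placeholders, the rule files are written as JSON on the assumption that gcloud's YAML loader accepts JSON, and the gcloud invocation in the usage note is assumed rather than taken from this page.

```python
import json
from itertools import permutations

# Services named in the Limitations section of this page.
SHARING_SERVICE = "analyticshub.googleapis.com"
BIGQUERY_SERVICE = "bigquery.googleapis.com"

# Constructed placeholder values (replace with your own). The `resources:`
# field of an ingress/egress rule takes project numbers, not project IDs.
PROJECT_NUMBERS = {"R": "111111111111", "E": "222222222222", "S": "333333333333"}
PRINCIPAL = "user:publisher@example.com"


def required_rules(caller, others):
    """Return the set of (project, direction, peer) tuples a scenario needs.

    Generalizes the tables on this page: the caller project (R) needs an
    egress rule to every other project, every other project needs an
    ingress rule from the caller, and every pair of non-caller projects
    needs egress rules to each other.
    """
    rules = set()
    for project in others:
        rules.add((caller, "egress", project))
        rules.add((project, "ingress", caller))
    for a, b in permutations(others, 2):
        rules.add((a, "egress", b))
    return rules


def all_methods(services):
    """Operations block allowing every method of each service, because
    BigQuery sharing does not support method-based rules."""
    return [{"serviceName": s, "methodSelectors": [{"method": "*"}]} for s in services]


def policies_for(project, rules, principal, services, numbers):
    """Build the ingress and egress policy lists for one project's perimeter."""
    ingress, egress = [], []
    for owner, direction, peer in sorted(rules):
        if owner != project:
            continue
        if direction == "ingress":
            ingress.append({
                "ingressFrom": {
                    "identities": [principal],
                    "sources": [{"resource": f"projects/{numbers[peer]}"}],
                },
                "ingressTo": {
                    "operations": all_methods(services),
                    "resources": [f"projects/{numbers[project]}"],
                },
            })
        else:
            egress.append({
                "egressFrom": {"identities": [principal]},
                "egressTo": {
                    "operations": all_methods(services),
                    "resources": [f"projects/{numbers[peer]}"],
                },
            })
    return ingress, egress


def write_policy_files(project, rules, principal, services, numbers):
    """Write <project>-ingress.json and <project>-egress.json and return
    their names. JSON is valid YAML, so the files can be used as policy
    files (assumption: gcloud loads them with a YAML parser)."""
    ingress, egress = policies_for(project, rules, principal, services, numbers)
    names = []
    for kind, body in (("ingress", ingress), ("egress", egress)):
        name = f"{project}-{kind}.json"
        with open(name, "w") as fh:
            json.dump(body, fh, indent=2)
        names.append(name)
    return names


if __name__ == "__main__":
    # Figure 2 scenario: caller R creates a listing in exchange project E
    # for a dataset in project S. BigQuery rules are included on the
    # assumption that the datasets also sit behind perimeters.
    rules = required_rules("R", ["E", "S"])
    for owner, direction, peer in sorted(rules):
        print(f"Project {owner}: {direction} rule for project {peer}")
    for project in PROJECT_NUMBERS:
        print(write_policy_files(project, rules, PRINCIPAL,
                                 [SHARING_SERVICE, BIGQUERY_SERVICE], PROJECT_NUMBERS))
```

Each generated pair can then be applied to the perimeter of that project, for example with `gcloud access-context-manager perimeters update PERIMETER --policy=POLICY --set-ingress-policies=E-ingress.json --set-egress-policies=E-egress.json` (assumed flag names); running the `dry-run update` variant first lets you review the effect before enforcement. When only a data exchange is being created, pass just `[SHARING_SERVICE]`, matching the note above that BigQuery rules are not needed for that step.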
