Deploy resources in a service perimeter

To guard against data exfiltration, create a service perimeter around your App Design Center resources. The perimeter protects App Design Center resources in your management project, including application templates and applications. You create a service perimeter using VPC Service Controls with Cloud Build private pools .

To configure your service perimeter, do the following:

1. Complete the steps in Use VPC Service Controls , including the following:

   1. Create the worker pool in a project in the perimeter.

   2. The Cloud Build job needs to access the public internet to download Terraform modules and providers. To create network rules to allow access, see Enable public internet calls on the VPC network .

   3. In the service perimeter, add management projects where you set up App Design Center.

2. Grant the WorkerPool User ( roles/cloudbuild.workerPoolUser ) role to your deployment service account.

   For steps, see IAM permissions .

3. If you use a restricted VIP to restrict access to VPC Service Controls enabled service, configure DNS to resolve *.googleapis.com to the restricted VIP.

   For steps, see DNS configuration .

4. If you have existing application deployments, redeploy your applications to integrate them with your VPC Service Controls perimeter:

   1. Preview and deploy your applications using the --worker-pool flag.

   2. Specify the worker pool in the following format: projects/{project}/locations/{location}/workerPools/{workerPoolId} .

What's next

To preview and deploy applications, specify your worker pool in the following commands:

• gcloud design-center spaces applications preview

• gcloud design-center spaces applications deploy