Protect Backup for GKE resources using VPC Service Controls


This page describes how to use VPC Service Controls to protect Backup for GKE resources. For more information about VPC Service Controls, read the Overview of VPC Service Controls .

Before you begin

Ensure that you have the required IAM permissions to administer VPC Service Controls.

Create a service perimeter to protect Backup for GKE resources

  1. In the Google Cloud console, go to the VPC Service Controls page.

  2. If you are prompted, select your Organization.

  3. On the VPC Service Controls page, click New Perimeter.

  4. On the New VPC Service Perimeter page, in the Perimeter Name box, type a name for the perimeter.

  5. Select the projects that you want to secure within the perimeter:

    1. Click the Add Projects button.

    2. To add a project to the perimeter, in the Add Projects dialog, select that project's checkbox.

    3. Click the Add n Projects button, where n is the number of projects you selected in the previous step.

  6. Select Backup for GKE to secure within the perimeter:

    1. Click the Add Services button.

    2. To secure Backup for GKE within the perimeter, in the Specify services to restrict dialog, select the Backup for GKE checkbox.

    3. Click the Add Backup for GKE API button.

  7. Click the Save button.

You've created a service perimeter that restricts access to Backup for GKE resources. The service perimeter may take up to 30 minutes to propagate and take effect. When the changes have propagated, access to Backup for GKE will be limited for the projects you added to the perimeter. For example, no backup plan or backup can be created from outside of the perimeter, unless otherwise explicitly allowed by an ingress rule.
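The same perimeter can be created from the gcloud CLI. The following Python helper is an added example (not Google's code or this page's procedure) that assembles the `gcloud access-context-manager perimeters create` command for the steps above. It assumes the Backup for GKE service name `gkebackup.googleapis.com`, that `--policy`, `--title`, `--resources`, `--restricted-services`, `--enable-vpc-accessible-services` and `--vpc-allowed-services` are the flags of that command, and that projects are referenced by project number. The policy ID, perimeter name and project number in the usage are constructed placeholders.

```python
"""Build, and optionally run, the gcloud equivalent of the console steps
for a perimeter that restricts Backup for GKE.

Added example; not Google's code. Assumes the gcloud flags named below.
"""
import re
import shlex
import subprocess
import sys

# Service name of the Backup for GKE API (assumed; not stated on this page).
GKEBACKUP_SERVICE = "gkebackup.googleapis.com"


def perimeter_create_command(policy_id, name, title, project_numbers,
                             extra_restricted_services=(), gcloud="gcloud"):
    """Return the argv for `gcloud access-context-manager perimeters create`.

    VPC Service Controls references projects by *number* (projects/123...),
    not by project ID, so the inputs are validated before a command is built.
    Backup for GKE is added both to the restricted services and to the VPC
    accessible services, because the Backup for GKE agent runs inside the
    cluster and must still be able to reach the API from within the perimeter.
    """
    for number in project_numbers:
        if not re.fullmatch(r"\d+", str(number)):
            raise ValueError(
                f"project must be given as a project number, got {number!r}")
    if not project_numbers:
        raise ValueError("at least one project number is required")

    restricted = [GKEBACKUP_SERVICE, *extra_restricted_services]
    resources = ",".join(f"projects/{n}" for n in project_numbers)
    return [
        gcloud, "access-context-manager", "perimeters", "create", name,
        f"--policy={policy_id}",
        f"--title={title}",
        f"--resources={resources}",
        "--restricted-services=" + ",".join(restricted),
        # Limit which APIs are reachable from inside the perimeter, but keep
        # Backup for GKE on that list so in-cluster backup/restore keeps working.
        "--enable-vpc-accessible-services",
        "--vpc-allowed-services=" + ",".join(restricted),
    ]


def main(argv):
    # Constructed placeholder values; replace with your own.
    cmd = perimeter_create_command(
        policy_id="000000000000",
        name="gkebackup_perimeter",
        title="Backup for GKE perimeter",
        project_numbers=["111111111111"],
    )
    if "--apply" in argv:
        subprocess.run(cmd, check=True)
    else:
        print(shlex.join(cmd))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run without arguments to print the command for review; pass `--apply` to execute it with your authenticated gcloud. Like the console-created perimeter, the result can take up to 30 minutes to propagate.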

Details about how Backup for GKE works with service perimeters

  1. If Backup for GKE is not among the VPC accessible services of a service perimeter, backup and restore operations may fail even if you can create a backup or restore using the Google Cloud console or gcloud CLI. This is because the Backup for GKE agent runs in your GKE cluster (within the service perimeter) and requires access to Backup for GKE to perform backup and restore.

  2. Backup for GKE doesn't support cross-project backup and restore, so creating an egress policy to allow access to Backup for GKE resources in another project has no effect. This is because, by definition, if a project is within a service perimeter, all of its GKE clusters are considered within the service perimeter.
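Both points above describe perimeter configurations that look complete in the console but silently fail. The following added example (not Google's code) audits a perimeter description for them: Backup for GKE missing from the restricted services, Backup for GKE absent from an enabled VPC accessible services list (point 1), and an egress policy aimed at Backup for GKE in another project, which has no effect (point 2). It assumes the JSON shape of `gcloud access-context-manager perimeters describe NAME --format=json` (a `status` object with `restrictedServices`, `vpcAccessibleServices` and `egressPolicies`), the service name `gkebackup.googleapis.com`, and the `RESTRICTED-SERVICES` allowlist shorthand; the embedded sample perimeter is constructed.

```python
"""Audit a VPC Service Controls perimeter for Backup for GKE pitfalls.

Added example; not Google's code. Assumes the `perimeters describe` JSON
layout and the service name gkebackup.googleapis.com.
"""
import json

GKEBACKUP_SERVICE = "gkebackup.googleapis.com"
# Allowlist shorthand meaning "every restricted service" (assumed real value).
ALL_RESTRICTED = "RESTRICTED-SERVICES"

# Constructed sample: Backup for GKE is restricted, but the enabled VPC
# accessible services list omits it, and an egress rule targets Backup for
# GKE in a second project. Identifiers are placeholders.
SAMPLE_PERIMETER_JSON = json.dumps({
    "name": "accessPolicies/000000000000/servicePerimeters/example_perimeter",
    "title": "example perimeter",
    "status": {
        "resources": ["projects/111111111111"],
        "restrictedServices": [GKEBACKUP_SERVICE, "storage.googleapis.com"],
        "vpcAccessibleServices": {
            "enableRestriction": True,
            "allowedServices": ["storage.googleapis.com"],
        },
        "egressPolicies": [{
            "egressFrom": {"identityType": "ANY_IDENTITY"},
            "egressTo": {
                "resources": ["projects/222222222222"],
                "operations": [{"serviceName": GKEBACKUP_SERVICE,
                                "methodSelectors": [{"method": "*"}]}],
            },
        }],
    },
})


def load_perimeter(text):
    """Parse `perimeters describe --format=json` output."""
    return json.loads(text)


def audit_perimeter(perimeter):
    """Return a list of (code, message) findings for the perimeter.

    Uses the enforced config under `status`; falls back to a dry-run `spec`.
    """
    findings = []
    cfg = perimeter.get("status") or perimeter.get("spec") or {}

    restricted = set(cfg.get("restrictedServices", []))
    if GKEBACKUP_SERVICE not in restricted:
        findings.append(("NOT_RESTRICTED",
                         "Backup for GKE is not a restricted service; the "
                         "perimeter does not protect its resources"))

    # Point 1: the in-cluster agent must be able to reach the API from inside.
    vpc = cfg.get("vpcAccessibleServices") or {}
    allowed = set(vpc.get("allowedServices", []))
    agent_ok = (not vpc.get("enableRestriction")
                or GKEBACKUP_SERVICE in allowed
                or (ALL_RESTRICTED in allowed and GKEBACKUP_SERVICE in restricted))
    if not agent_ok:
        findings.append(("AGENT_BLOCKED",
                         "VPC accessible services is enabled without Backup "
                         "for GKE; in-cluster backup and restore will fail"))

    # Point 2: cross-project backup/restore is unsupported, so an egress rule
    # to Backup for GKE in another project does nothing.
    for policy in cfg.get("egressPolicies", []):
        to = policy.get("egressTo") or {}
        services = {op.get("serviceName") for op in to.get("operations", [])}
        if GKEBACKUP_SERVICE in services and to.get("resources"):
            findings.append(("EGRESS_NO_EFFECT",
                             "egress rule to Backup for GKE in %s has no effect"
                             % ",".join(to["resources"])))
    return findings


if __name__ == "__main__":
    for code, message in audit_perimeter(load_perimeter(SAMPLE_PERIMETER_JSON)):
        print(f"{code}: {message}")
```

Feed it real output with `gcloud access-context-manager perimeters describe NAME --format=json` piped into `load_perimeter`; an empty result means none of the three conditions was found.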