问题描述
我已经为GCP中的项目创建了VPC服务范围,并向其中添加了Google Cloud Storage.
I have created a VPC Service Perimeter for a project in GCP and added Google Cloud Storage to it.
GCP中是否有一种方法仅允许特定VPC中的VM或资源访问Google Cloud Storage API(通过gsutil或任何其他方式)?
Is there a way in GCP to allow access to Google Cloud Storage API (via gsutil or any other means) only to the VMs or resources in a particular VPC?
如果我有三个VPC( vpc-a , vpc-b 和 vpc-c ),我只希望 vpc-a 中的实例访问Cloud Storage存储桶和VPC服务周界以拒绝访问到 vpc-b 和 vpc-c 的资源.
If I have three VPCs (vpc-a, vpc-b and vpc-c), I want only the instances in vpc-a to access the Cloud Storage buckets and VPC Service Perimeter to deny access to resources from vpc-b and vpc-c.
我所有的实例都是私有的(没有公共IP地址),并认为VPC和VM在一个项目中(已添加到VPC Service Perimeter中).如何实现以上设置?
All my instances will be private (no public IP address) and consider the VPCs and VMs to be in one project (added in VPC Service Perimeter). How to achieve the above setup?
推荐答案
Access Context Manager,GCP服务控件或Google Cloud Storage不支持此功能.
This is not supported by Access Context Manager, GCP Service Controls or Google Cloud Storage.
VPC服务控件是基于项目的,而不是基于VPC的. VPC服务控制会占用项目资源.您将需要能够从访问此岛中删除某些资源(VPC).
VPC Service Controls are project based and are not VPC based. VPC Service Controls islands a project's resources. You would need the ability to remove certain resources (VPC) from accessing this island.
访问上下文管理器未为VPC子网或专用IP CIDR块定义条件.
Access Context Manager does not define a condition for VPC subnets or private IP CIDR blocks.
VPC服务控件不会阻止项目内部的资源.
VPC Service Controls does not block resources inside the project.
没有支持的方法来阻止一个VPC,而在两个VPC都位于同一项目中的情况下允许另一种.
There is no supported method to block one VPC and allow another where both VPCs are inside the same project.
这篇关于在VPC服务范围GCP中允许一个VPC拒绝其他VPC的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!