Best practices for VPC Service Controls
Now that you understand the higher-level details of VPC Service Controls perimeters, let us go over some best practices:
- A single large perimeter is the simplest to implement and reduces the total number of moving parts requiring additional operational overhead, which helps to prevent complexity in your allowlist process.
- When data sharing is a primary use case for your organization, you can use more than one perimeter. If you produce and share lower-tier data such as de-identified patient health data, you can use a separate perimeter to facilitate sharing with outside entities.
- When possible, enable all protected services when you create a perimeter, which helps to reduce complexity and reduces potential exfiltration vectors. Make sure that there isn’t a path to the private VIP from any of the VPCs in the perimeter. If you allow a network route to
private.googleapis.com, you reduce the VPC Service Controls protection from...
