Data exfiltration prevention — Service Perimeters across Azure · AWS · GCP
VPC Service Controls create a perimeter around cloud resources to prevent data exfiltration — even if IAM allows access, data cannot leave the perimeter. This is primarily a GCP concept, but has equivalents in Azure and AWS.
Private Endpoints: Deploy resources into a VNet, expose via Private Link. Control access with NSG rules.
CLI:az network private-endpoint create --name myPE --vnet-name myVNet --subnet mySubnet --private-connection-resource-id /subscriptions/.../storageAccounts/...
VPC Endpoint Policies: Attach IAM policies to VPC endpoints to control which principals/actions can access the service.
CLI:aws ec2 create-vpc-endpoint --vpc-id vpc-xxx --service-name com.amazonaws.region.s3 --policy-document file://policy.json
VPC Service Controls: Define a perimeter at org/folder/project level. Add services to protect (GCS, BigQuery, etc.). Configure ingress/egress rules.
CLI:gcloud access-context-manager perimeters create prod-perimeter --title="Prod Perimeter" --perimeter-type=regular --resources=projects/PROJECT_NUMBER --restricted-services=storage.googleapis.com,bigquery.googleapis.com
On-prem connects via VPN/ExpressRoute to VNet. Private Endpoint ensures traffic stays on Azure backbone.
On-prem connects via Direct Connect/VPN to VPC. VPC Endpoint connects to S3/DynamoDB without internet.
ingress_policies:
- ingress_from:
sources:
- access_level: "onprem-access-level"
ingress_to:
operations:
- service_name: "storage.googleapis.com"GCP allows running VPC-SC in dry run mode — logs all violations without blocking. This is critical for rollout — audit first, then enforce. Azure/AWS equivalents: use Flow Logs (AWS) / NSG diagnostic logs (Azure) to observe before enforcing.