VPC Service Controls

Data exfiltration prevention — Service Perimeters across Azure · AWS · GCP

Concept

VPC Service Controls create a perimeter around cloud resources to prevent data exfiltration — even if IAM allows access, data cannot leave the perimeter. This is primarily a GCP concept, but has equivalents in Azure and AWS.

Primary Mechanism
Private Endpoints + NSG
VPC Endpoint Policies
VPC Service Controls
Scope
Subnet / VNet level
VPC Endpoint level
Organization / Folder / Project
Inbound Rules
Network Security Groups
VPC Endpoint Policy (Allow/Deny)
Ingress Rules (on-prem / trusted IPs / identities)
Outbound Rules
Azure Firewall / NSG
VPC Endpoint Policy
Egress Rules (allow only specific projects / networks)
Cross-Project Access
VNet Peering
VPC Peering
Service Perimeter Bridges

Create a Service Perimeter

○ Azure — Azure Equivalent

Private Endpoints: Deploy resources into a VNet, expose via Private Link. Control access with NSG rules.

CLI:
az network private-endpoint create --name myPE --vnet-name myVNet --subnet mySubnet --private-connection-resource-id /subscriptions/.../storageAccounts/...

○ AWS — AWS Equivalent

VPC Endpoint Policies: Attach IAM policies to VPC endpoints to control which principals/actions can access the service.

CLI:
aws ec2 create-vpc-endpoint --vpc-id vpc-xxx --service-name com.amazonaws.region.s3 --policy-document file://policy.json

○ GCP — GCP (native)

VPC Service Controls: Define a perimeter at org/folder/project level. Add services to protect (GCS, BigQuery, etc.). Configure ingress/egress rules.

CLI:
gcloud access-context-manager perimeters create prod-perimeter --title="Prod Perimeter" --perimeter-type=regular --resources=projects/PROJECT_NUMBER --restricted-services=storage.googleapis.com,bigquery.googleapis.com

Ingress Rule — Allow On-Prem

○ Azure — VPN + Private Endpoint

On-prem connects via VPN/ExpressRoute to VNet. Private Endpoint ensures traffic stays on Azure backbone.

○ AWS — VPC Endpoint + Direct Connect

On-prem connects via Direct Connect/VPN to VPC. VPC Endpoint connects to S3/DynamoDB without internet.

○ GCP — VPC-SC Ingress Rule

ingress_policies:
  - ingress_from:
      sources:
        - access_level: "onprem-access-level"
    ingress_to:
      operations:
        - service_name: "storage.googleapis.com"

VPC-SC Dry Run Mode

GCP allows running VPC-SC in dry run mode — logs all violations without blocking. This is critical for rollout — audit first, then enforce. Azure/AWS equivalents: use Flow Logs (AWS) / NSG diagnostic logs (Azure) to observe before enforcing.