
VPC Peering over Private Service Connect when connecting two different organizations in GCP

What are the best networking services/products for securely connecting two different organizations in GCP to enable bidirectional data transfer from bucket to bucket without exposing the data to the public internet?

I understand that VPC Peering and Private Service Connect are two possible solutions for this scenario. Could you provide insights on the advantages and limitations of each for this use case? How can each be configured to ensure secure data transfer between organizations while keeping the data off the public internet?

Solved

2 REPLIES

Hi @Nikp,

Welcome to Google Cloud Community!

Both VPC Peering and Private Service Connect can be effective solutions for securely connecting two different organizations in Google Cloud Platform (GCP) and enabling bidirectional data transfer.

VPC Peering is a method of connecting two Virtual Private Clouds (VPCs) so that resources in both VPCs can communicate with each other using private IP addresses. Traffic between the two VPCs remains within Google's network and is not exposed to the public internet, ensuring security.

  • Note that you need to configure IAM policies to grant the appropriate permissions for each Cloud Storage bucket after creating the peering connection between the two VPCs in the two separate organizations.
  • Enable Private Google Access on the VPC subnets to ensure that API requests to Google Cloud services, including Cloud Storage, are routed over Google’s private network.
  • Misconfigurations can still lead to data exposure. You'll need careful firewall rules on both sides to restrict access to only the necessary resources.
  • VPC peering is non-transitive, meaning if there are more than two VPCs, one cannot route traffic through a peered VPC to another VPC.

PSC allows the creation of private endpoints for services like Cloud Storage. This can enable secure data transfers between organizations over private IPs.

  • Unlike VPC peering, which relies on network-level security, PSC provides additional layers of service-level security, such as granular access policies on the service itself.
  • No IP overlap issues: PSC doesn't have the same IP range restrictions as VPC Peering, so it's useful in situations where the VPCs might have overlapping IP ranges.
  • You'll need to configure DNS routing for the Cloud Storage service so that requests are directed to the private endpoints.
  • Set IAM policies to ensure that each organization has the appropriate permissions to access the Cloud Storage buckets.

You can use PSC if you want to use only private IPs to access your Cloud Run (and other Google-published services) or other third-party services. You may check this list for reference.

Other references:

Set up and manage VPC Network Peering

About accessing published services through endpoints

Private Service Connect architecture and performance

Google Cloud Skills Boost

Integrate Private Service Connect with Service Directory

I hope the information above is helpful.
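The PSC bullets in the reply above (endpoint, DNS, firewall rules, bucket IAM) as one runnable procedure. This is an added example, not code from the reply or from Google's documentation; the project, network, endpoint IP, bucket and service-account names are hypothetical placeholders, and the choice of an A record for storage.googleapis.com in a private googleapis.com zone is one of the documented DNS layouts, assumed here for simplicity.

```shell
#!/bin/sh
# Added example, not code from the thread: the gcloud steps behind the PSC
# bullets above (endpoint for Google APIs, private DNS, egress firewall, bucket
# IAM). Project, network, IP, bucket and service-account names are
# hypothetical placeholders; override them via the environment.
set -eu

PROJECT="${PROJECT:-org-a-net-prj}"            # consuming project in organization A
NETWORK="${NETWORK:-exchange-vpc}"             # VPC that will host the endpoint
ENDPOINT_IP="${ENDPOINT_IP:-10.10.0.5}"        # unused internal IP inside that VPC
PEER_BUCKET="${PEER_BUCKET:-org-b-exchange}"   # bucket owned by organization B
WORKLOAD_SA="${WORKLOAD_SA:-xfer@org-a-net-prj.iam.gserviceaccount.com}"

# run: print the command when DRY_RUN is set, otherwise execute it.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Reserve a global internal address for the endpoint.
reserve_endpoint_ip() {
  run gcloud compute addresses create psc-googleapis-ip --project="$PROJECT" \
    --global --purpose=PRIVATE_SERVICE_CONNECT \
    --addresses="$ENDPOINT_IP" --network="$NETWORK"
}

# 2. Create the endpoint. The vpc-sc bundle exposes only the APIs that support
#    VPC Service Controls (Cloud Storage is one); all-apis would expose more.
create_endpoint() {
  run gcloud compute forwarding-rules create psc-googleapis --project="$PROJECT" \
    --global --network="$NETWORK" --address=psc-googleapis-ip \
    --target-google-apis-bundle=vpc-sc
}

# 3. Private DNS zone so storage.googleapis.com resolves to the endpoint IP
#    inside the VPC. Clients keep the public hostname, so TLS still validates.
configure_dns() {
  run gcloud dns managed-zones create googleapis-private --project="$PROJECT" \
    --dns-name="googleapis.com." --visibility=private --networks="$NETWORK" \
    --description="Resolve Google APIs to the PSC endpoint"
  run gcloud dns record-sets create "storage.googleapis.com." --project="$PROJECT" \
    --zone=googleapis-private --type=A --ttl=300 --rrdatas="$ENDPOINT_IP"
}

# 4. Egress firewall: the transfer service account may reach only the endpoint
#    on 443; a lower-priority deny rule turns that into an allow-list.
restrict_egress() {
  run gcloud compute firewall-rules create allow-psc-storage --project="$PROJECT" \
    --network="$NETWORK" --direction=EGRESS --action=ALLOW --rules=tcp:443 \
    --destination-ranges="${ENDPOINT_IP}/32" \
    --target-service-accounts="$WORKLOAD_SA" --priority=1000
  run gcloud compute firewall-rules create deny-other-egress --project="$PROJECT" \
    --network="$NETWORK" --direction=EGRESS --action=DENY --rules=all \
    --destination-ranges=0.0.0.0/0 \
    --target-service-accounts="$WORKLOAD_SA" --priority=65000
}

# 5. Bucket IAM, run by organization B: grant A's service account read access on
#    the bucket itself rather than a project-wide role.
grant_bucket_access() {
  run gcloud storage buckets add-iam-policy-binding "gs://$PEER_BUCKET" \
    --member="serviceAccount:$WORKLOAD_SA" --role=roles/storage.objectViewer
}

# 6. Check from a VM in the VPC: the hostname must resolve to the endpoint IP,
#    otherwise requests still leave through the default (public) path.
verify_resolution() {
  resolved="$(getent hosts storage.googleapis.com | awk '{print $1; exit}')"
  [ "$resolved" = "$ENDPOINT_IP" ]
}

setup_all() {
  reserve_endpoint_ip; create_endpoint; configure_dns; restrict_egress
  grant_bucket_access
}

# Run the whole procedure only when explicitly asked; DRY_RUN=1 prints it instead.
if [ -n "${RUN_SETUP:-}" ]; then setup_all; fi
```

Run with `DRY_RUN=1 RUN_SETUP=1 sh psc-storage.sh` first to review the exact commands, then without `DRY_RUN`. Step 5 has to be executed by someone with bucket IAM admin in organization B; everything else runs in organization A's project. The deny rule in step 4 is what makes the setup fail closed: without it a wrong DNS answer silently sends the transfer out to the public API endpoint, which `verify_resolution` is there to catch.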

Hello @diannemcm 

Thank you for the detailed explanation and for welcoming me to the Google Cloud Community!

I wanted to confirm my understanding: If I am using Google Storage Transfer Service (STS) to transfer data between two organizations' Cloud Storage buckets within GCP, VPC Peering or Private Service Connect (PSC) are not required. Since STS operates within Google's private network, data transfers between buckets would remain secure and not exposed to the public internet.

Additionally, I understand that I can use STS with VPC Service Controls (VPC-SC) for enhanced security to define secure perimeters and prevent data exfiltration. Could you kindly confirm if this is correct? I truly appreciate your insights and the resources you provided—they’ve been very helpful.

Thanks again for your support!
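The STS-plus-VPC-SC arrangement described in the post above, as an added example rather than anything from the thread or Google's own documentation: organization B wraps its bucket project in a service perimeter that restricts Cloud Storage, and admits only organization A's Storage Transfer Service agent through an ingress rule. The access policy ID, project numbers and bucket name are hypothetical placeholders; the ingress source is left as any access level (`"*"`) on the assumption that the agent's requests originate from Google-managed infrastructure rather than from a VPC in organization A, so the identity match is what narrows the rule.

```shell
#!/bin/sh
# Added example, not code from the thread: a VPC Service Controls perimeter
# around organization B's bucket project that restricts Cloud Storage, with an
# ingress rule admitting only organization A's Storage Transfer Service agent,
# plus the bucket roles that agent needs. Policy ID, project numbers and bucket
# name are hypothetical placeholders.
set -eu

ACCESS_POLICY="${ACCESS_POLICY:-123456789}"            # org B's access policy ID
B_PROJECT_NUMBER="${B_PROJECT_NUMBER:-111111111111}"   # project that owns the bucket
A_PROJECT_NUMBER="${A_PROJECT_NUMBER:-222222222222}"   # project that runs the STS job
SRC_BUCKET="${SRC_BUCKET:-org-b-exchange}"             # bucket inside the perimeter
# STS acts as a per-project service agent with this fixed naming pattern.
STS_AGENT="project-${A_PROJECT_NUMBER}@storage-transfer-service.iam.gserviceaccount.com"

# run: print the command when DRY_RUN is set, otherwise execute it.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Ingress policy: one identity, read-only Storage methods, one target project.
# Source is any access level (assumption: STS calls come from Google-managed
# infrastructure, not from org A's VPC); the identity restriction is the gate.
write_ingress_policy() {
  cat > "$1" <<EOF
- ingressFrom:
    identities:
    - serviceAccount:${STS_AGENT}
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: google.storage.objects.get
      - method: google.storage.objects.list
      - method: google.storage.buckets.get
    resources:
    - projects/${B_PROJECT_NUMBER}
EOF
}

# The perimeter itself: restricting storage.googleapis.com means any Storage
# call that is not covered by an ingress/egress rule is denied at the API.
create_perimeter() {
  run gcloud access-context-manager perimeters create exchange-perimeter \
    --policy="$ACCESS_POLICY" --title="Bucket exchange" \
    --resources="projects/${B_PROJECT_NUMBER}" \
    --restricted-services=storage.googleapis.com \
    --ingress-policies="$1"
}

# IAM is still evaluated after VPC-SC: the agent needs bucket-level roles on the
# source (reader roles shown; the sink bucket in org A gets writer roles instead).
grant_sts_source_roles() {
  for role in roles/storage.objectViewer roles/storage.legacyBucketReader; do
    run gcloud storage buckets add-iam-policy-binding "gs://$SRC_BUCKET" \
      --member="serviceAccount:$STS_AGENT" --role="$role"
  done
}

setup_all() {
  policy_file="$(mktemp)"
  write_ingress_policy "$policy_file"
  create_perimeter "$policy_file"
  grant_sts_source_roles
  rm -f "$policy_file"
}

# Run only when explicitly asked; DRY_RUN=1 prints the commands instead.
if [ -n "${RUN_SETUP:-}" ]; then setup_all; fi
```

For the reverse direction the same shape is mirrored: organization A's sink project gets its own perimeter and ingress rule for organization B's STS agent, and the sink bucket carries writer roles. The exact bucket roles STS needs on source and sink should be checked against the current STS documentation before running this outside a dry run.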