Module 2 · GCP Advanced — VPC-SC, WIF, Confidential Computing

Manish Garg · Associate of (ISC)² · RingSafe
Apr 22, 2026
5 min read

Last updated: April 29, 2026

VPC Service Controls, Workload Identity Federation, BeyondCorp, Confidential VMs, Assured Workloads, EKM.

This module covers advanced GCP security topics that come up in larger or regulated GCP deployments — VPC Service Controls, Workload Identity Federation, BeyondCorp Enterprise, Confidential Computing, and the assured-workload products for regulated industries. Material here assumes you’ve done Module 1 (GCP fundamentals) and are operating multi-project, multi-environment GCP at scale.

VPC Service Controls (VPC-SC) — the data exfiltration perimeter

VPC-SC creates a security perimeter around GCP services. Resources inside the perimeter (BigQuery datasets, GCS buckets, etc.) cannot be accessed by clients outside the perimeter — even with valid IAM credentials. This is the answer to “valid creds compromised → data exfiltrated.”

Perimeter components

  • Perimeter: a boundary around projects + services
  • Restricted services: which services are protected (e.g., bigquery.googleapis.com, storage.googleapis.com)
  • Access levels: conditions for crossing the perimeter (specific IPs, identity, device, time-of-day)
  • Ingress / Egress rules: explicit allowances for cross-perimeter traffic
  • Bridge perimeters: connect projects across two perimeters

Practical pattern

PRODUCTION PERIMETER
  ├─ Projects: prod-app, prod-data
  ├─ Restricted services: bigquery, storage, cloudkms, pubsub
  ├─ Access level "corp-network": from corporate IP ranges + verified devices
  ├─ Ingress rule: from CI service accounts (specific) → bigquery (specific tables)
  └─ Egress rule: prod-app → ext-vendor-bucket (specific external GCS)

An attacker with a stolen prod service account key from outside the corp network cannot dump BigQuery — VPC-SC denies the call regardless of IAM permissions.

Operational reality

  • VPC-SC is unforgiving — misconfiguration breaks production access
  • Use Dry Run mode for weeks before enforcement
  • “VPC accessible services” allow-list takes time to get right
  • External services (third-party SaaS connecting to your BigQuery) need explicit ingress rules
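The decision flow described in the practical pattern and the dry-run advice above, as an added example. This is a simplified Python model written for this module, not Google's Access Context Manager engine and not code from the author; it encodes the one property the section relies on (IAM is necessary but not sufficient, the perimeter is checked afterwards) plus the access-level, ingress-rule, egress-rule and dry-run behaviours exactly as the text states them. All identities, IP ranges, project and resource names are constructed for the illustration.

```python
# Added example, not GCP's code: a simplified model of the decision a VPC-SC perimeter
# makes AFTER IAM has already said yes. All identities, IPs and names are constructed.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class AccessLevel:      # condition for crossing the perimeter: source IP range (+ device check)
    name: str
    ip_ranges: list[str]
    require_verified_device: bool = False

    def matches(self, req: "Request") -> bool:
        in_range = any(ip_address(req.source_ip) in ip_network(r) for r in self.ip_ranges)
        return in_range and (req.device_verified or not self.require_verified_device)

@dataclass
class Perimeter:
    projects: set[str]
    restricted_services: set[str]
    access_levels: list[AccessLevel]
    ingress: set[tuple[str, str]]   # (identity, service) explicitly allowed in
    egress: set[tuple[str, str]]    # (inside project, outside resource) explicitly allowed out
    dry_run: bool = False           # log would-be denials instead of enforcing them

@dataclass
class Request:
    identity: str
    source_ip: str
    source_project: Optional[str]   # None: caller runs outside every perimeter project
    device_verified: bool
    target_project: Optional[str]   # None: target lives outside the perimeter
    target_resource: str
    service: str
    iam_allows: bool = True         # outcome of the ordinary IAM check

def evaluate(p: Perimeter, req: Request, audit: list[str]) -> tuple[bool, str]:
    """Return (allowed, reason). IAM is necessary but not sufficient: the perimeter
    is consulted afterwards, which is the property the module relies on."""
    if not req.iam_allows:
        return False, "iam-denied"
    if req.service not in p.restricted_services:
        return True, "service-not-restricted"
    caller_inside = req.source_project in p.projects
    target_inside = req.target_project in p.projects
    verdict = None
    if target_inside and not caller_inside:
        # Inbound crossing: an access level or an ingress rule must match.
        level = next((al.name for al in p.access_levels if al.matches(req)), None)
        if level:
            return True, f"access-level:{level}"
        if (req.identity, req.service) in p.ingress:
            return True, "ingress-rule"
        verdict = "perimeter-denied-ingress"
    elif caller_inside and not target_inside:
        # Outbound crossing: an egress rule must name both the project and the resource.
        if (req.source_project, req.target_resource) in p.egress:
            return True, "egress-rule"
        verdict = "perimeter-denied-egress"
    if verdict is None:
        return True, "inside-perimeter"     # both ends inside: IAM alone decided
    line = f"{req.identity} {req.service} -> {req.target_resource}: {verdict}"
    if p.dry_run:
        audit.append("DRY-RUN would deny " + line)
        return True, "dry-run:" + verdict
    audit.append("DENY " + line)
    return False, verdict

BQ, GCS = "bigquery.googleapis.com", "storage.googleapis.com"
STOLEN = "etl@prod-data.iam.gserviceaccount.com"   # constructed: a leaked prod SA key
CI = "ci@ci-tools.iam.gserviceaccount.com"
APP = "app@prod-app.iam.gserviceaccount.com"
PROD = Perimeter(   # the module's production perimeter, expressed as data
    projects={"prod-app", "prod-data"},
    restricted_services={BQ, GCS, "cloudkms.googleapis.com", "pubsub.googleapis.com"},
    access_levels=[AccessLevel("corp-network", ["198.51.100.0/24"], require_verified_device=True)],
    ingress={(CI, BQ)},
    egress={("prod-app", "gs://ext-vendor-bucket")},
)

def scenarios(dry_run: bool = False) -> tuple[dict[str, tuple[bool, str]], list[str]]:
    """Run the module's scenarios; returns the per-case decision and the audit lines."""
    p, audit, sales = replace(PROD, dry_run=dry_run), [], "bq://prod-data.sales"
    # Request(identity, source IP, source project, device verified, target project, resource, service)
    cases = {
        "stolen-key-from-internet": Request(STOLEN, "203.0.113.7", None, False, "prod-data", sales, BQ),
        "stolen-key-no-iam": Request(STOLEN, "203.0.113.7", None, False, "prod-data", sales, BQ, False),
        "same-key-from-corp": Request(STOLEN, "198.51.100.20", None, True, "prod-data", sales, BQ),
        "corp-ip-unverified-device": Request(STOLEN, "198.51.100.21", None, False, "prod-data", sales, BQ),
        "ci-sa-to-bigquery": Request(CI, "203.0.113.9", None, False, "prod-data", sales, BQ),
        "ci-sa-to-gcs": Request(CI, "203.0.113.9", None, False, "prod-data", "gs://prod-data-raw", GCS),
        "prod-app-to-vendor-bucket": Request(APP, "10.1.2.3", "prod-app", False, None, "gs://ext-vendor-bucket", GCS),
        "prod-app-to-unknown-bucket": Request(APP, "10.1.2.3", "prod-app", False, None, "gs://unknown-bucket", GCS),
        "prod-app-to-prod-data": Request(APP, "10.1.2.3", "prod-app", False, "prod-data", sales, BQ),
    }
    return {name: evaluate(p, r, audit) for name, r in cases.items()}, audit

if __name__ == "__main__":
    for mode in ("enforced", "dry-run"):
        results, audit = scenarios(dry_run=(mode == "dry-run"))
        print(mode, results["stolen-key-from-internet"], "|", audit[0])
```

Running it shows the stolen-key case denied with `perimeter-denied-ingress` in enforced mode even though `iam_allows` is true, the same key admitted through the `corp-network` access level only when both the IP range and the device check pass, and the CI identity reaching BigQuery but not GCS because ingress rules are per service. With `dry_run=True` every one of those denials becomes an allow with a `DRY-RUN would deny` audit line, which is the list you review for weeks before flipping enforcement on.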