![](\"https://lh5.googleusercontent.com/Q4j91EAeutH7NCB7zn3tHGy1NItzgj0vhkzBT3TeRA7TDhfB97YCop6TjWNcapmNhZ32IwQ1y0Tj7EkdbPjp8X3PL9yyTFObCjraHuF5aRtDbhZfwY3uD8XXbWkmMxGIlvcrY7bD\")
Hybrid workloads can be described as a configuration in which workloads are deployed across multiple computing environments, one based in the public cloud and at least one being private.
\nThere are several ways to connect on-premises workloads with Google Cloud APIs and Services. For example, you could consume them directly via their internet-facing endpoints, through a Cloud VPN, or work with a dedicated partner to enable Cloud Interconnect.
\nThis blog post will look at how Service Perimeters and Private Google Access can help secure hybrid workloads.
\nA service perimeter is a security boundary that you can configure to control communications between your compute resources and Google Cloud APIs and Services. It allows free communication inside the perimeter but blocks all communication crossing the perimeter.
\nService Perimeters are defined as VPC Service Controls at the Organization level in Google Cloud. VPC Service Perimeters function like a firewall for GCP APIs.
\nUsing VPC Service controls, you can restrict access to selected APIs to only authorized projects or service accounts. These service controls provide an extra layer of security that is independent of Identity and Access Management.
\nPrivate Google Access is a way for on-premises hosts to connect to Google APIs and services by routing traffic through a Cloud VPN Tunnel or a Cloud Interconnect instead of across the internet. Private Google Access allows hosts and workloads in a VPC or on-premise network configured with private (RFC1918) IP addresses to securely connect to the APIs and services.
\nGoogle publishes DNS records for two Virtual IPs (VIPs) to enable private access: private.googleapis.com and restricted.googleapis.com. All requests for APIs and services that use either of these two VIPs are routed through Google's network.
\nLet's look at an example use case to illustrate how to use these features together to secure a hybrid workload.
\nAcme Co., a data processing company, is migrating an in-house application to Anthos GKE on VMware. The application processes documents containing hand-written notes and transcribes the handwritten information with the Cloud Vision API. They also consume other Google services, such as Cloud CDN, for their website and other services needed to support their business.
\nAcme Co. can leverage Private Google Access, Cloud Interconnect, and service perimeters to restrict access to the APIs and services needed by the application.
\nTo securely route requests from their Anthos GKE environment without interrupting access to the other services needed by the business, they configure access to private.googleapis.com by creating the appropriate DNS entries in their on-premises DNS provider. This allows the on-premise environment to interact with the Google Cloud APIs needed through the Cloud Interconnect without impacting access to other Google APIs.
\nBy creating a Service Perimeter containing the Cloud Storage API, Cloud Vision API, the Google Cloud Project(s) for Anthos GKE on VMware, Acme Co. can restrict access to only the services and service accounts required by the application. In addition, access to the GCS buckets where both the pre and post-processed documents reside is protected from unauthorized data access, and access to resources outside the perimeter is restricted. This prevents reading or copying of the data outside of the authorized environment.
\nBy combining Private Google Access with a Cloud Interconnect, Acme Co. ensures that all traffic related to the application remains on well-known networks.
\nThis combination of Service Perimeters, Private Google Access and Cloud Interconnect allows Acme Co to secure and audit the document environment throughout the application life cycle.
\nAre you considering Cloud Interconnect or creating service perimeters for your workloads? We'd love to help! Contact us to get started.
\nAbout the Author: Jenn Viau | Principal Cloud Consultant
\nJenn brings almost two decades of experience in infrastructure, automation, configuration management, and architecture. In her previous roles, she worked with teams to design, deploy, and operate scalable, cloud-native platforms. Jenn is passionate about exploring new approaches, tools, and methodologies and helping customers find the \"right\" way and \"right\" tooling to get things done.
![](\"https://lh4.googleusercontent.com/wwB-7wUb402o-EpOQNGvSRcNt5r_k_sM9SVlU2UT8Dag63EfPqag0L_cKlPkIr82XmIVzb0MJA6hfzQZfKMwZ7Gj12dTdat_ZHBWZ9YPIflmWKiG8rKzWFfZryAC87UcTfX2XY1-\")