What are the best networking services/products for securely connecting two different organizations in GCP to enable bidirectional data transfer from bucket to bucket without exposing the data to the public internet?
I understand that VPC Peering and Private Service Connect are two possible solutions for this scenario. Could you provide insights on the advantages and limitations of each for this use case? How can each be configured to ensure secure data transfer between organizations while keeping the data off the public internet?
Both VPC Peering and Private Service Connect can be effective solutions for securely connecting two different organizations in Google Cloud Platform (GCP) and enabling bidirectional data transfer.
VPC Peering is a method of connecting two Virtual Private Clouds (VPCs) so that resources in both VPCs can communicate with each other using private IP addresses. Traffic between the two VPCs remains within Google’s network and is not exposed to the public internet, ensuring security.
Note that you need to configure IAM policies to grant the appropriate permissions for each Cloud Storage bucket after creating the peering connection between the two VPCs in each separate organization.
Enable Private Google Access on the VPC subnets to ensure that API requests to Google Cloud services, including Cloud Storage, are routed over Google’s private network.
Misconfigurations can still lead to data exposure. You’ll need careful firewall rules on both sides to restrict access to only the necessary resources.
VPC peering is non-transitive, meaning if there are more than two VPCs, one cannot route traffic through a peered VPC to another VPC.
PSC allows the creation of private endpoints for services like Cloud Storage. This can enable secure data transfers between organizations over private IPs.
Unlike VPC peering, which relies on network-level security, PSC provides additional layers of service-level security, such as granular access policies on the service itself.
There are no IP overlap issues, since PSC doesn’t have the same IP range restrictions as VPC Peering, so it’s useful in situations where the VPCs might have overlapping IP ranges.
You’ll need to configure DNS routing for the Cloud Storage service so that requests are directed to the private endpoints.
Set IAM policies to ensure that each organization has the appropriate permissions to access the Cloud Storage buckets.
You can use PSC if you want to use only private IPs to access your Cloud Run (and other Google-published services) or other third-party services. You may check this list for reference.
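To make the PSC path above concrete, here is an added Terraform example (not from the thread or from Google) that creates a Private Service Connect endpoint for Google APIs in one organization's VPC, points storage.googleapis.com at it through a private DNS zone, and grants the other organization's transfer identity least-privilege access to a single bucket; the project, VPC, bucket and service-account values are constructed placeholders.

```hcl
locals { # constructed placeholder values; replace with your own project, VPC and bucket
  project = "org-a-project"
  network = "https://www.googleapis.com/compute/v1/projects/org-a-project/global/networks/org-a-vpc"
  bucket  = "org-a-exchange-bucket"
  peer_sa = "transfer@org-b-project.iam.gserviceaccount.com"
}
# 1. Reserve an unused internal address for the endpoint.
resource "google_compute_global_address" "psc_apis" {
  project      = local.project
  name         = "psc-googleapis"
  purpose      = "PRIVATE_SERVICE_CONNECT"
  address_type = "INTERNAL"
  address      = "10.200.0.5"
  network      = local.network
}
# 2. The endpoint; "all-apis" fronts every PSC-capable Google API, Cloud Storage included.
resource "google_compute_global_forwarding_rule" "psc_apis" {
  project               = local.project
  name                  = "pscapis" # endpoint names: lowercase letters and digits only
  target                = "all-apis"
  network               = local.network
  ip_address            = google_compute_global_address.psc_apis.id
  load_balancing_scheme = ""
}
# 3. Private DNS so storage.googleapis.com resolves to the endpoint inside this VPC only.
resource "google_dns_managed_zone" "googleapis" {
  project    = local.project
  name       = "googleapis-private"
  dns_name   = "googleapis.com."
  visibility = "private"
  private_visibility_config {
    networks {
      network_url = local.network
    }
  }
}
resource "google_dns_record_set" "storage" {
  project      = local.project
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "storage.googleapis.com."
  type         = "A"
  ttl          = 300
  rrdatas      = [google_compute_global_address.psc_apis.address]
}
# 4. Least privilege: the peer org's transfer identity may only create objects in this bucket.
resource "google_storage_bucket_iam_member" "peer_writer" {
  bucket = local.bucket
  role   = "roles/storage.objectCreator"
  member = "serviceAccount:${local.peer_sa}"
}
```

A private zone for googleapis.com shadows the public zone for every name under it inside that VPC, so any other API the workloads call (for example oauth2.googleapis.com for token exchange) needs its own record pointing at the same endpoint. The other organization applies the mirror image of steps 1 to 3 in its own VPC, which is what keeps both directions of the transfer off the public internet.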
Thank you for the detailed explanation and for welcoming me to the Google Cloud Community!
I wanted to confirm my understanding: If I am using Google Storage Transfer Service (STS) to transfer data between two organizations’ Cloud Storage buckets within GCP, VPC Peering or Private Service Connect (PSC) are not required. Since STS operates within Google’s private network, data transfers between buckets would remain secure and not exposed to the public internet.
Additionally, I understand that I can use STS with VPC Service Controls (VPC-SC) for enhanced security to define secure perimeters and prevent data exfiltration. Could you kindly confirm if this is correct? I truly appreciate your insights and the resources you provided—they’ve been very helpful.