Stay organized with collections
Save and categorize content based on your preferences.
You can set up a security perimeter that makes sure your Confidential VM instances
can only interact with other Confidential VM instances. This is achieved with the
following services:
Forces all service projects to create Confidential VM instances only.
constraints/compute.restrictSharedVpcHostProjects
under: FOLDER_ID
Prevents projects inside the perimeter from creating another Shared
VPC host project. Replace FOLDER_ID with the
ID
of your confidential-perimeter folder.
constraints/compute.restrictVpcPeering
is: []
Prevents service projects from peering network and network connections
outside of the perimeter.
constraints/compute.vmExternalIpAccess
is: []
Forces all Confidential VM instances in service projects to use internal
IPs.
Prevents all VM instances from defining an internet-visible ingress
point. You may override this for specific projects in your perimeter
that should have ingressโfor example, your perimeter network.
To control network data transfer outside of the perimeter, use
VPC firewall rules.
What's next
You can use VPC Service Controls to extend the security perimeter to cover
Google Cloud resources. To learn more, see Overview of
VPC Service Controls.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eA security perimeter for Confidential VM instances can be established using Shared Virtual Private Cloud (VPC) networks, organization policy constraints, and firewall rules, ensuring that these instances only interact with each other.\u003c/p\u003e\n"],["\u003cp\u003eCreating this perimeter requires specific IAM roles on the organization, including Organization Administrator, Compute Shared VPC Admin, Project IAM Admin, Compute Network User, and Compute Instance Admin.\u003c/p\u003e\n"],["\u003cp\u003eTo establish a perimeter, create a folder named \u003ccode\u003econfidential-perimeter\u003c/code\u003e within your organization, and then create a shared VPC host project inside that folder.\u003c/p\u003e\n"],["\u003cp\u003eEnforcement of the perimeter involves applying organization policy constraints to the \u003ccode\u003econfidential-perimeter\u003c/code\u003e folder, such as restricting non-confidential computing, shared VPC host projects, VPC peering, external IP access, and load balancer creation types.\u003c/p\u003e\n"],["\u003cp\u003eVPC firewall rules are used to control network data transfer outside of the security perimeter.\u003c/p\u003e\n"]]],[],null,["# Restrict VM interaction to Confidential VM only\n\nYou can set up a security perimeter that makes sure your Confidential VM instances\ncan only interact with other Confidential VM instances. This is achieved with the\nfollowing services:\n\n- [Shared Virtual Private Cloud (VPC) networks](/vpc/docs/shared-vpc)\n\n- [Organization policy constraints](/resource-manager/docs/organization-policy/using-constraints)\n\n- [Firewall rules](/vpc/docs/using-firewalls)\n\nA security perimeter can be established around Confidential VM instances that\nreside inside the same project, or in separate projects.\n\nRequired roles\n--------------\n\n\nTo get the permissions that\nyou need to create a security perimeter,\n\nask your administrator to grant you the\nfollowing IAM roles on the organization:\n\n- [Organization Administrator](/iam/docs/roles-permissions/resourcemanager#resourcemanager.organizationAdmin) (`roles/resourcemanager.organizationAdmin`)\n- [Compute Shared VPC Admin](/iam/docs/roles-permissions/compute#compute.xpnAdmin) (`roles/compute.xpnAdmin`)\n- [Project IAM Admin](/iam/docs/roles-permissions/resourcemanager#resourcemanager.projectIamAdmin) (`roles/resourcemanager.projectIamAdmin`)\n- [Compute Network User](/iam/docs/roles-permissions/compute#compute.networkUser) (`roles/compute.networkUser`)\n- [Compute Instance Admin](/iam/docs/roles-permissions/compute#compute.instanceAdmin) (`roles/compute.instanceAdmin`)\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nYou might also be able to get\nthe required permissions through [custom\nroles](/iam/docs/creating-custom-roles) or other [predefined\nroles](/iam/docs/roles-overview#predefined).\n\nTo learn more about these roles, see [Required administrative\nroles](/vpc/docs/shared-vpc#iam_roles_required_for_shared_vpc) in the [Shared\nVPC overview](/vpc/docs/shared-vpc).\n\nCreate a Confidential VM perimeter\n----------------------------------\n\nTo create a security perimeter around your Confidential VM instances, complete the\nfollowing instructions:\n\n1. Create a [folder](/resource-manager/docs/creating-managing-folders) in your\n organization called `confidential-perimeter`.\n\n2. Inside the folder,\n [create a shared VPC host project](/vpc/docs/provisioning-shared-vpc).\n This defines the Confidential VM perimeter.\n\nAfter you've created a VPC host project, share the project by\ngranting your networking team access.\n\nEnforce the perimeter\n---------------------\n\nTo prevent\n[service projects](/vpc/docs/shared-vpc#shared_vpc_host_project_and_service_project_associations)\nfrom allowing non-Confidential VM instances from interacting with the perimeter,\n[apply the following organization policy constraints](/resource-manager/docs/organization-policy/using-constraints)\nto your `confidential-perimeter` folder as indicated.\n\nTo control network data transfer outside of the perimeter, use\n[VPC firewall rules](/vpc/docs/using-firewalls).\n\nWhat's next\n-----------\n\nYou can use VPC Service Controls to extend the security perimeter to cover\nGoogle Cloud resources. To learn more, see [Overview of\nVPC Service Controls](/vpc-service-controls/docs/overview)."]]
