Allow access to protected resources from outside a perimeter
To grant controlled access to protected Google Cloud resources in service perimeters from outside a perimeter, use access levels.

An access level defines a set of attributes that a request must meet for the request to be honored. Access levels can include various criteria, such as IP address and user identity.

For a detailed overview of access levels, read the Access Context Manager overview.
Before you use access levels in your perimeter, consider the following:

- Access levels and ingress rules work together to control incoming traffic to a perimeter. VPC Service Controls allows a request if it satisfies the conditions of either the access level or the ingress rule.

- If you add multiple access levels to a service perimeter, VPC Service Controls allows a request if it satisfies the conditions of any one of the access levels.
Limitations of using access levels with VPC Service Controls

When using access levels with VPC Service Controls, certain limitations apply:
- Access levels only allow requests from outside a perimeter for the resources of a protected service inside a perimeter. You cannot use access levels to allow requests from a protected resource inside a perimeter to resources outside the perimeter. An example is a Compute Engine client within a service perimeter that calls a Compute Engine create operation where the image resource is outside the perimeter. To allow access from a protected resource inside a perimeter to resources outside the perimeter, use an egress policy.
- Even though access levels are used to allow requests from outside a service perimeter, you cannot use access levels to allow requests from another perimeter to a protected resource in your perimeter. To allow requests from another perimeter to protected resources in your perimeter, the other perimeter must use an egress policy. For more information, read about requests between perimeters.
- To allow perimeter access from private resources deployed in a different project or organization, a Cloud NAT gateway is required in the source project. Cloud NAT has an integration with Private Google Access that automatically enables Private Google Access on the resource's subnet and keeps traffic to Google APIs and services internal, instead of routing it to the internet through the Cloud NAT gateway's external IP address. Because the traffic is routed within Google's internal network, the RequestMetadata.caller_ip field of the AuditLog object is redacted to gce-internal-ip. Instead of using the Cloud NAT gateway's external IP address in an access level as an IP-based allowlist, configure an ingress rule that allows access based on other attributes, such as the project or service account.
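The following ingress policy is an added example (not configuration from the original page) of the alternative described in the last limitation: instead of placing the Cloud NAT gateway's external IP in an access level, the rule admits requests from a named service account whose VMs run in a source project identified by project number, so the redacted caller_ip is irrelevant to the decision. The project numbers, the service account, the perimeter and policy names, and the file name are constructed placeholders.

```yaml
# Added example, not from the original page. Ingress policy for a VPC Service
# Controls perimeter, applied with (PERIMETER_NAME, POLICY_NAME are placeholders):
#   gcloud access-context-manager perimeters update PERIMETER_NAME \
#     --set-ingress-policies=ingress.yaml --policy=POLICY_NAME
# All project numbers and the service account below are constructed values.
- ingressFrom:
    # The caller is matched on its identity, not on its source address, so
    # the caller_ip redaction to gce-internal-ip (Cloud NAT + Private Google
    # Access) has no effect on whether this rule matches.
    identities:
    - serviceAccount:batch-loader@source-project.iam.gserviceaccount.com
    sources:
    # The source project (by number) in which the private VMs are deployed.
    - resource: projects/111111111111
  ingressTo:
    operations:
    # Narrow the allowed service; "*" admits all methods of that service and
    # can be replaced by explicit method selectors for that service.
    - serviceName: storage.googleapis.com
      methodSelectors:
      - method: "*"
    # Protected projects inside the perimeter that this rule may reach.
    resources:
    - projects/222222222222
```

Both the identity and the source must match for the rule to apply, which is what makes it stronger than an address-only allowlist: a different principal in the same project, or the same principal calling from elsewhere, is still denied. Note that `--set-ingress-policies` replaces the perimeter's whole list of ingress rules, so merge this rule into the existing file before applying it.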
Create and manage access levels

Access levels are created and managed using Access Context Manager.
Create an access level

To create an access level, read about creating an access level in the Access Context Manager documentation.
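As an added example (not from the original page or the Access Context Manager documentation), the following basic access level spec combines the two criteria the page names, IP address and principal identity. The CIDR ranges, principals, level name, perimeter and policy names, and file name are constructed placeholders.

```yaml
# Added example, not from the original page. Basic access level spec file for
# Access Context Manager, created with (names are placeholders):
#   gcloud access-context-manager levels create corp_or_ci \
#     --title="Corporate network or CI service account" \
#     --basic-level-spec=level.yaml --combine-function=OR \
#     --policy=POLICY_NAME
# and attached to a perimeter with:
#   gcloud access-context-manager perimeters update PERIMETER_NAME \
#     --add-access-levels=corp_or_ci --policy=POLICY_NAME
# IP ranges and principals below are constructed values.
- ipSubnetworks:
  # Corporate egress ranges; each entry must be a CIDR block (IPv4 or IPv6).
  - 203.0.113.0/24
  - 2001:db8:1::/48
- members:
  # Principals admitted regardless of their source address.
  - user:alice@example.com
  - serviceAccount:ci-runner@tooling-project.iam.gserviceaccount.com
```

Each top-level list item is one condition; attributes inside a single condition must all hold, and separate conditions are combined by `--combine-function`. With `OR`, as above, a request from the corporate range or from one of the listed principals satisfies the level; with `AND`, the listed principals must also call from the corporate range, which is the stricter choice when both facts are known.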
The following examples explain how to create an access level using different conditions:
- IP address
- User and service accounts (principals)
- Device policy

Add access levels to service perimeters

You can add access levels to a service perimeter when creating the perimeter, or to an existing perimeter:

- Read about adding access levels when you create a perimeter.
- Read about adding access levels to an existing perimeter.

Manage access levels

For information about listing, modifying, and deleting existing access levels, read Managing access levels.

What's next

- Creating an access level

Last updated 2025-09-01 UTC.