Google VPC Service Controls (VPC-SC)
Learn how to configure Google Cloud VPC Service Controls to integrate Ternary within a secured service perimeter.
Organizations using Google Cloud VPC Service Controls can allow Ternary to access BigQuery billing export datasets by applying a VPC Service Controls policy within the service perimeter. Ternary provides a policy template that defines the required access levels and ingress and egress rules needed for the integration.
- The template includes placeholders that must be replaced with organization-specific values.
- Parameters shown in code blocks, such as Service_Account_ID and Source_Dataset_Project_Number, are unique to the organization.
- Parameters shown in bold, such as project IDs, are provided by the Ternary account team.

Ternary uses different project identifiers depending on the region hosting the Ternary environment. Separate parameter sets exist for Americas-hosted environments and EU-hosted environments. The Ternary account team can confirm which region applies to the tenant.
Required parameters
- SERVICE_ACCOUNT_ID: The Ternary service account used to access BigQuery billing export data. Example: [email protected]
- SOURCE_DATASET_PROJECT_NUMBER: The project number of the project that contains the BigQuery billing export dataset Ternary will access.
Access level configuration
Access Level stanza

```hcl
# Access level that admits only the Ternary service account.
# Replace SERVICE_ACCOUNT_ID with the organization's value from the Required parameters section.
TERNARY_ALLOWED_SA = {
  combining_function = "AND"
  conditions = [{
    ip_subnetworks         = []
    required_access_levels = null
    members                = ["SERVICE_ACCOUNT_ID"]
    negate                 = false
    regions                = null
  }]
}
```
Ingress Policy stanza

```hcl
# Ingress rule: lets calls originating in the Ternary project reach the billing export project.
ternary_policy_in = {
  ingress_from = {
    # ANY_IDENTITY admits every principal in the source project; note that the
    # TERNARY_ALLOWED_SA access level defined above is not referenced by this rule.
    identity_type = "ANY_IDENTITY"
    sources = {
      resource = "projects/111111111111"   # Ternary project number (bold value supplied by the Ternary account team, region-specific)
    }
  }
  ingress_to = {
    resources = ["projects/SOURCE_DATASET_PROJECT_NUMBER"]   # project holding the BigQuery billing export dataset
    operations = {
      # one entry per API the integration calls; method selector as published in the template
      # (VPC Service Controls uses "*" to denote all methods of a service)
      "bigquery.googleapis.com"              = [{ method = "" }],
      "bigquerydatatransfer.googleapis.com"  = [{ method = "" }],
      "cloudasset.googleapis.com"            = [{ method = "" }],
      "cloudresourcemanager.googleapis.com"  = [{ method = "" }],
      "monitoring.googleapis.com"            = [{ method = "" }],
      "recommender.googleapis.com"           = [{ method = "" }],
    }
  }
}
```
Egress Policy stanza

```hcl
# Egress rule: lets calls from inside the perimeter reach the Ternary projects.
ternary_policy_out = {
  egress_from = {
    identity_type = "ANY_IDENTITY"
  }
  egress_to = {
    # Ternary project numbers for the tenant's region (bold values supplied by the Ternary account team)
    resources = ["projects/111111111111", "projects/222222222222", "projects/333333333333"]
    operations = {
      # same service set as the ingress rule; method selector as published in the template
      "bigquery.googleapis.com"              = [{ method = "" }],
      "bigquerydatatransfer.googleapis.com"  = [{ method = "" }],
      "cloudasset.googleapis.com"            = [{ method = "" }],
      "cloudresourcemanager.googleapis.com"  = [{ method = "" }],
      "monitoring.googleapis.com"            = [{ method = "" }],
      "recommender.googleapis.com"           = [{ method = "" }],
    }
  }
}
```
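To apply these stanzas to a real perimeter, a practitioner would normally render them as the YAML that `gcloud access-context-manager perimeters dry-run update --set-ingress-policies=FILE` / `--set-egress-policies=FILE` accepts and test them in dry-run mode before enforcing. The script below is an added example, not Ternary's tooling: it renders the ingress and egress rules from the page's service list and refuses to emit anything while a template placeholder is still unreplaced; the project numbers passed to it are assumed sample values.

```shell
# Added example (not Ternary tooling): render the page's ingress/egress stanzas as
# gcloud policy YAML, rejecting values that are still template placeholders.
set -eu
# The services granted in the page's stanzas.
TERNARY_SERVICES="bigquery.googleapis.com
bigquerydatatransfer.googleapis.com
cloudasset.googleapis.com
cloudresourcemanager.googleapis.com
monitoring.googleapis.com
recommender.googleapis.com"
# Fail if a value still looks like one of the template's placeholders.
check_no_placeholder() {
  case "$1" in
    *SERVICE_ACCOUNT_ID*|*SOURCE_DATASET_PROJECT_NUMBER*|*111111111111*|*222222222222*|*333333333333*)
      echo "unreplaced placeholder: $1" >&2; return 1 ;;
  esac
}
# Emit the operations list (all methods of each service) indented by $1.
emit_operations() {
  printf '%soperations:\n' "$1"
  echo "$TERNARY_SERVICES" | while read -r svc; do
    printf '%s- serviceName: %s\n%s  methodSelectors:\n%s  - method: "*"\n' "$1" "$svc" "$1" "$1"
  done
}
# Usage: render_ingress_policy SOURCE_DATASET_PROJECT_NUMBER TERNARY_PROJECT_NUMBER
render_ingress_policy() {
  check_no_placeholder "$1" || return 1
  check_no_placeholder "$2" || return 1
  printf '%s\n' '- ingressFrom:' '    identityType: ANY_IDENTITY' '    sources:' \
    "    - resource: projects/$2" '  ingressTo:'
  emit_operations '    '
  printf '%s\n' '    resources:' "    - projects/$1"
}
# Usage: render_egress_policy TERNARY_PROJECT_NUMBER...  (the region-specific set from the account team)
render_egress_policy() {
  printf '%s\n' '- egressFrom:' '    identityType: ANY_IDENTITY' '  egressTo:'
  emit_operations '    '
  printf '%s\n' '    resources:'
  for p in "$@"; do
    check_no_placeholder "$p" || return 1
    printf '    - projects/%s\n' "$p"
  done
}
# Sample run with constructed project numbers:
#   render_ingress_policy 123456789012 987654321098 > ingress.yaml
#   render_egress_policy 987654321098 876543210987 765432109876 > egress.yaml
#   gcloud access-context-manager perimeters dry-run update PERIMETER --policy=POLICY_ID \
#     --set-ingress-policies=ingress.yaml --set-egress-policies=egress.yaml
```

Review the dry-run violation logs for denied Ternary calls before promoting the change to the enforced configuration.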