Enhance security with VPC Service Controls

VPC Service Controls enhance the security of your data by allowing you to define a service perimeter around Google Cloud resources. This service perimeter constrains the movement of data across the perimeter boundary, which mitigates data exfiltration risks.

Learn more about VPC Service Controls

Prerequisites

This article assumes that you previously:

  • Designated an admin project in your Ads Data Hub account.
  • Updated your service account to an email address containing gcp-sa-adsdatahub.iam.gserviceaccount.com. If you haven't done this, or are unsure whether you need to, contact Ads Data Hub support.
  • Contacted Ads Data Hub support to configure your account for VPC Service Controls.

Enable VPC Service Controls

If you haven't previously set up VPC Service Controls, refer to the VPC Service Controls quickstart. The quickstart will guide you through the initial setup of VPC Service Controls. Once you have completed the quickstart, follow the instructions below.

Ads Data Hub-specific setup

  1. Navigate to the VPC Service Controls console and select an existing service perimeter.
  2. Add the projects that you want to secure within the perimeter. You must include the admin project and any projects you use for input or output data in Ads Data Hub.
  3. Add Ads Data Hub and BigQuery as restricted services within the perimeter.
    1. VPC Service Controls recommends restricting all services in the perimeter.

Limitations

Certain Ads Data Hub features (such as custom audience activation, user-provided data matching, and LiveRamp match tables) require certain user data to be exported outside of the VPC Service Controls perimeter. If Ads Data Hub is added as a restricted service, it will bypass VPC Service Controls policies for these features in order to retain their capabilities.

All dependent services must be included as allowed services in the same VPC Service Controls perimeter. For example, since Ads Data Hub relies on BigQuery, BigQuery must also be added. In general, VPC Service Controls best practices recommend including all services in the perimeter, i.e. "restricting all services".

Customers with dual-tier Ads Data Hub account structures, such as agencies with subsidiaries, should have all of their admin projects in the same perimeter. For simplicity, Ads Data Hub recommends that customers with dual-tier account structures restrict their admin projects to the same Google Cloud organization.