Google Cloud Platform (GCP) Virtual Private Cloud (VPC) Service Controls provide an extra layer of security by defining perimeters that isolate and protect sensitive resources. Each perimeter can encompass one or more projects, restricting access to Google services from outside the defined boundary.
To allow Microsoft Defender for Cloud to scan resources within these protected environments, you need to configure ingress and egress policies that allow Defender for Cloud service accounts to operate within the perimeter. This configuration ensures that security scans can be performed without compromising the integrity of the perimeter’s restrictions.
If you're unsure whether Defender for Cloud is being blocked by VPC Service Controls, check Logs Explorer in your GCP project: requests that a perimeter denies are recorded in Cloud Audit Logs against the calling service account.
Prerequisites
Before you configure VPC Service Controls for Defender for Cloud, make sure you have the following prerequisites:
A Microsoft Azure subscription. If you don't have one, you can sign up for a free Azure subscription.
Microsoft Defender for Cloud set up on your Azure subscription.
Contributor-level permissions on the relevant Azure subscription.
Add ingress and egress policies
Each VPC Service Controls perimeter in GCP protects one or more projects. Repeat the following steps for every perimeter that restricts Google services; until you do, Defender for Cloud can't scan the projects inside that perimeter.
Sign in to the Google Cloud console and select your GCP project.
Navigate to Security > VPC Service Controls.
Select Edit.
Under the Ingress policy, add the following service accounts:
serviceAccount:mdc-agentless-scanning@guardians-prod-diskscanning.iam.gserviceaccount.com
serviceAccount:microsoft-defender-cspm@eu-secure-vm-project.iam.gserviceaccount.com
Note
If the microsoft-defender-cspm service account was given a different name when the GCP project was connected to Defender for Cloud, use that name instead. You can find it under IAM & Admin > IAM in your GCP project.
Under the Egress policy, add the following service accounts:
serviceAccount:mdc-agentless-scanning@guardians-prod-diskscanning.iam.gserviceaccount.com
Select Save.
Defender for Cloud triggers agentless disk scanning through API calls, so you can only confirm the configuration after the next scheduled scan, which can take up to 24 hours. If that scan completes with no VPC Service Controls denial for the scanning service account in your audit logs, the policies are working.
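The console steps above, and the Logs Explorer check mentioned earlier, can also be done from the gcloud CLI, which is easier to review and to keep in source control. The following script is an added example and is not from Microsoft's or Google's documentation. It assumes placeholder values for the access policy ID (123456789012), the perimeter name (prod-perimeter) and the project (GCP_PROJECT), and it assumes the rules should cover all sources, services and resources ("*"); the page doesn't state a narrower scope, so tighten these once the scan is confirmed to work. The two service accounts are the ones named on this page.

```shell
#!/bin/sh
# Added example: gcloud equivalent of the console steps for a Defender for Cloud
# VPC Service Controls exception. Not Microsoft's or Google's own code.
set -eu

# Service accounts named on the page. If the microsoft-defender-cspm account was
# renamed when the project was connected to Defender for Cloud, change it here.
MDC_AGENTLESS_SA="serviceAccount:mdc-agentless-scanning@guardians-prod-diskscanning.iam.gserviceaccount.com"
MDC_CSPM_SA="serviceAccount:microsoft-defender-cspm@eu-secure-vm-project.iam.gserviceaccount.com"

# Assumed placeholders: your Access Context Manager policy ID and perimeter name.
ACCESS_POLICY_ID="${ACCESS_POLICY_ID:-123456789012}"
PERIMETER_NAME="${PERIMETER_NAME:-prod-perimeter}"

# Ingress rule: both accounts may enter the perimeter. The "*" scope for sources,
# services and resources is an assumption (the page gives no narrower scope).
render_ingress_policy() {
  cat <<EOF
- ingressFrom:
    identities:
    - ${MDC_AGENTLESS_SA}
    - ${MDC_CSPM_SA}
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: "*"
    resources:
    - "*"
EOF
}

# Egress rule: only the agentless scanning account, as on the page.
render_egress_policy() {
  cat <<EOF
- egressFrom:
    identities:
    - ${MDC_AGENTLESS_SA}
  egressTo:
    operations:
    - serviceName: "*"
    resources:
    - "*"
EOF
}

# Logs Explorer filter for VPC Service Controls denials attributed to one
# principal. The metadata type is the one Cloud Audit Logs uses for VPC SC
# decisions; principalEmail is the standard audit-log caller field.
vpcsc_denial_filter() {
  principal="$1"   # bare e-mail, without the serviceAccount: prefix
  printf '%s AND %s\n' \
    'protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"' \
    "protoPayload.authenticationInfo.principalEmail=\"${principal}\""
}

apply_policies() {
  tmp="$(mktemp -d)"
  render_ingress_policy > "${tmp}/ingress.yaml"
  render_egress_policy  > "${tmp}/egress.yaml"
  # --set-* replaces the perimeter's existing rules: merge any rules shown by
  # "show" into the YAML above before running this, or you will drop them.
  gcloud access-context-manager perimeters update "${PERIMETER_NAME}" \
    --policy="${ACCESS_POLICY_ID}" \
    --set-ingress-policies="${tmp}/ingress.yaml" \
    --set-egress-policies="${tmp}/egress.yaml"
}

check_denials() {
  # Look back 24h, the window the page gives for the next scheduled scan call.
  gcloud logging read "$(vpcsc_denial_filter "${MDC_AGENTLESS_SA#serviceAccount:}")" \
    --project="${GCP_PROJECT:?set GCP_PROJECT to the scanned project}" \
    --freshness=24h --limit=20
}

case "${1:-}" in
  show)  gcloud access-context-manager perimeters describe "${PERIMETER_NAME}" \
           --policy="${ACCESS_POLICY_ID}" ;;
  apply) apply_policies ;;
  check) check_denials ;;
  *)     render_ingress_policy; echo '---'; render_egress_policy ;;
esac
```

Run it with no arguments to print the two rule files for review, `show` to dump the perimeter's current rules so you can merge them in, `apply` to write the rules, and `check` after the next scan window to list any denials still logged for the scanning account; an empty result from `check` after a completed scan is the confirmation the page describes.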