Google Cloud Platform (GCP) Virtual Private Cloud (VPC) Service Controls provide an extra layer of security by defining perimeters that isolate and protect sensitive resources. Each perimeter can encompass one or more projects, restricting access to Google services from outside the defined boundary.
To allow Microsoft Defender for Cloud to scan resources within these protected environments, you need to configure ingress and egress policies that allow Defender for Cloud service accounts to operate within the perimeter. This configuration ensures that security scans can be performed without compromising the integrity of the perimeter’s restrictions.
If you're unsure whether your Defender for Cloud account is being blocked by VPC Service Controls, check the VPC Service Controls audit log entries in GCP Logs Explorer to find out.
Prerequisites
A Microsoft Azure subscription. If you don't have an Azure subscription, you can sign up for a free one.
Microsoft Defender for Cloud set up on your Azure subscription.
Contributor level permission for the relevant Azure subscription.
Add ingress and egress policies
Each VPC Service Controls perimeter in GCP protects one or more projects. Configure any perimeter that restricts Google Services to allow Defender for Cloud to scan the relevant projects.
1. Sign in to your GCP project.
2. Navigate to Security > VPC Service Controls.
3. Select Edit.
4. Under the Ingress policy, add the following service accounts:
   serviceAccount:mdc-agentless-scanning@guardians-prod-diskscanning.iam.gserviceaccount.com
   serviceAccount:microsoft-defender-cspm@eu-secure-vm-project.iam.gserviceaccount.com
   Note
   If the microsoft-defender-cspm service account name was changed when the GCP project was connected to MDC, edit the service account so that it uses the correct name. The name can be found under IAM & Admin permissions in your GCP project.
5. Under the Egress policy, add the following service account:
   serviceAccount:mdc-agentless-scanning@guardians-prod-diskscanning.iam.gserviceaccount.com
6. Select Save.
Defender for Cloud triggers agentless disk scanning through API calls. The next API call can take up to 24 hours to occur; once it succeeds and results for agentless scanning are generated, you know the configuration works.
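As an added example (not code from this page or from Microsoft's documentation), the following shell script builds the ingress and egress policy files for the two service accounts listed above, wraps the gcloud command that applies them to a perimeter, and includes a Logs Explorer query that surfaces VPC Service Controls entries for those accounts (the check mentioned earlier). The access policy number, the perimeter name, the Logging filter field names and the `accessLevel: "*"` / `serviceName: "*"` wildcards are assumptions; the YAML follows the policy-file format accepted by `gcloud access-context-manager perimeters update`.

```shell
#!/bin/sh
# Added example, not part of the Microsoft Learn page: prepare and apply the
# VPC Service Controls rules that let Defender for Cloud service accounts
# operate inside a perimeter, and query the audit log for denials.
# Policy number, perimeter name and Logs Explorer field names are assumptions.

# Service accounts from the page (the CSPM name may differ in your project).
MDC_SCANNING_SA="serviceAccount:mdc-agentless-scanning@guardians-prod-diskscanning.iam.gserviceaccount.com"
MDC_CSPM_SA="serviceAccount:microsoft-defender-cspm@eu-secure-vm-project.iam.gserviceaccount.com"

# write_ingress_policy FILE: both accounts may call into the perimeter from any
# source. The "*" wildcards are an assumption; narrow them once scans succeed.
write_ingress_policy() {
  cat > "$1" <<EOF
- ingressFrom:
    identities:
    - $MDC_SCANNING_SA
    - $MDC_CSPM_SA
    sources:
    - accessLevel: "*"
  ingressTo:
    operations:
    - serviceName: "*"
      methodSelectors:
      - method: "*"
    resources:
    - "*"
EOF
}

# write_egress_policy FILE: only the scanning account needs to reach resources
# outside the perimeter (the page lists just this one account for egress).
write_egress_policy() {
  cat > "$1" <<EOF
- egressFrom:
    identities:
    - $MDC_SCANNING_SA
  egressTo:
    operations:
    - serviceName: "*"
      methodSelectors:
      - method: "*"
    resources:
    - "*"
EOF
}

# count_identities FILE: number of serviceAccount identities in a policy file,
# a quick sanity check before applying it.
count_identities() {
  grep -c 'serviceAccount:' "$1"
}

# apply_policies POLICY_NUMBER PERIMETER_NAME: both arguments are placeholders.
# --set-*-policies REPLACES the perimeter's existing rules, so merge these
# entries into the output of "perimeters describe" first if rules already exist.
apply_policies() {
  gcloud access-context-manager perimeters update "$2" \
    --policy="$1" \
    --set-ingress-policies=ingress.yaml \
    --set-egress-policies=egress.yaml
}

# find_vpcsc_denials: audit-log entries produced by VPC Service Controls for the
# Defender accounts (assumed field names; the same filter works in Logs Explorer).
find_vpcsc_denials() {
  gcloud logging read \
    'protoPayload.metadata."@type"="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" AND protoPayload.authenticationInfo.principalEmail=~"mdc-agentless-scanning|microsoft-defender-cspm"' \
    --limit=20 \
    --format='table(timestamp,protoPayload.authenticationInfo.principalEmail,protoPayload.status.message)'
}

# Interactive usage:
#   write_ingress_policy ingress.yaml; write_egress_policy egress.yaml
#   apply_policies 123456789 my-perimeter      # placeholder values
#   find_vpcsc_denials                         # should stop returning new entries
```

Run `find_vpcsc_denials` before and after applying the rules: entries for the Defender accounts before the change confirm the perimeter is what blocks scanning, and their absence after the next scan cycle (up to 24 hours) confirms the fix. Because `--set-ingress-policies` and `--set-egress-policies` replace whatever rules the perimeter already has, export the current rules first and append these entries rather than overwriting them.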