I have the following GCP resources:
My Service Perimeter protects three projects: network, Apps1 and project-rec. It protects Google Cloud Storage API, Pub/Sub, GKE Connect API and Kubernetes Engine API.
gsutil ls gs://test-bucket/
gives the following results:
Is it possible to have different perimeters on Service Projects that belong to the same Host Project? If so, what am I doing wrong?
Thanks.
Currently, VPC Service Controls (VPC-SC) can only segment resources by VPC networks, i.e., all VMs / Pods in a Shared VPC network always belong to the same Service Perimeter (segment) created by VPC-SC. Sub-VPC segmentation is currently not supported by VPC-SC.
By adding Apps1 to the Service Perimeter, all subnets of the Shared VPC(s) in the host project are part of that Perimeter. Thus, the product is behaving as expected here, as "project-dev", "snet-dev", "project-rec", and "snet-rec" are in the same service perimeter.
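A practical consequence of the answer above is that every service project attached to a Shared VPC host ends up inside whatever perimeter the host's network is in, whether or not it is listed in the perimeter. The following check, added here as an example and not part of the original question or answer, compares the perimeter's resource list with the host's attached service projects and reports projects that share the network but are not explicitly in the perimeter. The two JSON documents are constructed samples shaped like the output of `gcloud access-context-manager perimeters describe ... --format=json` and `gcloud compute shared-vpc associated-projects list HOST --format=json`; the project numbers and the ID-to-number map are assumptions (in real use they come from `gcloud projects describe`). Perimeter resources are stored as `projects/<PROJECT_NUMBER>`, which is why the mapping is needed.

```python
import json

# Constructed sample of the perimeter as returned by
# `gcloud access-context-manager perimeters describe PERIMETER --policy=POLICY --format=json`
# (only the fields used here). Project NUMBERS are assumed values.
PERIMETER_JSON = """
{
  "name": "accessPolicies/123456789/servicePerimeters/shared_vpc_perimeter",
  "status": {
    "resources": [
      "projects/111111111111",
      "projects/222222222222",
      "projects/444444444444"
    ],
    "restrictedServices": [
      "storage.googleapis.com",
      "pubsub.googleapis.com",
      "gkeconnect.googleapis.com",
      "container.googleapis.com"
    ]
  }
}
"""

# Constructed sample of
# `gcloud compute shared-vpc associated-projects list network --format=json`
ASSOCIATED_JSON = """
[
  {"id": "Apps1", "type": "PROJECT"},
  {"id": "project-rec", "type": "PROJECT"},
  {"id": "project-dev", "type": "PROJECT"}
]
"""

# Assumed project ID -> project number map (would come from `gcloud projects describe`).
PROJECT_NUMBERS = {
    "network": "111111111111",
    "Apps1": "222222222222",
    "project-dev": "333333333333",
    "project-rec": "444444444444",
}


def perimeter_project_numbers(perimeter_json: str) -> set:
    """Project numbers explicitly listed as perimeter resources."""
    status = json.loads(perimeter_json)["status"]
    return {r.split("/", 1)[1] for r in status.get("resources", []) if r.startswith("projects/")}


def perimeter_restricted_services(perimeter_json: str) -> set:
    """Services the perimeter restricts (e.g. storage.googleapis.com)."""
    return set(json.loads(perimeter_json)["status"].get("restrictedServices", []))


def shared_vpc_members(host_project: str, associated_json: str) -> set:
    """The host plus every service project attached to its Shared VPC."""
    members = {host_project}
    for entry in json.loads(associated_json):
        if entry.get("type") == "PROJECT":
            members.add(entry["id"])
    return members


def check_shared_vpc_perimeter(host_project: str, perimeter_json: str,
                               associated_json: str, numbers: dict) -> dict:
    """Report which Shared VPC members are (not) explicitly in the perimeter.

    Because VPC-SC cannot segment below a VPC network, every member of the
    Shared VPC is effectively governed by the host's perimeter; members in
    'missing' are inside it without being listed, which is the situation
    described in the question.
    """
    in_perimeter = perimeter_project_numbers(perimeter_json)
    members = shared_vpc_members(host_project, associated_json)
    listed = sorted(p for p in members if numbers.get(p) in in_perimeter)
    missing = sorted(p for p in members if numbers.get(p) not in in_perimeter)
    return {"listed": listed, "missing": missing}


def missing_services(perimeter_json: str, required: set) -> set:
    """Services the perimeter should restrict but does not."""
    return required - perimeter_restricted_services(perimeter_json)


if __name__ == "__main__":
    report = check_shared_vpc_perimeter("network", PERIMETER_JSON, ASSOCIATED_JSON, PROJECT_NUMBERS)
    print("Shared VPC members listed in perimeter:", report["listed"])
    print("Shared VPC members NOT listed (but still governed):", report["missing"])
    print("Unrestricted required services:",
          missing_services(PERIMETER_JSON, {"storage.googleapis.com", "container.googleapis.com"}))
```

Run against live data by piping the two `gcloud ... --format=json` outputs into the constants; a non-empty `missing` list means the host's network and its service projects are split across perimeter membership on paper only, and the fix is to add those projects to the same perimeter rather than trying to carve them out.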