Certificate Authority as a Service

CAs as a service are part of GCP's offerings now.

Certificate Authority as a Service, like all GCP networking services, is tied to a VPC within a project (just as a Cloud SQL instance would be).

Hence, being tied to a VPC, this CA service can be protected by VPC Service Controls and a VPC service perimeter.

A VPC Service Perimeter's access can be one of four types:

  1. Perimeter Bridge - Service to Service Perimeter Access
  2. External Ingress Access
  3. Egress to External Targets
  4. Access Levels

Access Levels define a way to protect data per data classification. For example, a HIGH access level can be created and tied to data in a specific storage bucket or compute instance (persistent disk).
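As an added example (not part of the original post, and not Google's reference configuration), the Terraform below wires the four perimeter access types listed above around a project that hosts Certificate Authority Service. The restricted service name privateca.googleapis.com is the real API name; the organization ID, project numbers, the second project used for the bridge, and the 203.0.113.0/24 corporate range are placeholder assumptions, and the access-level name "high" mirrors the HIGH classification mentioned in the text.

```hcl
# Added example: VPC Service Controls around Certificate Authority Service.
# All IDs below are placeholder assumptions, not values from the original post.
variable "org_id"               { default = "123456789012" }   # assumed org
variable "ca_project_number"    { default = "111111111111" }   # assumed project hosting CAS
variable "peer_project_number"  { default = "222222222222" }   # assumed second project for the bridge

resource "google_access_context_manager_access_policy" "org" {
  parent = "organizations/${var.org_id}"
  title  = "org-access-policy"
}

locals {
  policy = "accessPolicies/${google_access_context_manager_access_policy.org.name}"
}

# 4. Access Level: only callers from the assumed corporate range get the HIGH level.
resource "google_access_context_manager_access_level" "high" {
  parent = local.policy
  name   = "${local.policy}/accessLevels/high"
  title  = "high"
  basic {
    conditions {
      ip_subnetworks = ["203.0.113.0/24"]   # constructed sample range (RFC 5737)
    }
  }
}

# Regular perimeter: CAS can only be reached from inside, or via the HIGH level.
resource "google_access_context_manager_service_perimeter" "cas" {
  parent = local.policy
  name   = "${local.policy}/servicePerimeters/cas_perimeter"
  title  = "cas_perimeter"
  status {
    resources           = ["projects/${var.ca_project_number}"]
    restricted_services = ["privateca.googleapis.com"]
    access_levels       = [google_access_context_manager_access_level.high.name]

    # Workloads on VPCs inside the perimeter may call only CAS.
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["privateca.googleapis.com"]
    }

    # 2. External Ingress Access: callers holding the HIGH level may invoke CAS.
    ingress_policies {
      ingress_from {
        identity_type = "ANY_IDENTITY"
        sources {
          access_level = google_access_context_manager_access_level.high.name
        }
      }
      ingress_to {
        resources = ["*"]
        operations {
          service_name = "privateca.googleapis.com"
          method_selectors { method = "*" }
        }
      }
    }

    # 3. Egress to External Targets: CAS calls to the peer project only.
    egress_policies {
      egress_from {
        identity_type = "ANY_IDENTITY"
      }
      egress_to {
        resources = ["projects/${var.peer_project_number}"]
        operations {
          service_name = "privateca.googleapis.com"
          method_selectors { method = "*" }
        }
      }
    }
  }
}

# 1. Perimeter Bridge: service-to-service access between the two projects.
resource "google_access_context_manager_service_perimeter" "bridge" {
  parent         = local.policy
  name           = "${local.policy}/servicePerimeters/cas_bridge"
  title          = "cas_bridge"
  perimeter_type = "PERIMETER_TYPE_BRIDGE"
  status {
    resources = [
      "projects/${var.ca_project_number}",
      "projects/${var.peer_project_number}",
    ]
  }
}
```

Before enforcing, apply the same definition under the perimeter's `spec` block with `use_explicit_dry_run_spec = true` and review the VPC Service Controls audit logs for denied CAS calls; the assumed identities and ranges above would otherwise cut off any issuer or renewal job that was not anticipated.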

Summary

Now that CAs as a service are part of GCP's offerings, one can use regular VPC Service Controls and Perimeters to protect this service.