Cloud Interconnect Setup¶
Dedicated Interconnect provisioning, VLAN attachment configuration, and redundancy setup for the GCP Vertex AI landing zone.
Administrative Access¶
┌─────────────────────────────────────────────────────────────────────────────┐
│ ADMIN ACCESS PATH │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────────────┐ │
│ │ GCP Console & ML Dashboard │ │
│ │ ───────────────────────────────────────────────────────── │ │
│ │ Access: https://console.cloud.google.com │ │
│ │ https://wxcc-ml-dashboard.abhavtech.com │ │
│ │ │ │
│ │ Route: User → SD-WAN Edge → Umbrella SASE → Internet → GCP │ │
│ │ Security: Duo MFA + Azure AD SSO + TLS 1.3 │ │
│ └─────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
GCP Services Architecture¶
Core Services (With Critical Security Enhancements)¶
| Service | Purpose | Security Enhancement |
|---|---|---|
| Contact Center AI (CCAI) Platform | Purpose-built WxCC analytics | ✅ VPC Service Controls perimeter |
| Agent Assist | Real-time agent coaching | ✅ Private Service Connect |
| Dialogflow CX | IVR NLU optimization | ✅ VPC Service Controls |
| Vertex AI Speech-to-Text | Call transcription | ✅ DLP API (PII redaction) |
| Vertex AI NLU | Sentiment analysis | ✅ DLP API (PII redaction) |
| BigQuery (WxCC Dataset) | CDR, metrics storage | ✅ Column-level encryption (CMEK) |
| Cloud Storage (Recordings) | 90-day retention | ✅ Bucket-level encryption (CMEK) |
| Vertex AI Custom Training | Churn/CSAT models | ✅ Model Monitoring enabled |
| Vertex AI Feature Store | Centralized features | ✅ Access controls (IAM) |
| Cloud DLP | PII redaction | ✅ CRITICAL for PCI-DSS |
Critical Security Services (DEEP DIVE)¶
1. VPC Service Controls (Perimeter Security)¶
Purpose: Create security perimeter around WxCC-sensitive GCP resources to prevent data exfiltration.
Architecture:
┌─────────────────────────────────────────────────────────────────────────────┐
│ VPC SERVICE CONTROLS PERIMETER │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ TRUSTED ZONE (Inside Perimeter) │ │
│ │ ───────────────────────────────────────────────────────────── │ │
│ │ │ │
│ │ ┌──────────────────┐ ┌──────────────────┐ ┌───────────────┐│ │
│ │ │ Vertex AI │ │ BigQuery │ │ Cloud Storage ││ │
│ │ │ (Speech, NLU, │ │ (wxcc_analytics) │ │ (recordings) ││ │
│ │ │ Training) │ │ │ │ ││ │
│ │ └──────────────────┘ └──────────────────┘ └───────────────┘│ │
│ │ │ │
│ │ INGRESS POLICY: │ │
│ │ ✅ Allow from: WxCC Cloud IPs (52.x.x.x/16) │ │
│ │ ✅ Allow from: Abhavtech Admin IPs (10.252.0.0/16 via NAT) │ │
│ │ ❌ Block: All other public internet sources │ │
│ │ │ │
│ │ EGRESS POLICY: │ │
│ │ ✅ Allow to: WxCC Webhook API (webhook.wxcc-us1.cisco.com) │ │
│ │ ✅ Allow to: Splunk On-Prem (10.252.100.50 via Cloud VPN) │ │
│ │ ❌ Block: All other destinations (prevents data exfiltration) │ │
│ │ │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ ❌ BLOCKED SCENARIOS: │
│ ───────────────────────────────────────────────────────────────── │
│ • Compromised VM tries to copy recordings to attacker's S3 bucket → BLOCKED│
│ • Malicious script tries to exfiltrate BigQuery data to pastebin → BLOCKED│
│ • Admin accidentally misconfigures public bucket → BLOCKED by policy │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Configuration (Terraform):
# VPC Service Controls Perimeter
resource "google_access_context_manager_service_perimeter" "wxcc_perimeter" {
parent = "accessPolicies/${var.access_policy_id}"
name = "accessPolicies/${var.access_policy_id}/servicePerimeters/wxcc_data"
title = "WxCC Sensitive Data Perimeter"
status {
restricted_services = [
"bigquery.googleapis.com",
"storage.googleapis.com",
"aiplatform.googleapis.com",
"speech.googleapis.com",
"language.googleapis.com"
]
resources = [
"projects/123456789" # abhavtech-wxcc-prod project
]
## INGRESS: Who can access resources inside perimeter
ingress_policies {
ingress_from {
sources {
access_level = google_access_context_manager_access_level.wxcc_source.id
}
identity_type = "ANY_IDENTITY"
}
ingress_to {
resources = ["*"]
operations {
service_name = "bigquery.googleapis.com"
method_selectors {
method = "*"
}
}
}
}
## EGRESS: Where can data go from inside perimeter
egress_policies {
egress_from {
identity_type = "ANY_IDENTITY"
}
egress_to {
resources = ["projects/987654321"] # Allow to Splunk integration project only
operations {
service_name = "storage.googleapis.com"
method_selectors {
method = "google.storage.objects.get"
}
}
}
}
}
}
## Access Level (Who can access)
resource "google_access_context_manager_access_level" "wxcc_source" {
parent = "accessPolicies/${var.access_policy_id}"
name = "accessPolicies/${var.access_policy_id}/accessLevels/wxcc_sources"
title = "WxCC Trusted Sources"
basic {
conditions {
ip_subnetworks = [
"52.0.0.0/8", # WxCC Cloud IP ranges
"203.0.113.0/24" # Abhavtech Cloud NAT (for admin access)
]
}
}
}