Skip to content

Cloud Interconnect Setup

Dedicated Interconnect provisioning, VLAN attachment configuration, and redundancy setup for the GCP Vertex AI landing zone.

Administrative Access

┌─────────────────────────────────────────────────────────────────────────────┐
│                         ADMIN ACCESS PATH                                    │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│  ┌─────────────────────────────────────────────────────────────┐           │
│  │ GCP Console & ML Dashboard                                  │           │
│  │ ─────────────────────────────────────────────────────────   │           │
│  │ Access: https://console.cloud.google.com                    │           │
│  │         https://wxcc-ml-dashboard.abhavtech.com             │           │
│  │                                                              │           │
│  │ Route: User → SD-WAN Edge → Umbrella SASE → Internet → GCP │           │
│  │ Security: Duo MFA + Azure AD SSO + TLS 1.3                  │           │
│  └─────────────────────────────────────────────────────────────┘           │
│                                                                              │
└─────────────────────────────────────────────────────────────────────────────┘

GCP Services Architecture

Core Services (With Critical Security Enhancements)

Service Purpose Security Enhancement
Contact Center AI (CCAI) Platform Purpose-built WxCC analytics ✅ VPC Service Controls perimeter
Agent Assist Real-time agent coaching ✅ Private Service Connect
Dialogflow CX IVR NLU optimization ✅ VPC Service Controls
Vertex AI Speech-to-Text Call transcription ✅ DLP API (PII redaction)
Vertex AI NLU Sentiment analysis ✅ DLP API (PII redaction)
BigQuery (WxCC Dataset) CDR, metrics storage ✅ Column-level encryption (CMEK)
Cloud Storage (Recordings) 90-day retention ✅ Bucket-level encryption (CMEK)
Vertex AI Custom Training Churn/CSAT models ✅ Model Monitoring enabled
Vertex AI Feature Store Centralized features ✅ Access controls (IAM)
Cloud DLP PII redaction ✅ CRITICAL for PCI-DSS

Critical Security Services (DEEP DIVE)

1. VPC Service Controls (Perimeter Security)

Purpose: Create security perimeter around WxCC-sensitive GCP resources to prevent data exfiltration.

Architecture:

┌─────────────────────────────────────────────────────────────────────────────┐
│                    VPC SERVICE CONTROLS PERIMETER                            │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│  ┌─────────────────────────────────────────────────────────────────┐       │
│  │ TRUSTED ZONE (Inside Perimeter)                                 │       │
│  │ ─────────────────────────────────────────────────────────────   │       │
│  │                                                                  │       │
│  │  ┌──────────────────┐  ┌──────────────────┐  ┌───────────────┐│       │
│  │  │ Vertex AI        │  │ BigQuery         │  │ Cloud Storage ││       │
│  │  │ (Speech, NLU,    │  │ (wxcc_analytics) │  │ (recordings)  ││       │
│  │  │  Training)       │  │                  │  │               ││       │
│  │  └──────────────────┘  └──────────────────┘  └───────────────┘│       │
│  │                                                                  │       │
│  │  INGRESS POLICY:                                                │       │
│  │  ✅ Allow from: WxCC Cloud IPs (52.x.x.x/16)                   │       │
│  │  ✅ Allow from: Abhavtech Admin IPs (10.252.0.0/16 via NAT)    │       │
│  │  ❌ Block: All other public internet sources                   │       │
│  │                                                                  │       │
│  │  EGRESS POLICY:                                                 │       │
│  │  ✅ Allow to: WxCC Webhook API (webhook.wxcc-us1.cisco.com)    │       │
│  │  ✅ Allow to: Splunk On-Prem (10.252.100.50 via Cloud VPN)     │       │
│  │  ❌ Block: All other destinations (prevents data exfiltration) │       │
│  │                                                                  │       │
│  └─────────────────────────────────────────────────────────────────┘       │
│                                                                              │
│  ❌ BLOCKED SCENARIOS:                                                      │
│  ─────────────────────────────────────────────────────────────────          │
│  • Compromised VM tries to copy recordings to attacker's S3 bucket → BLOCKED│
│  • Malicious script tries to exfiltrate BigQuery data to pastebin → BLOCKED│
│  • Admin accidentally misconfigures public bucket → BLOCKED by policy       │
│                                                                              │
└─────────────────────────────────────────────────────────────────────────────┘

Configuration (Terraform):

# VPC Service Controls Perimeter

resource "google_access_context_manager_service_perimeter" "wxcc_perimeter" {
  parent = "accessPolicies/${var.access_policy_id}"
  name   = "accessPolicies/${var.access_policy_id}/servicePerimeters/wxcc_data"
  title  = "WxCC Sensitive Data Perimeter"

  status {
    restricted_services = [
      "bigquery.googleapis.com",
      "storage.googleapis.com",
      "aiplatform.googleapis.com",
      "speech.googleapis.com",
      "language.googleapis.com"
    ]

    resources = [
      "projects/123456789"  # abhavtech-wxcc-prod project
    ]

## INGRESS: Who can access resources inside perimeter

    ingress_policies {
      ingress_from {
        sources {
          access_level = google_access_context_manager_access_level.wxcc_source.id
        }
        identity_type = "ANY_IDENTITY"
      }
      ingress_to {
        resources = ["*"]
        operations {
          service_name = "bigquery.googleapis.com"
          method_selectors {
            method = "*"
          }
        }
      }
    }

## EGRESS: Where can data go from inside perimeter

    egress_policies {
      egress_from {
        identity_type = "ANY_IDENTITY"
      }
      egress_to {
        resources = ["projects/987654321"]  # Allow to Splunk integration project only
        operations {
          service_name = "storage.googleapis.com"
          method_selectors {
            method = "google.storage.objects.get"
          }
        }
      }
    }
  }
}

## Access Level (Who can access)

resource "google_access_context_manager_access_level" "wxcc_source" {
  parent = "accessPolicies/${var.access_policy_id}"
  name   = "accessPolicies/${var.access_policy_id}/accessLevels/wxcc_sources"
  title  = "WxCC Trusted Sources"

  basic {
    conditions {
      ip_subnetworks = [
        "52.0.0.0/8",        # WxCC Cloud IP ranges
        "203.0.113.0/24"    # Abhavtech Cloud NAT (for admin access)
      ]
    }
  }
}