Google Cloud Access Context Manager Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security

by

Category

Security

1. Introduction

Access Context Manager is a Google Cloud Security service for defining context-based access policies for your organization. It lets you control where requests come from and under what conditions users and services can access Google Cloud resources—beyond what Identity and Access Management (IAM) can express on its own.

In simple terms: IAM answers “who can do what.” Access Context Manager adds “from where, and under what conditions.” You define conditions such as source IP ranges, device posture signals (when available), user identity attributes, and then apply those conditions to protect sensitive Google Cloud services.

Technically, Access Context Manager is the policy engine used to create: – Access levels (for context-aware access decisions) – Service perimeters and related rules (used by VPC Service Controls) to reduce data exfiltration risk from Google Cloud managed services (like Cloud Storage and BigQuery) and to enforce stronger security boundaries around projects.

It solves a common problem in cloud security: perimeter-based controls don’t map cleanly to identity-first cloud access. Access Context Manager helps you implement a modern, conditional, centrally governed access model across your Google Cloud organization—especially for high-value data services.

Service status note: Access Context Manager is an active, current Google Cloud service name and is the official place to configure access levels and VPC Service Controls perimeters. Some capabilities around device signals may depend on your identity/device management setup; verify exact prerequisites in official docs if you plan to use device-based conditions.

2. What is Access Context Manager?

Official purpose

Access Context Manager provides an organization-level policy framework to define and enforce context-aware access across Google Cloud. It is commonly used in two major areas: 1. Context-aware access (via Access levels) 2. VPC Service Controls (via Service perimeters, ingress/egress rules, and dry-run modes)

Official docs: https://cloud.google.com/access-context-manager/docs/overview

Core capabilities

  • Define Access Policies at the organization level (the container for context policies)
  • Create Access Levels that describe conditions a request must satisfy (for example, IP ranges, identity attributes, and other supported signals)
  • Create Service Perimeters (and bridges) to protect Google Cloud services and reduce data exfiltration risk (VPC Service Controls)
  • Define Ingress/Egress rules to carefully allow required access paths while blocking everything else by default
  • Run dry-run (test) mode to observe enforcement impact before turning it on
  • Manage policies through Cloud Console, API, CLI, and Infrastructure as Code tooling (for example, Terraform)

Major components

Component What it is Why it matters
Access Policy Top-level container in Access Context Manager Centralizes rules at the org level; required for access levels/perimeters
Access Level A set of conditions describing “trusted access” Reusable building blocks for context-aware access and VPC SC
Service Perimeter A boundary around one or more projects and services Core of VPC Service Controls; reduces data exfiltration
Perimeter Bridge A special perimeter to connect multiple perimeters Enables controlled communication between protected environments
Ingress/Egress Rules Fine-grained allow rules for traffic crossing a perimeter boundary Avoids overly broad exceptions
Dry-run Non-enforcing mode that logs what would be blocked Safer rollout and change management

Service type

  • Policy/configuration service used by enforcement points in Google Cloud (for example, VPC Service Controls and context-aware access integrations).
  • It is not a data plane service that processes your application traffic like a proxy.

Scope (org/global vs project)

Access Context Manager is primarily organization-scoped: – Policies, access levels, and service perimeters are typically defined at the Organization level and can include multiple projects. – You generally need a Google Cloud Organization (often backed by Cloud Identity or Google Workspace) to use it effectively.

How it fits into the Google Cloud ecosystem

Access Context Manager works alongside: – IAM: identity and permissions (“who can do what”) – VPC Service Controls: service perimeter enforcement to protect Google-managed services – Cloud Identity / Google Workspace: user and device management signals (when applicable) – Cloud Logging / Cloud Audit Logs: observability, troubleshooting, evidence for compliance – Security Command Center: security posture visibility and findings (integration depends on your setup)

3. Why use Access Context Manager?

Business reasons

  • Reduce the likelihood and blast radius of data exfiltration
  • Enforce consistent access policy across business units using central governance
  • Support compliance goals by limiting access to sensitive systems to approved contexts (IP ranges, trusted networks, managed devices—depending on what you implement)

Technical reasons

  • Add conditional access controls that complement IAM
  • Define service perimeters around projects that host sensitive data (for example, analytics data in BigQuery or regulated objects in Cloud Storage)
  • Create reusable access levels and apply them consistently to multiple protected environments

Operational reasons

  • Central place to manage context-based access boundaries
  • Dry-run mode supports safer rollouts and reduces outage risk during enforcement
  • Auditability through logged violations and access decisions

Security/compliance reasons

  • Helps implement BeyondCorp-style access patterns (trust based on context rather than network location alone)
  • Adds layered defense: IAM + context + perimeter controls
  • Supports separation of environments (prod vs non-prod) with stronger control planes

Scalability/performance reasons

  • Policy-driven enforcement scales across many projects without requiring custom proxies for every workload
  • Reduces complexity compared to per-application conditional checks

When teams should choose it

  • You have an Organization and need organization-wide guardrails
  • You handle sensitive data in Google-managed services (Cloud Storage, BigQuery, Pub/Sub, etc.)
  • You want to reduce risk from stolen credentials or overly broad API access by adding context constraints
  • You need controlled collaboration between teams/projects without opening everything to the internet

When teams should not choose it

  • You only have a single project with no Organization (Access Context Manager is generally org-centric)
  • Your workload doesn’t use Google-managed APIs where VPC Service Controls applies, and you only need IAM
  • You’re looking for a network firewall for VM-to-VM traffic (use VPC firewall rules, Cloud Firewall policies, or third-party firewalls instead)
  • You cannot invest in design/testing; a poorly planned perimeter can block legitimate workflows

4. Where is Access Context Manager used?

Industries

  • Financial services (PCI, fraud analytics, sensitive customer data)
  • Healthcare and life sciences (regulated data, HIPAA-aligned controls)
  • Public sector (data sovereignty and strict access constraints)
  • Retail/e-commerce (customer PII, payment workflows)
  • SaaS companies (multi-environment hardening and internal access rules)
  • Education (research data governance)

Team types

  • Security engineering and cloud security teams
  • Platform engineering teams operating shared cloud foundations
  • SRE/DevOps teams managing production environments
  • Compliance and governance teams defining policy baselines
  • Data engineering teams protecting analytics platforms

Workloads and architectures

  • Data lakes and analytics stacks (Cloud Storage + BigQuery)
  • Event-driven architectures (Pub/Sub, Dataflow) where data boundaries matter
  • Shared services platforms hosting internal APIs
  • Multi-project landing zones with centralized governance
  • Hybrid access models (corporate network + remote workforce)

Real-world deployment contexts

  • Protecting a regulated “data project” from accidental exposure
  • Segmentation between dev/test/prod using separate perimeters
  • Controlled partner or vendor access with context rules and explicit exceptions

Production vs dev/test usage

  • Dev/test: Use dry-run mode and narrow perimeters to learn access patterns.
  • Production: Use layered controls, explicit ingress/egress policies, and change management with logging-based validation.

5. Top Use Cases and Scenarios

Below are realistic scenarios where Access Context Manager is a good fit.

1) Restrict Cloud Storage access to trusted contexts

  • Problem: Buckets with sensitive data are accessible from anywhere if credentials leak.
  • Why it fits: Access levels + VPC Service Controls can enforce additional conditions beyond IAM.
  • Example: Allow access to gs://regulated-data only from corporate IP ranges and approved workflows.

2) Reduce BigQuery data exfiltration risk

  • Problem: Analysts can export/query data from untrusted environments.
  • Why it fits: A service perimeter can restrict BigQuery API calls and control export paths.
  • Example: Keep regulated datasets inside a perimeter; allow only specific egress to approved destinations.

3) Protect managed services in a “secure analytics project”

  • Problem: Central analytics project becomes a high-value target.
  • Why it fits: Put the entire project into a service perimeter and restrict services like Storage/BigQuery/Pub/Sub.
  • Example: A “PII Analytics” project is placed in a perimeter; only a few ingress paths are allowed.

4) Implement a prod perimeter separate from non-prod

  • Problem: Dev tooling and experiments increase risk in non-prod; prod needs stricter boundaries.
  • Why it fits: Separate service perimeters for prod and nonprod, plus bridges if required.
  • Example: CI pipelines can deploy into prod through a controlled egress rule.

5) Allow a partner to access only a specific API from specific networks

  • Problem: Partner integration needs narrow access without broad exposure.
  • Why it fits: Ingress rules and access levels can allow limited entry to selected services/projects.
  • Example: Vendor can upload files to a single bucket only from a fixed IP range.

6) Control SaaS admin access with context-aware rules

  • Problem: Privileged admin access is risky if done from unmanaged endpoints.
  • Why it fits: Context-aware access (via access levels) can be applied to supported entry points.
  • Example: Require admins to come from a managed device and corporate IP (verify device-signal support in your setup).

7) Enforce “no public internet access” for sensitive APIs (logical boundary)

  • Problem: You want to ensure sensitive data APIs aren’t usable from arbitrary locations.
  • Why it fits: Perimeter + access levels can block requests that don’t satisfy required context.
  • Example: Only allow API calls that meet approved context; log and block everything else.

8) Prevent accidental data movement to consumer accounts/projects

  • Problem: Developers copy data to personal projects for debugging.
  • Why it fits: VPC Service Controls can block certain cross-boundary accesses.
  • Example: Block gsutil cp from protected buckets to non-perimeter destinations.

9) Govern access for shared internal tooling (central platform team)

  • Problem: Shared tooling needs access to many projects but must remain controlled.
  • Why it fits: Use perimeters and explicit egress rules for platform services.
  • Example: A central “Build/Deploy” project has egress rules to deploy to production perimeters.

10) Meet compliance requirements for “access from approved locations only”

  • Problem: Compliance mandates restricting access to approved networks.
  • Why it fits: Access levels can incorporate network-based context.
  • Example: Enforce access from office/VPN IP ranges for sensitive services.

11) Safer policy rollouts using dry-run logging

  • Problem: Turning on controls can break pipelines and apps unexpectedly.
  • Why it fits: Dry-run mode provides evidence before enforcement.
  • Example: Run a perimeter in dry-run for two weeks, fix violations, then enforce.

12) Centralize policy across multiple folders/business units

  • Problem: Each team implements its own inconsistent controls.
  • Why it fits: Org-level policies can standardize patterns while still allowing exceptions.
  • Example: A shared “regulated-data” baseline perimeter pattern is applied across business units.

6. Core Features

6.1 Access Policies (org-level container)

  • What it does: Provides the top-level container for access levels and service perimeters.
  • Why it matters: Establishes centralized governance across many projects.
  • Practical benefit: One place to manage security boundaries for the organization.
  • Limitations/caveats: Generally requires an Organization; project-only usage is limited.

6.2 Access Levels (basic and custom)

  • What it does: Defines conditions that a request must meet to be considered “trusted.”
  • Why it matters: Enables context-aware decisions beyond IAM.
  • Practical benefit: Reuse the same access level across multiple perimeters and integrations.
  • Limitations/caveats: The available signals depend on what Google Cloud supports and what your identity/device setup provides. Verify supported conditions in official docs.

Docs: https://cloud.google.com/access-context-manager/docs/create-access-level

6.3 Custom access levels using CEL (Common Expression Language)

  • What it does: Lets you define more flexible logic than basic lists using CEL.
  • Why it matters: Real-world conditions often require boolean logic (AND/OR/NOT).
  • Practical benefit: Fine-grained policies like “(corp IP OR managed device) AND user in group.”
  • Limitations/caveats: CEL expressions must be tested carefully; mistakes can block access.

6.4 Service Perimeters (VPC Service Controls)

  • What it does: Defines a security boundary around Google Cloud projects and supported services to reduce data exfiltration.
  • Why it matters: Limits risk even if credentials are compromised, by enforcing boundary rules at Google-managed service front-ends.
  • Practical benefit: Strong protection for data services without building custom proxies.
  • Limitations/caveats: Only supported services can be restricted; some workflows require explicit ingress/egress exceptions.

Docs: https://cloud.google.com/vpc-service-controls/docs/overview

6.5 Perimeter Bridges

  • What it does: Connects multiple service perimeters so they can communicate in a controlled way.
  • Why it matters: Enterprises often segment environments but still need specific cross-perimeter flows.
  • Practical benefit: Enables shared services patterns without collapsing segmentation.
  • Limitations/caveats: Bridges must be designed carefully to avoid creating overly permissive paths.

6.6 Ingress and Egress rules (fine-grained exceptions)

  • What it does: Allows explicit access into protected projects (ingress) and out of them (egress) under defined constraints.
  • Why it matters: Real environments need exceptions for CI/CD, monitoring, shared services, and partner integrations.
  • Practical benefit: Replace broad “allow everything” exceptions with least-privilege rules.
  • Limitations/caveats: Incorrect rules can either break workloads or weaken security. Test with dry-run.

6.7 Dry-run mode (safe testing)

  • What it does: Logs violations that would occur under enforcement, without blocking (depending on how you configure it).
  • Why it matters: Prevents outages during rollout.
  • Practical benefit: You can inventory required exceptions before turning on enforcement.
  • Limitations/caveats: Dry-run results must be analyzed; “no violations” doesn’t automatically mean “safe,” because not all workflows may have been exercised.

6.8 Central management via Console, API, and automation tooling

  • What it does: Manage policies through UI and programmatic interfaces.
  • Why it matters: Enterprise environments require versioning, review, and repeatability.
  • Practical benefit: Integrate with change management, CI/CD, and Terraform workflows.
  • Limitations/caveats: API/CLI syntax evolves; always validate against current official docs.

Docs: https://cloud.google.com/access-context-manager/docs/reference/rest

6.9 Logging and auditing of policy enforcement

  • What it does: Violations and enforcement outcomes appear in Cloud Logging (Audit Logs metadata for VPC Service Controls).
  • Why it matters: Security controls must be observable and auditable.
  • Practical benefit: Faster troubleshooting and compliance evidence.
  • Limitations/caveats: Logging volume can increase; plan retention and cost.

7. Architecture and How It Works

High-level architecture

Access Context Manager stores policy definitions. Enforcement happens in: – Google-managed service front-ends (for VPC Service Controls restricted services) – Integrated access points for context-aware access (depending on the product integration)

A typical protected request flow: 1. A user/service authenticates (IAM identity). 2. The request reaches a Google Cloud API (for example, Storage API). 3. The enforcement layer evaluates: – IAM permissions – Service perimeter boundary rules (if the target project/service is in a perimeter) – Access levels and ingress/egress policies (if configured) 4. The request is allowed or denied, and relevant audit metadata is logged.

Integrations with related services

  • VPC Service Controls: primary consumer of service perimeters.
  • Cloud Logging / Cloud Audit Logs: captures violations and relevant metadata.
  • IAM: still required—Access Context Manager doesn’t replace IAM.
  • Organization / Folders / Projects: perimeters include project resources; governance is org-level.
  • Cloud Identity / Google Workspace: may provide identity and device posture signals (verify exact requirements).

Dependency services

  • Access Context Manager API (to manage policies)
  • Target restricted services (for example, storage.googleapis.com, bigquery.googleapis.com) if you use perimeters
  • Cloud Logging for analysis and auditing

Security/authentication model

  • Administrators manage Access Context Manager via IAM roles on the Organization/access policy.
  • Users/workloads must still be authorized via IAM to access resources.
  • VPC Service Controls adds an additional gate based on perimeter and policy conditions.

Networking model (important nuance)

VPC Service Controls is not a traditional network firewall. It works at the Google API/service front-end layer: – It helps prevent data access/exfiltration through Google Cloud APIs even if access is attempted from outside a trusted boundary. – It does not directly control VM-to-VM traffic in your VPC (use VPC firewall rules for that).

Monitoring/logging/governance considerations

  • Monitor Cloud Logging for VPC Service Controls violations.
  • Use dry-run mode to baseline legitimate access patterns.
  • Apply org policy and tagging/labeling practices so teams know which projects are “inside perimeters.”

Simple architecture diagram (Mermaid)

flowchart LR
  U[User / Workload Identity] -->|Auth (IAM)| API[Google Cloud API<br/>(e.g., Cloud Storage)]
  API -->|Context + Perimeter check| ACM[Access Context Manager<br/>Access Levels + Perimeters]
  ACM -->|Allow / Deny decision| API
  API -->|Audit metadata| LOG[Cloud Logging]
  API --> R[Protected Resource<br/>(Project in Service Perimeter)]

Production-style architecture diagram (Mermaid)

flowchart TB
  subgraph Org[Google Cloud Organization]
    ACM[Access Context Manager<br/>Access Policy]
    AL[Access Levels<br/>(IP / identity / custom CEL)]
    SP1[Service Perimeter: prod-data]
    SP2[Service Perimeter: nonprod]
    BR[Perimeter Bridge (optional)]
    ACM --> AL
    ACM --> SP1
    ACM --> SP2
    SP1 --- BR
    SP2 --- BR
  end

  subgraph Prod[Prod Folder / Projects]
    P1[Project: prod-analytics<br/>BigQuery + Cloud Storage]
    P2[Project: prod-app<br/>Pub/Sub + Storage]
  end

  subgraph NonProd[Non-Prod Folder / Projects]
    D1[Project: dev<br/>Test datasets]
  end

  subgraph Shared[Shared Services]
    CI[CI/CD Project]
    MON[Monitoring/Logging Project]
  end

  EXT[External users / internet] -->|API request| GAPI[Google APIs Front Ends]
  CI -->|deploy/read artifacts| GAPI
  MON -->|read logs/metrics| GAPI

  GAPI -->|Enforcement via VPC Service Controls| SP1
  SP1 --> P1
  SP1 --> P2
  SP2 --> D1

  GAPI --> LOGS[Cloud Logging<br/>Audit Logs + VPC SC metadata]

8. Prerequisites

Account/organization requirements

  • A Google Cloud Organization is strongly recommended and commonly required for real Access Context Manager usage.
  • Ability to manage organization-level policies (often requires Cloud Identity / Google Workspace-backed org).

Permissions / IAM roles

You need permissions to: – View and manage Access Context Manager policies and access levels – Create and manage VPC Service Controls service perimeters – Manage IAM on the test project (to grant yourself access to a bucket, for example)

Official IAM roles doc (verify exact role IDs and least-privilege mapping):
https://cloud.google.com/access-context-manager/docs/iam

Billing requirements

  • Access Context Manager policy configuration is typically not billed as a standalone meter, but the lab uses other services (Cloud Storage, Logging).
  • Ensure billing is enabled on your test project.

CLI/SDK/tools

  • Google Cloud Console access
  • Optional: gcloud CLI for inspection and validation
  • Optional: gsutil (usually installed with the Google Cloud SDK)

Install/verify gcloud: https://cloud.google.com/sdk/docs/install

Region availability

  • Access Context Manager is an organization-level control plane service (not region-specific in the way compute resources are).
  • Your protected resources (buckets, datasets, etc.) are regional/multi-regional based on their own configuration.

Quotas/limits

  • There are limits on numbers of access levels, perimeters, and complexity. Verify current limits in official docs because they can change:
  • https://cloud.google.com/access-context-manager/quotas (verify URL in official docs if it differs)

Prerequisite services

For the hands-on tutorial: – Cloud Storage API enabled on a test project – Access Context Manager API enabled (to manage policies programmatically; Console may still work without explicit enablement depending on your org setup, but enabling is a good practice)

9. Pricing / Cost

Current pricing model (accurate framing)

Access Context Manager is primarily a policy definition service. Google Cloud generally does not position it like a standalone consumption-billed product (for example, “$X per rule evaluated”). Instead:

  • Direct charges: Often no separate line-item usage charge for Access Context Manager configuration itself.
    Verify in official docs/pricing, because licensing and integrations can evolve.

  • Related/indirect costs come from:

  • Protected services you use (Cloud Storage, BigQuery, Pub/Sub, etc.)
  • Cloud Logging (log ingestion/retention/queries can incur cost depending on your tier and usage)
  • Network egress and inter-region transfer (depending on your workload design)
  • Identity/device management licensing if you use advanced context signals (this may involve Cloud Identity / BeyondCorp / Workspace licensing; verify based on your environment)

Official sources to check

  • Access Context Manager documentation hub (pricing notes may appear in related sections):
    https://cloud.google.com/access-context-manager/docs/overview
  • VPC Service Controls overview and docs:
    https://cloud.google.com/vpc-service-controls/docs/overview
  • Google Cloud Pricing Calculator (estimate the services you’re protecting/using):
    https://cloud.google.com/products/calculator
  • BeyondCorp Enterprise pricing (if you use BeyondCorp enterprise features around context-aware access/device signals):
    https://cloud.google.com/beyondcorp-enterprise/pricing

Pricing dimensions to consider

Even if Access Context Manager itself is not directly billed, your design affects costs through: – Log volume: more violations and audit metadata → higher logging ingestion and storage – Project segmentation: more projects can mean more operational overhead and possibly more logs – Data access patterns: restrictions can cause retries/failures that increase API calls and logs – Network design: if you redesign data flows to stay within boundaries, you might reduce egress costs

Free tier

  • Any “free tier” concept usually applies to underlying services (Cloud Storage free usage tiers in limited cases, logging allowances, etc.), not Access Context Manager itself.
  • Always validate free tier details for each dependent service in official pricing.

Cost drivers (practical)

  • Cloud Logging retention and exports (especially if exporting to BigQuery)
  • Increased troubleshooting time during rollout (engineering time is a real cost)
  • Potential need for separate projects/environments for proper segmentation

Hidden or indirect costs

  • Operational overhead: policy design, change reviews, exception management
  • Break-glass testing and incident response exercises
  • CI/CD adjustments: pipelines may need updates to run within allowed contexts
  • Partner integrations: may require managed egress solutions or re-architecture

How to optimize cost

  • Use dry-run first to avoid outages and reduce repeated trial-and-error
  • Keep perimeters as small as practical (start with the most sensitive project)
  • Reduce noisy logs by fixing systemic violations rather than accepting broad exceptions
  • Set appropriate log retention and consider log sinks strategically

Example low-cost starter estimate (conceptual)

A starter lab typically includes: – 1 test project – 1 Cloud Storage bucket with a few objects – Audit logs and VPC SC metadata logs for a limited time

Costs are dominated by: – Cloud Storage (minimal) – Cloud Logging (depends on ingestion and retention)

No exact number is provided here because logging and storage pricing can vary by region and usage. Use the calculator and check your current logging allocation.

Example production cost considerations (conceptual)

In production, plan for: – Multiple protected services (Storage, BigQuery, Pub/Sub) – Increased log volume (violations, audits, investigations) – Potential BigQuery costs if exporting logs to BigQuery – Engineering time for ongoing exceptions and policy evolution

10. Step-by-Step Hands-On Tutorial

Objective

Create a VPC Service Controls service perimeter using Access Context Manager to protect a project containing a Cloud Storage bucket, validate behavior in dry-run, then enforce the perimeter and observe access being blocked when requests do not meet the policy—followed by safe cleanup.

This lab is intentionally designed to be: – Beginner-friendly (uses Cloud Console for policy creation) – Low-cost (small Cloud Storage usage) – Safe (starts with dry-run and includes cleanup)

Lab Overview

You will: 1. Prepare a test project and bucket 2. Identify (or create) an Access Context Manager access policy 3. Create a service perimeter around the test project 4. Start in dry-run and generate a “would be denied” event 5. Enforce the perimeter and observe a real deny 6. Use Cloud Logging to verify violations 7. Clean up by removing the project from the perimeter or deleting the perimeter

Important: VPC Service Controls can block legitimate access. Do this only in a non-production project.

Step 1: Prepare your test project and Cloud Storage bucket

1.1 Select or create a project

  • In Cloud Console, select an existing test project, or create a new project such as acm-vpcsc-lab.

Expected outcome: – You have a project you can safely lock down temporarily.

1.2 Enable required APIs

In Cloud Console: – Go to APIs & Services → Enabled APIs & services – Enable: – Cloud Storage APIAccess Context Manager API (recommended)

Optional CLI:

gcloud services enable storage.googleapis.com accesscontextmanager.googleapis.com

Expected outcome: – APIs are enabled without errors.

1.3 Create a test bucket

In Cloud Console: – Go to Cloud Storage → Buckets → Create – Name it globally unique, for example: acm-vpcsc-lab-<unique-suffix> – Choose a location (any is fine for the lab) – Keep defaults unless your org policies require something else

Expected outcome: – Bucket exists.

1.4 Upload a test object

Upload a small text file.

Expected outcome: – You can see an object in the bucket.

1.5 Confirm you currently have access

From Cloud Shell (or your workstation), try listing the bucket:

gsutil ls gs://acm-vpcsc-lab-<unique-suffix>

Expected outcome: – Command succeeds and lists objects (or returns empty list if none).

If it fails with IAM permission errors: – Ensure your user has appropriate permissions (for example, Storage Object Viewer on the bucket/project).

Step 2: Identify your Organization and Access Policy

Access Context Manager policies live at the Organization level.

2.1 Find your Organization ID

In Cloud Console: – Go to IAM & Admin → Manage Resources – Note the Organization ID (for example, 123456789012)

Expected outcome: – You know your Organization ID.

2.2 Check for an existing Access Policy

In Cloud Console: – Search for Access Context Manager. – Open it and check if an Access Policy already exists.

If you prefer CLI for listing (optional; requires permissions):

gcloud access-context-manager policies list --organization=ORGANIZATION_ID

Expected outcome: – You see an access policy (many orgs have exactly one).

If you do not have an access policy: – Create one in the Access Context Manager UI (if allowed in your org). – If you can’t create it, you likely need additional organization-level permissions.

Step 3: Create a service perimeter (start with dry-run)

This is where Access Context Manager configures a VPC Service Controls perimeter around your test project.

3.1 Gather the project number

VPC Service Controls typically references projects by project number.

In Cloud Console: – Go to IAM & Admin → Settings (or project dashboard) – Copy the Project number

Optional CLI:

gcloud projects describe YOUR_PROJECT_ID --format="value(projectNumber)"

Expected outcome: – You have the project number.

3.2 Create the perimeter in Access Context Manager

In Cloud Console: 1. Go to Security → Access Context Manager 2. Select your Access Policy 3. Go to Service perimeters 4. Click Create perimeter 5. Name: acm-vpcsc-lab-perimeter 6. Perimeter type: Regular 7. Add Resources: – Add your project using the project number (the UI will guide you) 8. Add Restricted services: – Add Cloud Storage (storage.googleapis.com)

Now choose a safe rollout approach: – Configure Dry-run / Test mode if the UI provides it as a distinct option. – If the UI represents dry-run as a separate spec, enable it accordingly.

Because the exact UI wording can change, use the current official guidance for dry-run configuration: – VPC Service Controls dry-run concepts: https://cloud.google.com/vpc-service-controls/docs/dry-run

Expected outcome: – Perimeter is created successfully and includes your test project and Cloud Storage as a restricted service.

Step 4: Generate and observe dry-run violations

Dry-run is intended to show you what enforcement would block.

4.1 Attempt an access that would be restricted under enforcement

From Cloud Shell (or your workstation), try:

gsutil ls gs://acm-vpcsc-lab-<unique-suffix>

Expected outcome in dry-run: – The command should still succeed (because it’s dry-run), but a violation log entry should be generated indicating the request would be denied under enforcement.

4.2 Find VPC Service Controls violation logs

In Cloud Console: – Go to Logging → Logs Explorer – Select the project that receives relevant logs (often the same project, but audit logs can be centralized—use your org’s logging setup)

Use a query pattern for VPC SC audit metadata. One common approach is to search for the VPC Service Controls audit metadata type:

protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"

You can also narrow by service:

protoPayload.serviceName="storage.googleapis.com"
protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"

Expected outcome: – You find log entries that indicate a VPC Service Controls check and the dry-run outcome.

If you cannot find logs: – Confirm Audit Logs are enabled/retained for the project. – Confirm you’re looking in the correct logging scope (project vs aggregated sink). – Wait a few minutes; logs can be delayed slightly.

Step 5: Enforce the perimeter and confirm access is blocked

5.1 Switch from dry-run to enforced mode

In Access Context Manager: – Edit the perimeter and enable enforcement (turn on the enforced status).

Follow official guidance for enabling enforcement: – https://cloud.google.com/vpc-service-controls/docs/enable-service-perimeters

Expected outcome: – Perimeter is enforced.

5.2 Attempt bucket access again

Run:

gsutil ls gs://acm-vpcsc-lab-<unique-suffix>

Expected outcome: – The request is denied with an error indicating a VPC Service Controls violation (commonly a 403 with a message referencing VPC Service Controls).

The exact error text can vary, but you should see: – Permission denied / request prohibited by organization policy / VPC Service Controls

5.3 Confirm enforced violations in Cloud Logging

Return to Logs Explorer and re-run the query:

protoPayload.metadata.@type="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"

Expected outcome: – New entries show enforced denials (not just dry-run).

Step 6: (Optional) Add an access level exception path (advanced concept)

In real deployments, you usually add Access Levels and/or Ingress rules so legitimate users and automation can access protected services.

Rather than providing a brittle one-size-fits-all exception here, use these official guides to design a proper exception: – Access levels: https://cloud.google.com/access-context-manager/docs/create-access-level – Ingress/egress rules: https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules

Expected outcome: – You understand that perimeters are not “set and forget”; you must explicitly allow legitimate entry/exit paths.

Validation

You have successfully completed the lab if: 1. The project is included in a service perimeter. 2. Cloud Storage is listed as a restricted service. 3. In dry-run, access attempts produce violation metadata logs. 4. In enforced mode, gsutil ls (or similar Cloud Storage API calls) are blocked and produce enforced violation logs.

Troubleshooting

Issue: “I don’t see Access Context Manager in the console” / can’t create policies

  • You may not have an Organization, or you lack organization-level permissions.
  • Confirm your org exists under IAM & Admin → Manage Resources.
  • Verify roles in: https://cloud.google.com/access-context-manager/docs/iam

Issue: “Perimeter blocks everything, including my admin access”

  • That’s expected if you didn’t create ingress rules or access levels for your admin workflows.
  • Use break-glass procedures approved by your organization.
  • For the lab: proceed to cleanup by removing the project from the perimeter (see Cleanup).

Issue: No logs appear

  • Check you are using the correct Logs Explorer scope.
  • Confirm audit logs are enabled and not excluded by sinks/exclusions.
  • Wait several minutes and retry the operation to generate new events.

Issue: Errors differ from expected examples

  • Error text varies between clients and APIs.
  • Focus on the presence of VPC Service Controls metadata in Cloud Logging and consistent 403/denied behavior under enforcement.

Cleanup

To avoid leaving your test project inaccessible:

  1. In Access Context Manager → Service perimeters, edit acm-vpcsc-lab-perimeter.
  2. Either: – Remove the test project from the perimeter resources, or – Delete the perimeter entirely (best for a lab)

Then validate:

gsutil ls gs://acm-vpcsc-lab-<unique-suffix>

Expected outcome: – Access works again (subject to IAM).

Finally: – Optionally delete the test bucket and objects to avoid ongoing storage cost. – Optionally delete the test project if it was created solely for this lab.

11. Best Practices

Architecture best practices

  • Start with a small, high-value target project (for example, a data project) before scaling to many projects.
  • Design perimeters around data domains (PII, PCI, clinical) rather than around org charts.
  • Use separate perimeters for prod vs non-prod; bridge only what you must.
  • Prefer explicit ingress/egress rules over broad exceptions.

IAM/security best practices

  • Treat Access Context Manager as a second layer—not a replacement for IAM.
  • Use least privilege for policy admins; restrict who can modify perimeters.
  • Separate duties:
  • Platform/security team manages perimeters and baseline policies
  • Application teams manage IAM within allowed boundaries (as appropriate)

Cost best practices

  • Control log volume:
  • Use dry-run for testing, but don’t leave noisy dry-run configurations indefinitely.
  • Set appropriate retention and consider log sinks carefully.
  • Avoid re-architectures that increase network egress unless required; use the pricing calculator to model tradeoffs.

Performance best practices

  • Expect some overhead in troubleshooting and rollout, not runtime latency “performance.”
  • Keep policies understandable; reduce unnecessary complexity that slows incident response.

Reliability best practices

  • Use dry-run and phased rollouts to prevent production outages.
  • Keep a documented break-glass procedure for perimeter misconfiguration.
  • Maintain tested “known-good” policy definitions in version control (IaC) where possible.

Operations best practices

  • Monitor for violations and trends:
  • sudden spikes may indicate misconfiguration or malicious attempts
  • Keep an inventory:
  • which projects are inside which perimeter
  • which services are restricted
  • which exceptions exist and why
  • Establish change management:
  • peer review for perimeter changes
  • maintenance windows for enforcement flips

Governance/tagging/naming best practices

  • Name perimeters consistently (examples: sp-prod-pii, sp-nonprod, sp-shared-services)
  • Use labels/tags at the project level to identify regulated environments
  • Document exception rationale (ticket IDs, risk acceptance)

12. Security Considerations

Identity and access model

  • IAM decides whether an identity can call an API.
  • Access Context Manager (via VPC Service Controls and access levels) decides whether the request context is acceptable.

Key point: You need both. – If IAM is too broad, Access Context Manager can reduce risk by restricting context. – If IAM is too tight, Access Context Manager won’t grant access by itself.

Encryption

  • Access Context Manager doesn’t encrypt data; underlying services handle encryption at rest and in transit.
  • Ensure you configure encryption and key management in the services you protect (for example, CMEK with Cloud KMS where required).

Network exposure

  • VPC Service Controls is not a replacement for:
  • VPC firewall rules
  • Private Service Connect
  • Cloud NAT/egress controls
  • Cloud Armor (for internet-facing HTTP(S))
  • Use it as part of a layered security posture.

Secrets handling

  • Avoid embedding credentials in scripts for perimeter testing.
  • Use short-lived credentials and standard auth (gcloud auth, Workload Identity).
  • Consider Secret Manager for application secrets.

Audit/logging

  • Use Cloud Audit Logs and Logs Explorer to investigate denied requests.
  • Consider centralizing logs in a dedicated security project with appropriate retention.
  • Treat violation logs as potential security signals (misuse or attempted exfiltration).

Compliance considerations

  • Access Context Manager can support compliance objectives by restricting access contexts and by providing audit evidence.
  • Compliance requires process and documentation—include:
  • policy intent
  • change approvals
  • exception justification
  • monitoring and incident response procedures

Common security mistakes

  • Enforcing perimeters without dry-run and without exception rules (causing outages)
  • Creating overly broad ingress/egress exceptions (“allow all”) that undermine the control
  • Not restricting who can edit perimeters
  • Forgetting to monitor logs and assuming “enabled” means “effective”

Secure deployment recommendations

  • Use dry-run → analyze violations → implement least-privilege rules → enforce
  • Keep policies in version control and deploy via CI/CD when possible
  • Use separate perimeters for distinct trust zones and data classifications
  • Regularly review exceptions and remove those no longer required

13. Limitations and Gotchas

  • Organization-centric: Many Access Context Manager capabilities require org-level setup.
  • Supported services only: VPC Service Controls applies to a defined set of Google services. Always verify the current supported services list in official docs.
  • Rollout risk: Enforcement can block admins, CI/CD pipelines, third-party tools, and even routine operations if exceptions aren’t planned.
  • Complex exception management: Ingress/egress rules require careful design and testing.
  • Logging noise: Dry-run and enforcement can increase log volume.
  • Confusing “perimeter” expectations: It’s not a network perimeter in the traditional sense; it’s API-based enforcement at Google service boundaries.
  • Cross-project workflows: Data movement patterns (exports, transfers, cross-project reads) can break unless designed for perimeters.
  • Third-party integrations: Vendor tools that call Google APIs may be blocked unless explicitly allowed.
  • Change propagation: Policy changes can take some time to propagate; test systematically.
  • Quotas/limits: Numbers of perimeters, access levels, and complexity are limited; verify current quotas.

14. Comparison with Alternatives

Access Context Manager is not a general-purpose security service; it’s specific to context and perimeter controls. Here’s how it compares.

Comparison table

Option Best For Strengths Weaknesses When to Choose
Access Context Manager (Google Cloud) Org-wide context access + VPC Service Controls perimeters Central policy, reusable access levels, strong anti-exfiltration controls for supported services Requires careful design; org-centric; supported-services scope You need conditional access and strong data boundary controls in Google Cloud
IAM + IAM Conditions (Google Cloud) Attribute-based authorization on IAM bindings Fine-grained resource-level authorization; integrates directly with IAM Doesn’t create service perimeters; not equivalent to VPC SC You need conditional authorization for specific resources without perimeter controls
Organization Policy Service (Google Cloud) Enforcing org-wide configuration constraints Great for guardrails (e.g., restrict public IPs, allowed regions) Not a context-aware request gate; doesn’t do per-request evaluation like access levels You need governance constraints across projects/folders
VPC firewall rules / Cloud Firewall policies (Google Cloud) Network-layer VM traffic control Strong L3/L4 control in VPC Doesn’t protect Google-managed service APIs from credential misuse You need network segmentation and VM traffic control
Identity-Aware Proxy (IAP) (Google Cloud) Protecting web apps and TCP services Strong identity gate for app access; integrates with Google identity Not a substitute for data service perimeter controls You need secure access to applications without VPN
AWS Verified Access / AWS IAM + SCP + VPC endpoints Conditional access and boundary controls in AWS Strong AWS-native approach; endpoint/private access patterns Different model; doesn’t map 1:1 to VPC SC Your workloads are primarily on AWS
Microsoft Entra Conditional Access + Private Link Conditional access and private connectivity in Azure Mature conditional access; strong private service access patterns Different enforcement architecture Your workloads are primarily on Azure
Self-managed proxies + OPA policies Custom enforcement for bespoke systems Highly customizable High ops burden; hard to match cloud-native service controls You need custom policy enforcement not covered by cloud-native controls

15. Real-World Example

Enterprise example: regulated analytics platform

  • Problem: A financial services company stores PII in Cloud Storage and BigQuery. They worry about credential theft and accidental data export to non-approved destinations.
  • Proposed architecture:
  • Organization with a dedicated prod-data folder
  • Access Context Manager service perimeter around analytics projects
  • Restricted services: Storage, BigQuery (and other supported services as needed)
  • Ingress rules allowing:
    • approved CI/CD project for deployments
    • specific analyst workflows from approved contexts
  • Dry-run → policy tuning → enforced rollout
  • Centralized logging and security monitoring
  • Why Access Context Manager was chosen:
  • Provides a cloud-native anti-exfiltration boundary for Google-managed services
  • Allows centralized policy governance across many projects
  • Expected outcomes:
  • Reduced data exfiltration pathways through Google APIs
  • Improved auditability of policy violations
  • Stronger separation between prod and non-prod environments

Startup/small-team example: protect a customer data bucket

  • Problem: A SaaS startup has a single sensitive bucket with customer exports. They want an extra guardrail beyond IAM to prevent misuse from arbitrary locations.
  • Proposed architecture:
  • One perimeter around the project containing the sensitive bucket
  • Restricted service: Cloud Storage
  • Dry-run to observe current access patterns
  • Minimal, explicit exceptions for build/deploy and operational access
  • Why Access Context Manager was chosen:
  • Faster and more robust than building custom proxy layers for Storage API calls
  • Policy is centralized and auditable
  • Expected outcomes:
  • Stronger default-deny posture for sensitive data access paths
  • Clear violation logging when policies would have been breached

16. FAQ

1) What does Access Context Manager actually enforce?

It defines policies (access levels and perimeters). Enforcement occurs in integrated Google Cloud control points—most notably VPC Service Controls for protected services and other supported context-aware access integrations.

2) Is Access Context Manager the same as VPC Service Controls?

No. Access Context Manager is where you configure service perimeters and access levels. VPC Service Controls is the enforcement mechanism that uses those perimeters to protect supported services.

3) Do I still need IAM if I use Access Context Manager?

Yes. IAM remains the primary authorization layer. Access Context Manager adds conditional/perimeter constraints; it does not grant permissions by itself.

4) Is Access Context Manager project-scoped?

Typically no. It is primarily organization-scoped through an access policy, and then perimeters include projects.

5) Can I use Access Context Manager without an Organization?

In most real deployments, you need an Organization. If you don’t have one, your options are limited; verify current requirements in official docs.

6) Does it protect VM-to-VM traffic in my VPC?

No. For VM network traffic, use VPC firewall rules, Cloud Firewall policies, and network segmentation patterns. VPC Service Controls focuses on Google-managed service APIs.

7) Which services can be restricted by a service perimeter?

Only specific supported services. Always check the current supported services list in official VPC Service Controls documentation because it changes over time.

8) What is dry-run mode and why is it important?

Dry-run helps you see what would be blocked before you enforce. It’s critical for avoiding outages and for discovering hidden dependencies and workflows.

9) Can I allow exceptions for CI/CD systems?

Yes. Use ingress/egress rules and/or access levels to allow required service-to-service interactions while keeping default-deny.

10) How do I troubleshoot a denied request?

Use Cloud Logging and look for VPC Service Controls audit metadata. Identify which perimeter and rule caused the deny and adjust ingress/egress/access levels accordingly.

11) Can Access Context Manager enforce MFA?

Not directly. MFA is typically enforced through identity providers and account policies. Access Context Manager focuses on context conditions and perimeters.

12) Is Access Context Manager a replacement for VPN?

No. It supports BeyondCorp-style access patterns for certain scenarios but doesn’t replace all VPN use cases. For application access, consider IAP/BeyondCorp approaches.

13) Can I apply different rules to dev vs prod?

Yes. Use separate perimeters and potentially separate access levels and exceptions.

14) Will enabling a perimeter break third-party tools?

It can. Any tool calling restricted services from outside allowed contexts can be blocked. Use dry-run to discover these dependencies.

15) What’s the safest way to roll out in production?

Dry-run → analyze logs → implement least-privilege exceptions → staged enforcement (pilot projects first) → continuous monitoring and periodic review.

16) Can I manage Access Context Manager with Terraform?

Yes, commonly. Use the official Google provider resources (verify current names and fields in provider docs). Always test changes in non-prod first.

17) What’s the difference between a regular perimeter and a bridge?

A regular perimeter defines a boundary. A bridge connects perimeters to allow controlled communication between them (use sparingly and design carefully).

17. Top Online Resources to Learn Access Context Manager

Resource Type Name Why It Is Useful
Official documentation Access Context Manager overview Best starting point for concepts, components, and workflows: https://cloud.google.com/access-context-manager/docs/overview
Official documentation Access levels documentation How to define and manage access levels: https://cloud.google.com/access-context-manager/docs/create-access-level
Official documentation VPC Service Controls overview Explains service perimeters and enforcement model: https://cloud.google.com/vpc-service-controls/docs/overview
Official documentation VPC Service Controls dry-run Safe rollout guidance and how to interpret logs: https://cloud.google.com/vpc-service-controls/docs/dry-run
Official documentation Ingress and egress rules Designing least-privilege exceptions: https://cloud.google.com/vpc-service-controls/docs/ingress-egress-rules
Reference Access Context Manager API reference Programmatic management details: https://cloud.google.com/access-context-manager/docs/reference/rest
Pricing Google Cloud Pricing Calculator Estimate underlying service and logging costs: https://cloud.google.com/products/calculator
Pricing BeyondCorp Enterprise pricing If using BeyondCorp enterprise context features: https://cloud.google.com/beyondcorp-enterprise/pricing
Official videos Google Cloud YouTube channel Search for VPC Service Controls and context-aware access explainers: https://www.youtube.com/@googlecloud
Trusted community (verify) Terraform Google provider docs IaC examples for access levels and perimeters (validate fields): https://registry.terraform.io/providers/hashicorp/google/latest/docs

18. Training and Certification Providers

Institute Suitable Audience Likely Learning Focus Mode Website URL
DevOpsSchool.com DevOps engineers, cloud engineers, platform teams Google Cloud operations, security fundamentals, DevOps practices Check website https://www.devopsschool.com/
ScmGalaxy.com Beginners to intermediate engineers DevOps/SCM foundations, cloud and automation basics Check website https://www.scmgalaxy.com/
CLoudOpsNow.in Cloud operations teams Cloud operations, monitoring, reliability practices Check website https://www.cloudopsnow.in/
SreSchool.com SREs, operations, platform engineers Site reliability engineering, incident response, production readiness Check website https://www.sreschool.com/
AiOpsSchool.com Ops and SRE teams AIOps concepts, monitoring analytics, automation Check website https://www.aiopsschool.com/

19. Top Trainers

Platform/Site Likely Specialization Suitable Audience Website URL
RajeshKumar.xyz Cloud/DevOps training content (verify offerings) Students and engineers seeking guided learning https://rajeshkumar.xyz/
devopstrainer.in DevOps training (verify course catalog) Beginners to intermediate DevOps practitioners https://www.devopstrainer.in/
devopsfreelancer.com Freelance DevOps guidance/services (treat as resource platform) Teams seeking practical DevOps help https://www.devopsfreelancer.com/
devopssupport.in DevOps support and training resources (verify scope) Engineers needing hands-on support https://www.devopssupport.in/

20. Top Consulting Companies

Company Likely Service Area Where They May Help Consulting Use Case Examples Website URL
cotocus.com Cloud/DevOps consulting (verify exact services) Architecture, implementation support, operational improvements Designing org structure, CI/CD, cloud governance foundations https://cotocus.com/
DevOpsSchool.com DevOps and cloud consulting/training (verify offerings) Platform engineering enablement, DevOps process improvements CI/CD rollout, operational readiness, security posture basics https://www.devopsschool.com/
DEVOPSCONSULTING.IN DevOps consulting (verify exact services) DevOps transformation and delivery pipelines Pipeline modernization, automation, production support models https://www.devopsconsulting.in/

21. Career and Learning Roadmap

What to learn before Access Context Manager

  • Google Cloud resource hierarchy: Organization → Folders → Projects
  • IAM fundamentals (roles, bindings, service accounts)
  • Cloud Audit Logs and Cloud Logging basics
  • Cloud Storage and BigQuery fundamentals (if you protect data services)
  • Networking basics (VPC, private access patterns) to avoid misinterpreting what perimeters do

What to learn after Access Context Manager

  • VPC Service Controls advanced patterns:
  • ingress/egress rules design
  • bridges and shared services architectures
  • BeyondCorp/IAP for application access
  • Security Command Center and threat detection workflows
  • Policy-as-code and automation (Terraform, CI/CD for policy rollout)
  • Incident response and forensics in Google Cloud

Job roles that use it

  • Cloud Security Engineer
  • Platform Engineer (Cloud Foundations)
  • Site Reliability Engineer (in regulated environments)
  • Cloud Architect / Security Architect
  • Governance, Risk, and Compliance (GRC) engineer (technical)

Certification path (if available)

Google Cloud certifications that commonly align with this skillset (verify current names and availability in official certification catalog): – Professional Cloud Security Engineer – Professional Cloud Architect

Official Google Cloud certifications: https://cloud.google.com/learn/certification

Project ideas for practice

  • Build a “regulated data zone” with:
  • one perimeter around a data project
  • dry-run analysis
  • minimal ingress/egress exceptions for CI/CD
  • Create separate perimeters for prod/non-prod and implement a controlled bridge for shared services.
  • Set up centralized logging and create saved queries/alerts for VPC Service Controls violations.
  • Implement policy-as-code with Terraform and peer-reviewed pull requests for perimeter changes.

22. Glossary

  • Access Context Manager: Google Cloud service for defining access policies, access levels, and service perimeters used for context-aware access and VPC Service Controls.
  • Access Policy: Top-level container in Access Context Manager that holds access levels and service perimeters.
  • Access Level: A named set of conditions that define when access should be considered from a trusted context.
  • CEL (Common Expression Language): Expression language used to define custom logical conditions in policies.
  • VPC Service Controls (VPC SC): Google Cloud capability that uses service perimeters to reduce data exfiltration risk from supported Google-managed services.
  • Service Perimeter: A boundary around projects and services that restricts access based on policy.
  • Ingress Rule: An allow rule that permits requests from outside a perimeter to reach resources inside, under defined conditions.
  • Egress Rule: An allow rule that permits requests from inside a perimeter to access resources outside, under defined conditions.
  • Dry-run: Mode that records what would be blocked without enforcing (useful for safe rollout).
  • Organization (Google Cloud): Top-level resource container above folders and projects; required for many org-wide security features.
  • Cloud Audit Logs: Logs that record administrative activity and data access in Google Cloud services.
  • Data exfiltration: Unauthorized movement of data out of a trusted environment.

23. Summary

Access Context Manager is Google Cloud’s organization-level Security service for defining context-aware access and service perimeters (used by VPC Service Controls). It matters because IAM alone can’t fully express “trusted access”—especially for sensitive data services—while Access Context Manager adds conditions and boundaries that reduce data exfiltration risk.

It fits best in organizations that need centralized policy governance across many projects, especially where Cloud Storage, BigQuery, and other supported managed services host sensitive data. Cost is usually driven less by Access Context Manager itself and more by indirect factors like Cloud Logging volume and the protected services you use—so plan log retention, rollout phases, and exception design carefully.

Use Access Context Manager when you need a strong, auditable, policy-driven boundary for data services in Google Cloud, and adopt dry-run-first rollout with explicit ingress/egress rules. Next step: deepen your understanding of VPC Service Controls ingress/egress rules and practice a staged deployment pattern in a non-production environment.