VPC Service Controls is a Google Cloud feature that lets you set up a service perimeter and create a data transfer boundary around Google Cloud resources. VPC Service Controls provides additional security for your App Hub resources, such as mitigating the risk of data exfiltration. Using VPC Service Controls, you can add projects to service perimeters that protect applications, services, and workloads from requests that cross the perimeter.
App Hub resources are exposed on the apphub.googleapis.com API, which lets you perform operations such as creation and deletion of applications, services, and workloads. You can set up VPC Service Controls with App Hub by restricting connectivity to this API surface.
We recommend that you protect all App Hub resources when creating a service perimeter.
Limitations
You must set up VPC Service Controls on the App Hub host and service projects before you create an application and register services and workloads to the application. App Hub supports the following resource types:
- Application
- Discovered service
- Discovered workload
- Service
- Service project attachment
- Workload
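The following POSIX shell script is an added example, not code from the App Hub documentation or from Google Cloud. It shows the setup the page calls for: one service perimeter that contains the App Hub host project and every service project, with apphub.googleapis.com in the perimeter's restricted services, created before any application is registered. The access policy ID, perimeter name and project numbers are placeholders (assumptions) that you replace with your own values; the gcloud command is only executed when APPLY=1 is set, so by default the script validates the plan and prints the command it would run.

```shell
#!/bin/sh
# Added example (not from the App Hub docs): define a VPC Service Controls
# perimeter around an App Hub host project and its service projects, with
# apphub.googleapis.com restricted. All IDs below are placeholders.
set -eu

ACCESS_POLICY="${ACCESS_POLICY:-123456789012}"        # placeholder access policy ID
PERIMETER_NAME="${PERIMETER_NAME:-apphub_perimeter}"  # placeholder perimeter name
PERIMETER_TITLE="${PERIMETER_TITLE:-App Hub perimeter}"
HOST_PROJECT_NUMBER="${HOST_PROJECT_NUMBER:-111111111111}"                 # placeholder
SERVICE_PROJECT_NUMBERS="${SERVICE_PROJECT_NUMBERS:-222222222222 333333333333}"  # placeholders
RESTRICTED_SERVICES="${RESTRICTED_SERVICES:-apphub.googleapis.com}"

# Build the comma-separated --resources value: the host project followed by
# every service project, each in the projects/NUMBER form the perimeter expects.
perimeter_resources() {
  host="$1"; shift
  out="projects/$host"
  for n in "$@"; do
    out="$out,projects/$n"
  done
  printf '%s' "$out"
}

# Validate the plan before calling gcloud:
#   - every resource must be projects/<project number> (project IDs are not accepted);
#   - apphub.googleapis.com must be among the restricted services, otherwise the
#     perimeter does not cover App Hub at all.
# Returns 0 when the plan is sound, 1 otherwise.
check_perimeter_plan() {
  resources="$1"
  services="$2"
  for r in $(printf '%s' "$resources" | tr ',' ' '); do
    if ! printf '%s\n' "$r" | grep -Eq '^projects/[0-9]+$'; then
      echo "bad resource: $r (expected projects/PROJECT_NUMBER)" >&2
      return 1
    fi
  done
  case ",$services," in
    *,apphub.googleapis.com,*) ;;
    *) echo "apphub.googleapis.com is not in the restricted services" >&2; return 1 ;;
  esac
  return 0
}

# Render the gcloud command that creates the perimeter (printed, not executed).
perimeter_create_cmd() {
  name="$1"; policy="$2"; title="$3"; resources="$4"; services="$5"
  printf 'gcloud access-context-manager perimeters create %s --policy=%s --title="%s" --resources=%s --restricted-services=%s' \
    "$name" "$policy" "$title" "$resources" "$services"
}

main() {
  # Word splitting of SERVICE_PROJECT_NUMBERS is intentional: one number per word.
  resources=$(perimeter_resources "$HOST_PROJECT_NUMBER" $SERVICE_PROJECT_NUMBERS)
  check_perimeter_plan "$resources" "$RESTRICTED_SERVICES"
  cmd=$(perimeter_create_cmd "$PERIMETER_NAME" "$ACCESS_POLICY" "$PERIMETER_TITLE" \
        "$resources" "$RESTRICTED_SERVICES")
  echo "Planned perimeter command:"
  echo "$cmd"
  # Only apply when explicitly requested; run this before creating any
  # application, service, or workload in App Hub.
  if [ "${APPLY:-0}" = "1" ]; then
    eval "$cmd"
  fi
}

main
```

Run it once with the defaults to review the printed command, then with `APPLY=1` and your real access policy ID and project numbers to create the perimeter. Adding a further service project later means updating the perimeter's resources before attaching that project to the host project, so the check above is worth re-running on every change.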
What's next
To learn more about VPC Service Controls, see the overview and supported products and limitations.
For best practices for enabling VPC Service Controls, see Best practices for enabling VPC Service Controls.
For best practices for designing service perimeters, see Design and architect service perimeters.
To set up a service perimeter, see Create a service perimeter.