# Using VPC Service Controls with App Hub

VPC Service Controls is a Google Cloud feature that lets you set up a
[service perimeter](/vpc-service-controls/docs/service-perimeters) that creates a data transfer boundary around
Google Cloud resources. VPC Service Controls provides more security for
your App Hub resources, such as mitigating the risk of data
exfiltration. Using VPC Service Controls, you can add projects to service
perimeters that protect applications, services, and workloads from requests that
cross the perimeter.

App Hub resources are exposed on the
`apphub.googleapis.com` API, which lets you perform
operations such as creating and deleting applications, services, and
workloads. You can set up VPC Service Controls with App Hub
by restricting connectivity to this API surface.

We recommend that you protect all App Hub resources when creating a
service perimeter.

App Hub supports the following resource types:

- Application
- Discovered service
- Discovered workload
- Service
- Service project attachment (only for applications managed by a host project)
- Workload

Applications in an app-enabled folder
-------------------------------------

When you [enable application management](/resource-manager/docs/manage-applications) on a folder, the
following actions occur:

1. Google creates a Google-managed project in the folder called a *management project*.
2. The system enables the required APIs for application management on that project. Some APIs that the system enables are directly related to application management. The remaining APIs are dependencies.

If you want to include the management project in a service perimeter, include
the enabled APIs that support VPC Service Controls. For more information,
see [Create a service perimeter](/vpc-service-controls/docs/create-service-perimeters).

### APIs enabled on a management project

The following tables list APIs that are automatically enabled for a management
project. If a product supports VPC Service Controls, review the linked
documentation for more information, such as limitations or additional
configuration requirements.

**APIs involved in designing, building, and deploying applications**

APIs in this table include App Hub, Application Design Center,
and dependencies used to build applications, deploy applications, and store
application data.

Resource Manager is required for enabling and managing app-enabled folders.

**Google Cloud Observability APIs**

**Google Cloud Observability dependencies**

Some Logging and Cloud Monitoring features require other
product APIs.

The Dataform API and Dataplex API are BigQuery
dependencies.

**APIs that provide resource data about resources**

**Gemini Cloud Assist**

Applications managed by a host project
--------------------------------------

You must set up VPC Service Controls on the App Hub host and
service projects before you create an application and register services and
workloads to the application. For more information, see
[Create a service perimeter](/vpc-service-controls/docs/create-service-perimeters).

What's next
-----------

- To learn more about VPC Service Controls, see the
  [overview](/vpc-service-controls/docs/overview) and
  [supported products and limitations](/vpc-service-controls/docs/supported-products).

- For best practices for enabling VPC Service Controls, see
  [Best practices for enabling VPC Service Controls](/vpc-service-controls/docs/enable).

- For best practices for designing service perimeters, see
  [Design and architect service perimeters](/vpc-service-controls/docs/architect-perimeters).

- To set up a service perimeter, see
  [Create a service perimeter](/vpc-service-controls/docs/create-service-perimeters).

Last updated 2025-09-03 (UTC).
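The two requirements this page states for a host-managed application are that `apphub.googleapis.com` is among the perimeter's restricted services and that the host project and every service project sit inside the perimeter before any application is created. The following script is an added example, not code from the Google Cloud documentation or from App Hub itself. It audits a perimeter exported with `gcloud access-context-manager perimeters describe PERIMETER --policy=POLICY_ID --format=json` against the list of projects App Hub will span, and composes the `gcloud ... perimeters update` command that closes any gap. The perimeter name, policy id and project numbers are constructed placeholders; the embedded JSON is a constructed sample of the `describe` output, which nests the enforced configuration under `status` (a dry-run configuration lives under `spec`).

```python
"""Audit a VPC Service Controls perimeter for App Hub coverage.

Added example (not from the Google Cloud page). Assumes the perimeter was
exported with:
  gcloud access-context-manager perimeters describe PERIMETER \
      --policy=POLICY_ID --format=json
Project numbers, the policy id and the perimeter name are placeholders.
"""
import json
import shlex

# App Hub's API surface; this is the service the page says to restrict.
APPHUB_API = "apphub.googleapis.com"

# Constructed sample of `perimeters describe --format=json` output: the
# host project is inside, but no service project is, and App Hub is not
# yet a restricted service.
SAMPLE_PERIMETER_JSON = json.dumps({
    "name": "accessPolicies/123456789/servicePerimeters/apphub_perimeter",
    "title": "App Hub perimeter",
    "perimeterType": "PERIMETER_TYPE_REGULAR",
    "status": {
        "resources": ["projects/111111111111"],
        "restrictedServices": ["storage.googleapis.com"],
    },
})


def audit_apphub_perimeter(perimeter_json, host_project_number,
                           service_project_numbers, extra_services=()):
    """Return which App Hub projects and services the perimeter lacks.

    `extra_services` lets you also require the APIs a management project
    enables (see "Applications in an app-enabled folder").
    """
    perimeter = json.loads(perimeter_json)
    # Enforced config is under "status"; a dry-run-only perimeter keeps
    # its config under "spec".
    config = perimeter.get("status") or perimeter.get("spec") or {}
    in_perimeter = set(config.get("resources", []))
    restricted = set(config.get("restrictedServices", []))

    # Perimeter resources are referenced by project *number*, not id.
    wanted_projects = {
        f"projects/{n}" for n in [host_project_number, *service_project_numbers]
    }
    wanted_services = {APPHUB_API, *extra_services}

    # name looks like accessPolicies/<policy>/servicePerimeters/<perimeter>
    parts = perimeter["name"].split("/")
    return {
        "policy_id": parts[1],
        "perimeter_id": parts[-1],
        "missing_projects": sorted(wanted_projects - in_perimeter),
        "missing_services": sorted(wanted_services - restricted),
    }


def remediation_command(audit):
    """Compose the gcloud update that adds the missing pieces, or None."""
    if not audit["missing_projects"] and not audit["missing_services"]:
        return None
    cmd = [
        "gcloud", "access-context-manager", "perimeters", "update",
        audit["perimeter_id"], f"--policy={audit['policy_id']}",
    ]
    if audit["missing_projects"]:
        cmd.append("--add-resources=" + ",".join(audit["missing_projects"]))
    if audit["missing_services"]:
        cmd.append("--add-restricted-services=" + ",".join(audit["missing_services"]))
    return shlex.join(cmd)


if __name__ == "__main__":
    # Host project 111111111111 with two service projects (placeholders).
    result = audit_apphub_perimeter(
        SAMPLE_PERIMETER_JSON, "111111111111",
        ["222222222222", "333333333333"],
    )
    print(json.dumps(result, indent=2))
    fix = remediation_command(result)
    print("perimeter already covers App Hub" if fix is None else fix)
```

Run the audit before the first `gcloud apphub applications create`, since the page notes that the perimeter must be in place before applications are created and services or workloads registered. The generated update command is printed rather than executed so it can be reviewed, or applied first against the perimeter's dry-run configuration, before it changes an enforced perimeter.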