Artifact Registry is the recommended service for managing container images. Container Registry is still supported but will only receive critical security fixes. Learn about transitioning to Artifact Registry.

Securing Container Registry in a service perimeter

VPC Service Controls improves your ability to mitigate the risk of unauthorized copying or transfer of data from Google-managed services.

With VPC Service Controls, you can configure security perimeters around the resources of your Google-managed services and control the movement of data across the perimeter boundary.

Using Container Registry with VPC Service Controls

If you are using Container Registry and Google Kubernetes Engine private clusters in a project within a service perimeter, you can access container images inside the service perimeter as well as Google-provided images.

You can access Container Registry using the IP addresses for the default Google APIs and services domains, or using these special IP addresses:

  • (
  • (

For details about these options, see Configuring Private Google Access. For an example configuration that uses (, see the documentation for registry access with a virtual IP.

For general instructions to add Container Registry to a service perimeter, see Creating a service perimeter.

Using Container Analysis with VPC Service Controls

To learn how to add Container Analysis to your perimeter, see the securing Container Analysis in a service perimeter.