VPC Service Controls is a Google Cloud feature that allows you to set up a service perimeter and create a data transfer boundary. You can use VPC Service Controls with Eventarc to help protect your services.
We recommend that you protect all services when creating a service perimeter.
In projects protected by a service perimeter, Eventarc is bound by the same limitations as Pub/Sub:
When routing events to Cloud Run destinations, you can only create new Pub/Sub push subscriptions when the push endpoints are set to Cloud Run services with default run.app URLs (custom domains don't work).
When routing events to Workflows destinations for which the Pub/Sub push endpoint is set to a Workflows execution, you can only create new Pub/Sub push subscriptions through Eventarc. Note that the service account used for push authentication for the Workflows endpoint must be included in the service perimeter.
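The following preflight check is an added example, not code from Google Cloud or Eventarc: it scans subscription records for push endpoints that are not default run.app URLs, which is the Cloud Run limitation described above. It assumes records shaped like the Pub/Sub API Subscription resource (name, pushConfig.pushEndpoint); the sample records and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Suffix of default Cloud Run service URLs; the leading dot matters so that
# a host such as "evilrun.app" is not accepted.
DEFAULT_SUFFIX = ".run.app"


def is_default_run_url(endpoint):
    """Return True only for https URLs whose host is a subdomain of run.app."""
    try:
        parts = urlsplit(endpoint)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False  # malformed URL: treat as non-compliant
    # hostname excludes userinfo and port, so "user@host" tricks do not pass.
    return (
        parts.scheme == "https"
        and host.endswith(DEFAULT_SUFFIX)
        and len(host) > len(DEFAULT_SUFFIX)
    )


def audit_push_endpoints(subscriptions):
    """Return (subscription name, endpoint) pairs that a perimeter would reject."""
    findings = []
    for sub in subscriptions:
        endpoint = sub.get("pushConfig", {}).get("pushEndpoint")
        if not endpoint:
            continue  # pull subscription: no push endpoint to check
        if not is_default_run_url(endpoint):
            findings.append((sub["name"], endpoint))
    return findings


# Constructed sample records (not real projects or services).
SAMPLE_SUBSCRIPTIONS = [
    {"name": "projects/demo/subscriptions/run-default",
     "pushConfig": {"pushEndpoint": "https://orders-abc123-uc.a.run.app/"}},
    {"name": "projects/demo/subscriptions/custom-domain",
     "pushConfig": {"pushEndpoint": "https://events.example.com/hook"}},
    {"name": "projects/demo/subscriptions/suffix-lookalike",
     "pushConfig": {"pushEndpoint": "https://orders.run.app.example.com/"}},
    {"name": "projects/demo/subscriptions/pull-only", "pushConfig": {}},
]

if __name__ == "__main__":
    for name, endpoint in audit_push_endpoints(SAMPLE_SUBSCRIPTIONS):
        print(f"non-default push endpoint: {name} -> {endpoint}")
```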
What's next
To learn more about VPC Service Controls, see the overview and supported products and limitations.
For best practices for enabling VPC Service Controls, see Best practices for enabling VPC Service Controls.
For best practices for designing service perimeters, see Design and architect service perimeters.
To set up a service perimeter, see Create a service perimeter.