VPC Service Controls is a Google Cloud feature that lets you set up a service perimeter and create a data transfer boundary. You can use VPC Service Controls with Eventarc to help protect your services.
We recommend that you protect all services when creating a service perimeter.
Limitations
In projects protected by a service perimeter, the following limitations apply:
Eventarc is bound by the same limitations as Pub/Sub:
When routing events to Cloud Run destinations, you can only create new Pub/Sub push subscriptions when the push endpoints are set to Cloud Run services with default run.app URLs; custom domains don't work.
When routing events to Workflows destinations for which the Pub/Sub push endpoint is set to a Workflows execution, you can only create new Pub/Sub push subscriptions through Eventarc. Note that the service account used for push authentication for the Workflows endpoint must be included in the service perimeter.
VPC Service Controls blocks the creation of Eventarc triggers for internal HTTP endpoints. VPC Service Controls protection does not apply when routing events to such destinations.
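The limitations above are easy to check before you try to create a trigger, so the following pre-flight lint walks a set of Eventarc trigger definitions and reports which ones a perimeter would block or leave unprotected. This is an added example, not code from the Google Cloud documentation or the Eventarc product: the trigger records, the perimeter membership set, the Workflows endpoint shape and the "created_by" field (a hypothetical way of recording whether a push subscription was made through Eventarc) are all constructed, and "included in the service perimeter" is simplified to "the project that owns the service account is inside the perimeter".

```python
"""Pre-flight lint for Eventarc trigger definitions in a project protected by a
VPC Service Controls perimeter.  Added example with constructed inputs; it is
not the documentation's or the product's own code."""
import re
from urllib.parse import urlparse

# Constructed: project IDs enclosed by a hypothetical perimeter.
PERIMETER_PROJECTS = {"events-prod", "workflows-prod"}

# Service-account e-mail shape: <name>@<project-id>.iam.gserviceaccount.com
_SA_RE = re.compile(r"^[^@\s]+@([a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$")


def sa_project(email):
    """Return the project ID that owns a service-account e-mail, or None."""
    m = _SA_RE.match(email or "")
    return m.group(1) if m else None


def lint_trigger(trigger, perimeter_projects=PERIMETER_PROJECTS):
    """Return a list of perimeter problems for one trigger (empty list means OK)."""
    problems = []
    dest = trigger["destination"]
    host = urlparse(trigger.get("endpoint", "")).hostname or ""

    if dest == "cloud_run":
        # Only default run.app URLs can be push endpoints inside a perimeter.
        if not host.endswith(".run.app"):
            problems.append("Cloud Run push endpoint is a custom domain; use the default run.app URL")
    elif dest == "workflows":
        # Push subscriptions to a Workflows execution must come from Eventarc ...
        if trigger.get("created_by") != "eventarc":
            problems.append("Pub/Sub push subscription to a Workflows execution must be created through Eventarc")
        # ... and the push-auth service account must live inside the perimeter.
        if sa_project(trigger.get("service_account")) not in perimeter_projects:
            problems.append("push-authentication service account is not in the service perimeter")
    elif dest == "http_endpoint":
        # VPC Service Controls blocks these triggers and does not protect the flow.
        problems.append("trigger creation for an internal HTTP endpoint is blocked; "
                        "events to it would not be protected by VPC Service Controls")
    else:
        problems.append("unknown destination type %r" % dest)
    return problems


def lint_all(triggers, perimeter_projects=PERIMETER_PROJECTS):
    """Map each trigger name to its list of problems."""
    return {t["name"]: lint_trigger(t, perimeter_projects) for t in triggers}


# Constructed sample trigger definitions (not real resources).
TRIGGERS = [
    {"name": "orders-to-run", "destination": "cloud_run",
     "endpoint": "https://orders-abc123-uc.a.run.app",
     "service_account": "eventarc-push@events-prod.iam.gserviceaccount.com",
     "created_by": "eventarc"},
    {"name": "orders-custom-domain", "destination": "cloud_run",
     "endpoint": "https://orders.example.com",
     "service_account": "eventarc-push@events-prod.iam.gserviceaccount.com",
     "created_by": "eventarc"},
    {"name": "orders-to-workflow", "destination": "workflows",
     # Endpoint shape assumed for illustration; the lint does not inspect it.
     "endpoint": "https://workflowexecutions.googleapis.com/v1/projects/workflows-prod/locations/us-central1/workflows/order-flow/executions",
     "service_account": "wf-push@workflows-prod.iam.gserviceaccount.com",
     "created_by": "eventarc"},
    {"name": "workflow-manual-sub", "destination": "workflows",
     "endpoint": "https://workflowexecutions.googleapis.com/v1/projects/workflows-prod/locations/us-central1/workflows/order-flow/executions",
     "service_account": "wf-push@outside-proj.iam.gserviceaccount.com",
     "created_by": "pubsub"},  # push subscription created directly, not via Eventarc
    {"name": "to-internal-http", "destination": "http_endpoint",
     "endpoint": "http://10.0.0.5:8080/events",
     "service_account": "eventarc-push@events-prod.iam.gserviceaccount.com",
     "created_by": "eventarc"},
]

if __name__ == "__main__":
    for name, problems in lint_all(TRIGGERS).items():
        print(name + ": " + ("OK" if not problems else "; ".join(problems)))
```

Run it before applying `gcloud eventarc triggers create` in a perimeter-protected project; a trigger with an empty problem list matches the documented constraints, while any reported problem is one the perimeter would reject or leave unprotected.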
What's next
To learn more about VPC Service Controls, see the VPC Service Controls overview and the list of supported products and limitations.
For best practices for enabling VPC Service Controls, see Best practices for enabling VPC Service Controls.
For best practices for designing service perimeters, see Design and architect service perimeters.
To set up a service perimeter, see Create a service perimeter.