VPC Service Controls is a Google Cloud feature that lets you set up a service perimeter and create a data transfer boundary. You can use VPC Service Controls with Eventarc to help protect your services.
We recommend that you protect all services when creating a service perimeter.
Limitations
In projects protected by a service perimeter, the following limitations apply:
Eventarc Advanced
An Eventarc Advanced bus outside of a service perimeter can't receive events from Google Cloud projects inside the perimeter. An Eventarc Advanced bus inside of a perimeter can't route events to a consumer outside of the perimeter.
- To publish to an Eventarc Advanced bus, the source of an event must be inside the same service perimeter as the bus.
- To consume a message, an event consumer must be inside the same service perimeter as the bus.
You can't create an Eventarc Advanced pipeline inside a service perimeter. You can test VPC Service Controls support for the MessageBus, GoogleApiSource, and Enrollment resources, and view platform logs on ingress; however, you can't test VPC Service Controls egress. If any of those resources are in a service perimeter, you can't set up Eventarc Advanced to deliver events end-to-end within that perimeter.
Eventarc Standard
Eventarc Standard is bound by the same limitations as Pub/Sub:
- When routing events to Cloud Run destinations, you can only create new Pub/Sub push subscriptions when the push endpoints are set to Cloud Run services with default run.app URLs. Custom domains don't work.
- When routing events to Workflows destinations for which the Pub/Sub push endpoint is set to a Workflows execution, you can only create new Pub/Sub push subscriptions through Eventarc. Note that the service account used for push authentication for the Workflows endpoint must be included in the service perimeter.
VPC Service Controls blocks the creation of Eventarc triggers for internal HTTP endpoints. VPC Service Controls protection does not apply when routing events to such destinations.
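A preflight check that applies the Eventarc Standard limitations above to trigger definitions before they are created, as an added example (not Google's code or API): the perimeter and trigger dictionaries are constructed sample inputs, and the field names are assumptions, not Eventarc's resource format.

```python
"""Preflight check of Eventarc Standard trigger definitions against a VPC Service
Controls perimeter. Added example, not Google's code; all inputs are constructed."""
from urllib.parse import urlparse

# Constructed perimeter: member projects (by number) and the services it restricts.
PERIMETER = {
    "resources": {"projects/111111111111"},
    "restricted_services": {"eventarc.googleapis.com", "pubsub.googleapis.com",
                            "run.googleapis.com", "workflows.googleapis.com"},
}

def is_default_run_url(uri: str) -> bool:
    """True for a default Cloud Run URL (https, host under run.app); False for a custom domain."""
    parsed = urlparse(uri)
    return parsed.scheme == "https" and (parsed.hostname or "").endswith(".run.app")

def check_trigger(trigger: dict, perimeter: dict = PERIMETER) -> list[str]:
    """Return the perimeter findings for one trigger (an empty list means no finding)."""
    findings = []
    # Eventarc Standard delivers through Pub/Sub push, so both services need protecting.
    for svc in ("eventarc.googleapis.com", "pubsub.googleapis.com"):
        if svc not in perimeter["restricted_services"]:
            findings.append(f"{svc} is not a restricted service of the perimeter")
    dest = trigger["destination"]
    if dest["type"] == "cloud_run" and not is_default_run_url(dest["uri"]):
        findings.append("Cloud Run destination must use its default run.app URL, not a custom domain")
    elif dest["type"] == "workflows":
        # Push authentication uses a service account; its project must be a perimeter member.
        sa_project = dest.get("push_auth_service_account_project")
        if sa_project not in perimeter["resources"]:
            findings.append(f"push-auth service account project {sa_project} is outside the perimeter")
    elif dest["type"] == "internal_http":
        findings.append("triggers for internal HTTP endpoints cannot be created inside a perimeter")
    return findings

# Constructed sample triggers, one per rule.
SAMPLE_TRIGGERS = [
    {"name": "ok-run", "destination": {"type": "cloud_run", "uri": "https://svc-111111111111.us-central1.run.app"}},
    {"name": "custom-domain", "destination": {"type": "cloud_run", "uri": "https://events.example.com/hook"}},
    {"name": "wf-outside-sa", "destination": {"type": "workflows", "push_auth_service_account_project": "projects/999999999999"}},
    {"name": "internal", "destination": {"type": "internal_http", "uri": "http://10.0.0.5:8080/"}},
]

def report(triggers=SAMPLE_TRIGGERS, perimeter=PERIMETER) -> dict[str, list[str]]:
    """Map each trigger name to its findings."""
    return {t["name"]: check_trigger(t, perimeter) for t in triggers}

if __name__ == "__main__":
    for name, problems in report().items():
        print(name, "OK" if not problems else problems)
```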
What's next
To learn more about VPC Service Controls, see the VPC Service Controls overview and the list of supported products and limitations.
For best practices for enabling VPC Service Controls, see Best practices for enabling VPC Service Controls.
For best practices for designing service perimeters, see Design and architect service perimeters.
To set up a service perimeter, see Create a service perimeter.