Set up a service perimeter using VPC Service Controls

VPC Service Controls is a Google Cloud feature that lets you set up a service perimeter and create a data transfer boundary. You can use VPC Service Controls with Eventarc to help protect your services.

We recommend that you protect all services when creating a service perimeter.

Limitations

In projects protected by a service perimeter, the following limitations apply:

Eventarc Advanced

  • An Eventarc Advanced bus outside of a service perimeter can't receive events from Google Cloud projects inside the perimeter. An Eventarc Advanced bus inside of a perimeter can't route events to a consumer outside of the perimeter.

    • To publish to an Eventarc Advanced bus, the source of an event must be inside the same service perimeter as the bus.
    • To consume a message, an event consumer must be inside the same service perimeter as the bus.
  • You can't create an Eventarc Advanced pipeline inside a service perimeter. You can test VPC Service Controls support for the MessageBus, GoogleApiSource, and Enrollment resources, and view platform logs on ingress; however, you can't test VPC Service Controls egress. If any of those resources are in a service perimeter, you can't set up Eventarc Advanced to deliver events end-to-end within that perimeter.

Eventarc Standard

  • Eventarc Standard is bound by the same limitations as Pub/Sub:

    • When routing events to Cloud Run destinations, you can only create new Pub/Sub push subscriptions when the push endpoints are set to Cloud Run services with default run.app URLs. Custom domains don't work.

    • When routing events to Workflows destinations for which the Pub/Sub push endpoint is set to a Workflows execution, you can only create new Pub/Sub push subscriptions through Eventarc. Note that the service account used for push authentication for the Workflows endpoint must be included in the service perimeter.

  • VPC Service Controls blocks the creation of Eventarc triggers for internal HTTP endpoints. VPC Service Controls protection does not apply when routing events to such destinations.
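The recommendation above to protect all services, and the note that Eventarc Standard inherits Pub/Sub's limits, both come down to which APIs the perimeter restricts. The following POSIX shell helper is an added example and not part of this documentation: it checks that a `--restricted-services` list covering Eventarc also covers the Pub/Sub transport and the Cloud Run and Workflows destinations, then prints the `gcloud access-context-manager perimeters create` command for a regular perimeter. `POLICY_ID` and `PROJECT_NUMBER` are placeholders to replace with your Access Context Manager policy number and numeric project number.

```shell
#!/bin/sh
# Added example, not from the Eventarc documentation. Assumes the gcloud CLI is
# installed; POLICY_ID and PROJECT_NUMBER below are placeholders.

# Services Eventarc depends on. Restricting eventarc.googleapis.com alone leaves
# the Pub/Sub transport and the Cloud Run / Workflows destinations outside the boundary.
EVENTARC_DEPS="pubsub.googleapis.com run.googleapis.com workflows.googleapis.com"

# Print the dependent services absent from a comma-separated restricted-services
# list. Prints nothing when the list is complete or does not restrict Eventarc at all.
missing_eventarc_deps() {
  list=",$1,"
  missing=""
  case "$list" in
    *,eventarc.googleapis.com,*) ;;
    *) echo ""; return 0 ;;
  esac
  for svc in $EVENTARC_DEPS; do
    case "$list" in
      *,"$svc",*) ;;
      *) missing="${missing:+$missing }$svc" ;;
    esac
  done
  echo "$missing"
}

# Build (but do not run) the command that creates a regular perimeter around one
# project with the given restricted services, so it can be reviewed first.
perimeter_create_cmd() {
  policy_id="$1"; perimeter="$2"; project_number="$3"; services="$4"
  echo "gcloud access-context-manager perimeters create $perimeter" \
    "--policy=$policy_id --title=$perimeter --perimeter-type=regular" \
    "--resources=projects/$project_number --restricted-services=$services"
}

# Refuse to emit the command when the service list would leave Eventarc's
# dependencies unprotected; otherwise print it for review.
build_eventarc_perimeter() {
  services="$1"
  gaps=$(missing_eventarc_deps "$services")
  if [ -n "$gaps" ]; then
    echo "refusing: restricted-services leaves these unprotected: $gaps" >&2
    return 1
  fi
  perimeter_create_cmd "POLICY_ID" "eventarc-perimeter" "PROJECT_NUMBER" "$services"
}

build_eventarc_perimeter \
  "eventarc.googleapis.com,pubsub.googleapis.com,run.googleapis.com,workflows.googleapis.com"
```

Pipe the printed command into `sh` only after confirming the project number and policy ID; remember the service account used for Workflows push authentication must itself sit inside the perimeter.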

What's next