VPC Service Controls release notes

This page documents production updates to VPC Service Controls. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud page, browse and filter all release notes in the Google Cloud console, or programmatically access release notes in BigQuery.

To get the latest product updates delivered to you, add the URL of this page to your feed reader, or add the feed URL directly.

November 15, 2024

VPC Service Controls feature (Status: Preview): VPC Service Controls adds support for using groups of third-party identities in ingress and egress rules to allow access to resources protected by service perimeters. This feature is available in Preview.

For more information, see Configure identity groups and third-party identities in ingress and egress rules.

October 21, 2024

General availability support for the following integration:

October 18, 2024

Updated the correct support status for the following integration in the Supported products and limitations page:

October 15, 2024

Preview stage support for the following integration:

September 11, 2024

Preview stage support for the following integration:

August 20, 2024

Preview stage support for the following integration:

July 31, 2024

VPC Service Controls feature: VPC Service Controls supports using identity groups and third-party identities (only single identities) in ingress and egress rules to allow access to resources protected by service perimeters. This feature is available in Preview.

For more information, see Configure identity groups and third-party identities in ingress and egress rules. You can also learn an example of using identity groups and third-party identities in ingress and egress rules.

July 17, 2024

Preview stage support for the following integration:

July 02, 2024

VPC Service Controls feature: Support to programmatically retrieve the list of services that are supported by VPC Service Controls is generally available. Using this feature, you also can retrieve the list of methods and permissions supported by VPC Service Controls for a service.

  • The following changes are made in the output of the gcloud access-context-manager supported-services list command:
    • The field name SUPPORT_STAGE is changed into SERVICE_SUPPORT_STAGE.
    • The status BETA is changed into PREVIEW in the SERVICE_SUPPORT_STAGE field.
    • A new status DEPRECATED is added in the SERVICE_SUPPORT_STAGE field.
  • The field name supportStage is changed into serviceSupportStage in the output of the gcloud access-context-manager supported-services describe command.

June 27, 2024

VPC Service Controls feature: Support for using an internal IP address to allow access to protected resources is generally available.

For more information, see Allow access to protected resources from an internal IP address. Make sure that you read the updated Limitations section before using this feature.

May 29, 2024

Preview stage support for the following integration:

  • Kubernetes Metadata API

For more information, see Anthos On-Prem API, Google Kubernetes Engine, and GKE Multi-Cloud.

May 23, 2024

Preview stage support for the following integration:

April 29, 2024

General availability support for the following integration:

General availability support for the following integration:

April 08, 2024

General availability support for the following integration:

March 21, 2024

Preview stage support for the following integration:

March 19, 2024

Beta stage support for the following integration:

Preview stage support for the following integration:

March 14, 2024

Preview stage support for the following integration:

March 07, 2024

General availability support for the following integration:

February 27, 2024

General availability support for the following integration:

Preview stage support for the following integration:

February 21, 2024

General availability support for the following integration:

January 17, 2024

Preview stage support for the following integration:

The ability to programmatically retrieve the list of services that are supported by VPC Service Controls is available in Preview. Using this feature, you can also retrieve the list of methods and permissions supported by VPC Service Controls for a service.

December 06, 2023

November 21, 2023

Preview stage supported for the following integration:

November 20, 2023

General availability support for the following integration:

November 08, 2023

Preview stage supported for the following integration:

Preview stage supported for the following integration:

November 01, 2023

General availability support for the following integration:

September 28, 2023

Preview stage supported for the following integration:

September 13, 2023

Preview stage support for the following integration:

August 15, 2023

General availability support for the following integration:

August 14, 2023

Preview stage support for the following integration:

August 09, 2023

Preview stage support for the following integration:

General availability support for the following integration:

August 04, 2023

Preview stage support for the following integration:

July 19, 2023

Preview stage support for the following integration:

July 18, 2023

General availability support for the following integration:

July 12, 2023

The Quota page displays only the default quota limits and doesn't include any additional quotas provided by Google.

For information about VPC Service Controls quotas, see Quotas and limits.

June 22, 2023

Preview stage support for the following integration:

June 20, 2023

General availability for the following integration:

June 01, 2023

Preview stage support for the following integration:

May 08, 2023

General availability for the following integration:

April 14, 2023

VPC Service Controls support for Cloud Scheduler jobs with the following targets is now in Preview:

  • Cloud Functions
  • Cloud Run
  • Dataflow API
  • Data Pipelines

To learn more, see the documentation on how to secure cron jobs with VPC Service Controls.

April 10, 2023

Preview stage support for the following integration:

March 27, 2023

Preview stage support for the following integration:

March 23, 2023

Preview stage support for the following integration:

March 17, 2023

Preview stage support for the following integration:

March 10, 2023

Preview stage support for the following integration:

February 22, 2023

Preview stage support for the following integration:

February 17, 2023

The ability to add individual VPC networks to a perimeter is generally available (GA).

Previously, all VPC networks in a host project were added to a perimeter. You can now do the following:

  • Add individual VPC networks as members of a perimeter.
  • Create an ingress rule to authorize individual VPC networks to access a perimeter.

February 10, 2023

Preview stage support for the following integration:

January 26, 2023

Preview stage support for the following integration:

January 24, 2023

General availability for the following integration:

January 19, 2023

Preview stage support for the following integration:

January 09, 2023

Support for Cloud Tasks is now at General Availability. To learn more, see the Cloud Tasks documentation on setting up a service perimeter using VPC Service Controls.

January 04, 2023

Preview stage support for the following integration:

December 20, 2022

Preview stage support for the following integration:

December 15, 2022

Preview stage support for the following integrations:

December 12, 2022

Preview stage support for the following integration:

December 05, 2022

Preview stage support for the following integrations:

November 17, 2022

Preview stage support for the following integration:

November 07, 2022

Beta stage support for the following integration:

November 01, 2022

Beta stage support for the following integration:

October 26, 2022

General availability for the following integration:

October 11, 2022

Preview stage support for the following integration:

September 20, 2022

General availability for the following integration:

September 06, 2022

Beta stage support for the following integration:

September 05, 2022

General availability support for the following integration:

August 10, 2022

General availability for the following integration:

August 08, 2022

Beta stage support for the following integration:

August 05, 2022

Beta stage support for the following integration:

July 26, 2022

General availability for the following integration:

June 30, 2022

Support to add individual VPC networks to a perimeter is now available in Preview.

Previously, the entire VPC host project was added to a perimeter. VPC Service Controls now supports the following enhancements (Preview release):

  • You can now add individual VPC networks as members of a perimeter.
  • You can create an ingress rule to authorize individual VPC networks to access a perimeter.

June 24, 2022

General Availability for the following integration:

Security Token Service

June 08, 2022

Beta stage support for the following integration:

June 07, 2022

General availability for the following integration:

June 01, 2022

General availability for the following integrations:

May 31, 2022

General availability for the following integration:

May 17, 2022

General availability for the following integration:

May 12, 2022

General availability for the following integration:

March 31, 2022

General availability of scoped policies for VPC Service Controls.

To delegate administration of VPC Service Controls perimeters and access levels to folder-level and project-level administrators, you can use scoped policies. You can create access policies that are scoped to specific folders or projects.

March 28, 2022

General availability for the following integration:

March 24, 2022

General availability for the following integrations:

March 17, 2022

Preview stage support for the following integration:

Beta stage support for the following integration:

March 08, 2022

General availability for the following integration:

March 03, 2022

Beta stage support for the following integration:

February 16, 2022

General availability for the following integration:

February 01, 2022

General availability for the following integrations:

Preview support for the following integration:

January 28, 2022

Beta stage support for the following integration:

January 19, 2022

Preview support for the following integration:

January 12, 2022

Preview stage support for the following integrations:

January 11, 2022

Beta stage support for the following integration:

December 06, 2021

Beta stage support for the following integration:

November 23, 2021

General availability for the following integration: * Connect Gateway

Fleet-related APIs (GKE Hub, GKE Connect, Connect Gateway) are now grouped together.

November 15, 2021

General availability for the following integration:

October 28, 2021

General availability for the following integration:

October 20, 2021

General availability for the following integration:

October 18, 2021

General availability for the following integration:

September 30, 2021

Preview stage support for the following integration:

September 29, 2021

General availability for the following integration:

August 10, 2021

General availability for the following integration:

July 30, 2021

General availability for the following integration:

July 27, 2021

Support for Cloud Run is now at General Availability (GA).

July 20, 2021

Preview stage support for the following integration:

  • Network Connectivity Center

July 19, 2021

Beta stage support for the following integration:

July 09, 2021

Beta stage support for the following integration:

July 05, 2021

Beta stage support for the following integration:

July 02, 2021

General availability for the following integration:

July 01, 2021

Preview stage support for the following integration:

June 29, 2021

General availability for the following integration:

This note is incorrect; see entry for July 5, 2021

June 22, 2021

General availability for the following integration:

June 09, 2021

Integration with Document AI VPC Service Controls is now generally available.

May 24, 2021

General availability for the following integration:

May 06, 2021

General availability for the following integration:

May 05, 2021

Beta stage support for the following integration:

April 22, 2021

General Availability release of Ingress and egress rules for VPC Service Controls.

April 13, 2021

General availability for the following integration:

April 06, 2021

Preview support for the following integration:

March 24, 2021

General availability for the following integration:

March 11, 2021

Beta stage support for the following integration:

March 08, 2021

Preview for the following integration:

February 16, 2021

Preview release of Ingress and egress rules for VPC Service Controls.

January 25, 2021

Preview for the following integration:

January 20, 2021

General availability for the following integration:

January 19, 2021

Preview support for the following integration:

January 07, 2021

General availability for the following integration:

December 14, 2020

Preview support for the following integration:

December 08, 2020

November 16, 2020

General availability support for the following integration:

November 04, 2020

Preview support for the following integration:

October 29, 2020

Beta stage support for the following integration:

October 05, 2020

Beta stage support for the following integration:

September 01, 2020

Beta stage support for the following integration:

July 28, 2020

General availability for the following integration:

July 20, 2020

General availability for the following integration:

July 14, 2020

Beta stage support for the following integration:

June 30, 2020

General availability of dry run mode for service perimeters.

This release introduces dry run configurations for your service perimeters, allowing you to test changes to perimeters before enforcing the changes. For more information, read about dry run mode.

Beta release of the VPC Service Controls Troubleshooter.

The VPC Service Controls Troubleshooter allows you to use the unique identifiers generated by VPC Service Controls errors to understand and resolve common denials to services in your perimeters.

During the beta period, the following error types are supported:

  • NO_MATCHING_ACCESS_LEVEL
  • NETWORK_NOT_IN_SAME_SERVICE_PERIMETER
  • RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER

For more information, read about the VPC Service Controls Troubleshooter.

Beta stage support for the following integrations:

June 26, 2020

Beta stage support for the following integration:

June 11, 2020

General availability for bulk changes to service perimeters.

Using Access Context Manager's Bulk API, you can replace all of your organization's service perimeters in one operation. For more information, see Making bulk changes to service perimeters.

June 04, 2020

The VPC accessible services feature is now generally available. Use VPC accessible services to limit the access of network endpoints and VMs in a perimeter to only services protected by that perimeter.

For more information about the feature, see VPC accessible services.

May 21, 2020

Beta stage support for the following integration:

May 13, 2020

Beta stage support for the following integration:

April 09, 2020

The beta version of the VPC accessible services feature is now available.

The VPC accessible services feature introduces the ability to limit the access of network endpoints inside your service perimeter to an explicit set of services.

To learn how to configure VPC accessible services for your perimeter, read about limiting access to services inside a perimeter.

The beta version of dry run mode for service perimeters is now available.

This release introduces a new method of configuring service perimeters: dry run mode. For more information, read about dry run mode.

April 03, 2020

Beta support for bulk changes to service perimeters.

Using the beta release of Access Context Manager's Bulk API, you can perform operations such as replacing all of your organization's service perimeters. For more information, see Making bulk changes to service perimeters.

April 01, 2020

Beta stage support for the following integrations:

March 31, 2020

March 24, 2020

General availability for the following integration:

March 10, 2020

February 06, 2020

Beta stage support for the following integrations:

January 31, 2020

Beta stage support for the following integrations:

December 20, 2019

Beta stage support for the following integration:

December 18, 2019

Beta stage support for the following integrations:

December 17, 2019

General availability support for:

December 16, 2019

Beta stage support for the following integrations:

December 10, 2019

Beta stage support for the following integrations:

December 02, 2019

Unique identifier for VPC Service Controls access errors.

When a request for resources in a perimeter is denied (a 403 error), a unique identifier is generated that you can use to identify the corresponding log entry using Stackdriver Logging.

For more information, see:

October 30, 2019

Beta stage support for the following integrations:

August 22, 2019

The limits for VPC Service Controls have been increased:

  • Previously, only 50 perimeters per policy were allowed. That limit has been increased to 100.
  • Previously, only 2500 projects total were allowed across all perimeters for one policy. That limit has been increased to 4000.

August 09, 2019

General availability for the following integrations:

May 24, 2019

April 01, 2019

Beta stage support for the following:

  • Cloud Dataflow

March 29, 2019

Beta stage support for the following:

  • Cloud Key Management Service
  • Cloud Spanner

March 08, 2019

General availability of VPC Service Controls.

February 28, 2019

Alpha stage support for the Google Kubernetes Engine API.

Beta stage support for Google Kubernetes Engine private clusters.

As of this release, GKE private clusters can be protected by VPC Service Controls service perimeters.

For more information, refer to the VPC Service Controls page and the documentation.

December 20, 2018

Public beta release of VPC Service Controls.

As of this release, VPC Service Controls supports the following services:

  • Cloud Bigtable
  • Cloud Storage
  • BigQuery
  • Cloud Pub/Sub
  • Cloud Dataproc
  • Stackdriver Logging

VPC Service Controls also has Alpha stage support for the following services:

  • Container Registry
  • Cloud Key Management Service
  • Cloud Spanner

App Engine is not supported by VPC Service Controls. However, you can use Access Context Manager to allow App Engine apps outside a service perimeter to access resources protected by VPC Service Controls by adding the App Engine service account to an access level for that perimeter.

For more information, read about App Engine limitations.

The BigQuery Data Transfer Service is not supported. Additionally, there are known limitations with the legacy BigQuery interface, the third-party ODBC driver for BigQuery, and BigQuery audit logs.

For more information, read about BigQuery limitations.

The Java and Python client libraries for all supported services are fully supported for access using the VPC Service Controls restricted VIP. Support for others language is at Alpha stage and should be used for testing purposes only. Client libraries updated since November 1, 2018 must be used.

Service account keys and OAuth2 client metadata used to authenticate must be updated as of November 1, 2018.

For more information, read about client library limitations.

To configure Cloud Billing exporting inside a service perimeter, the user performing the configuration must be added to an access level for that perimeter.

For more information, read about Cloud Billing limitations.

Cloud Dataproc requires additional steps to set up a functional cluster inside a service perimeter.

For more information, read about Cloud Dataproc limitations.

Cloud Functions is not supported by VPC Service Controls. However, you can use Access Context Manager to allow functions outside a service perimeter to access resources protected by VPC Service Controls by adding the Cloud Functions service account to an access level for that perimeter.

For more information, read about Cloud Functions limitations.

VPC Service Controls policy only applies to new Cloud Pub/Sub push subscriptions. Push subscriptions that exist before a service perimeter is created will not be blocked by that perimeter.

For more information, read about Cloud Pub/Sub limitations.

Cloud Shell is not supported. It is treated as outside of service perimeters and denied access to data protected by VPC Service Controls.

Legacy Cloud Storage buckets can in certain cases be written to out of a service perimeter even when access is denied.

Additionally, Cloud Storage audit logs do not always report VPC Service Controls errors correctly.

For more information, read about Cloud Storage limitations.

To create Compute Engine images from Cloud Storage inside a service perimeter, the user performing the configuration must be added to an access level for that perimeter.

For more information, read about Compute Engine limitations.

A Cloud DNS private zone or BIND must be used to map Container Registry to the restricted VIP.

The following Google-managed repositories are available to all projects regardless of service perimeters:

  • dataflow.gcr.io
  • gcr.io/cloud-airflow-releaser
  • gcr.io/cloudsql-docker
  • gcr.io/gke-node-images
  • gcr.io/kubeflow-images-public
  • gcr.io/kubernetes-helm
  • gcr.io/project-calico
  • gcr.io/stackdriver-agents
  • gke.gcr.io
  • k8s.gcr.io
  • mirror.gcr.io

For more information, read about Container Registry limitations.

To use the Google Cloud Platform Console with services protected by a service perimeter, the user accessing the services must be added to an access level for that perimeter.

Because VPC Service Controls does not currently support folder and organization resources, log exports of folder-level and organization-level logs (including aggregate logs) do not support service perimeters.

Aggregated Stackdriver Logging logs can access data protected by a service perimeter. IAM should be used to control access to that data.

For more information, read about Logging limitations.