Release Notes

This page documents production updates to VPC Service Controls. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

To get the latest product updates delivered to you, add the URL of this page to your feed reader.

August 22, 2019

The limits for VPC Service Controls have been increased:

  • Previously, only 2000 projects per perimeter were allowed. That limit has been increased to 4000.
  • Previously, only 50 perimeters per policy were allowed. That limit has been increased to 100.
  • Previously, only 2500 projects total were allowed across all perimeters for one policy. That limit has been increased to 4000.

August 9, 2019

General availability for the following integrations:

May 24, 2019

April 1, 2019

Beta stage support for the following:

  • Cloud Dataflow

March 29, 2019

Beta stage support for the following:

  • Cloud Key Management Service
  • Cloud Spanner

March 8, 2019

General availability of VPC Service Controls.

February 28, 2019

Alpha stage support for the Google Kubernetes Engine API.

Beta stage support for Google Kubernetes Engine private clusters.

As of this release, GKE private clusters can be protected by VPC Service Controls service perimeters.

For more information, refer to the VPC Service Controls page and the documentation.

December 20, 2018

Public beta release of VPC Service Controls.

As of this release, VPC Service Controls supports the following services:

  • Cloud Bigtable
  • Cloud Storage
  • BigQuery
  • Cloud Pub/Sub
  • Cloud Dataproc
  • Stackdriver Logging

VPC Service Controls also has Alpha stage support for the following services:

Note: We recommend you protect these services for testing purposes only.

  • Container Registry
  • Cloud Key Management Service
  • Cloud Spanner

For more information, refer to the VPC Service Controls page and the documentation.

App Engine is not supported by VPC Service Controls. However, you can use Access Context Manager to allow App Engine apps outside a service perimeter to access resources protected by VPC Service Controls by adding the App Engine service account to an access level for that perimeter.

For more information, read about App Engine limitations.

The BigQuery Data Transfer Service is not supported. Additionally, there are known limitations with the legacy BigQuery interface, the third-party ODBC driver for BigQuery, and BigQuery audit logs.

For more information, read about BigQuery limitations.

The Java and Python client libraries for all supported services are fully supported for access using the VPC Service Controls restricted VIP. Support for other languages is at Alpha stage and should be used for testing purposes only. Client libraries updated since November 1, 2018 must be used.

Service account keys and OAuth2 client metadata used to authenticate must be updated as of November 1, 2018.

For more information, read about client library limitations.

To configure Cloud Billing exporting inside a service perimeter, the user performing the configuration must be added to an access level for that perimeter.

For more information, read about Cloud Billing limitations.

Cloud Dataproc requires additional steps to set up a functional cluster inside a service perimeter.

For more information, read about Cloud Dataproc limitations.

Cloud Functions is not supported by VPC Service Controls. However, you can use Access Context Manager to allow functions outside a service perimeter to access resources protected by VPC Service Controls by adding the Cloud Functions service account to an access level for that perimeter.

For more information, read about Cloud Functions limitations.

VPC Service Controls policy only applies to new Cloud Pub/Sub push subscriptions. Push subscriptions that exist before a service perimeter is created will not be blocked by that perimeter.

For more information, read about Cloud Pub/Sub limitations.

Cloud Shell is not supported. It is treated as outside of service perimeters and denied access to data protected by VPC Service Controls.

Legacy Cloud Storage buckets can in certain cases be written to from outside a service perimeter even when access is denied.

Additionally, Cloud Storage audit logs do not always report VPC Service Controls errors correctly.

For more information, read about Cloud Storage limitations.

To create Compute Engine images from Cloud Storage inside a service perimeter, the user performing the configuration must be added to an access level for that perimeter.

For more information, read about Compute Engine limitations.

A Cloud DNS private zone or BIND must be used to map Container Registry to the restricted VIP.
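As an added illustration of the mapping described above (example code, not part of these release notes or Google's own tooling), the helpers below build a BIND zone that sends a registry apex such as gcr.io to the restricted VIP and then verify that a set of resolved addresses really lands in that range. They assume restricted.googleapis.com resolves to 199.36.153.4/30; confirm the current range in the product documentation before relying on it.

```shell
#!/bin/sh
# Added example, not from the release notes page. Assumption: the restricted
# VIP is 199.36.153.4/30, i.e. 199.36.153.4 through 199.36.153.7.
RESTRICTED_VIPS="199.36.153.4 199.36.153.5 199.36.153.6 199.36.153.7"

# Print a BIND zone for the registry apex in $1 (e.g. gcr.io). The apex gets
# one A record per restricted VIP address; the wildcard CNAME folds regional
# hosts such as eu.gcr.io and asia.gcr.io onto the apex so they inherit it.
gcr_zone() {
  apex="$1"
  printf '$TTL 300\n'
  printf '@ IN SOA ns.%s. admin.%s. ( 1 3600 600 86400 300 )\n' "$apex" "$apex"
  printf '@ IN NS ns.%s.\n' "$apex"
  for ip in $RESTRICTED_VIPS; do
    printf '@ IN A %s\n' "$ip"
  done
  printf '* IN CNAME %s.\n' "$apex"
}

# Return 0 if the dotted-quad address in $1 lies inside 199.36.153.4/30.
in_restricted_vip() {
  ip="$1"
  oldifs="$IFS"; IFS=.
  set -- $ip
  IFS="$oldifs"
  [ "$#" -eq 4 ] || return 1
  # A /30 fixes the first three octets and leaves the last octet in 4..7.
  { [ "$1" -eq 199 ] && [ "$2" -eq 36 ] && [ "$3" -eq 153 ] \
    && [ "$4" -ge 4 ] && [ "$4" -le 7 ]; } 2>/dev/null || return 1
  return 0
}

# $1 is a whitespace-separated list of addresses a registry host resolved to
# (for instance from `getent ahosts gcr.io`). Succeed only if every address is
# on the restricted VIP: one public address means the private zone is not in
# effect and image pulls would bypass the perimeter's intended DNS path.
all_restricted() {
  for ip in $1; do
    in_restricted_vip "$ip" || return 1
  done
  return 0
}
```

Feed the zone output into Cloud DNS or BIND, then run `all_restricted` against the addresses a perimeter VM actually resolves to before trusting the setup.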

The following Google-managed repositories are available to all projects regardless of service perimeters:

  • dataflow.gcr.io
  • gcr.io/cloud-airflow-releaser
  • gcr.io/cloudsql-docker
  • gcr.io/gke-node-images
  • gcr.io/kubeflow-images-public
  • gcr.io/kubernetes-helm
  • gcr.io/project-calico
  • gcr.io/stackdriver-agents
  • gke.gcr.io
  • k8s.gcr.io
  • mirror.gcr.io

For more information, read about Container Registry limitations.

To use the Google Cloud Platform Console with services protected by a service perimeter, the user accessing the services must be added to an access level for that perimeter.

Because VPC Service Controls does not currently support folder and organization resources, log exports of folder-level and organization-level logs (including aggregate logs) do not support service perimeters.

Aggregated Stackdriver Logging logs can access data protected by a service perimeter. Cloud IAM should be used to control access to that data.

For more information, read about Logging limitations.
