本页面记录了 VPC Service Controls 的正式版更新。您可以定期查看此页面,以了解有关新增的功能、经过更新的功能、已弃用的功能、错误修复和已知问题的公告。
您可以在 Google Cloud 版本说明页面上查看 Google Cloud 所有产品的最新产品动态。
如需接收最新产品动态,请将本页面的网址添加到您的 Feed 阅读器,或直接添加 Feed 网址:
https://cloud.google.com/feeds/vpc-sc-release-notes.xml
October 21, 2024
General availability support for the following integration:
October 18, 2024
Updated the correct support status for the following integration in the Supported products and limitations page:
- Dialogflow is in Preview stage.
October 15, 2024
Preview stage support for the following integration:
September 11, 2024
Preview stage support for the following integration:
August 20, 2024
Preview stage support for the following integration:
July 31, 2024
VPC Service Controls feature: VPC Service Controls supports using identity groups and third-party identities (only single identities) in ingress and egress rules to allow access to resources protected by service perimeters. This feature is available in Preview.
For more information, see Configure identity groups and third-party identities in ingress and egress rules. You can also learn an example of using identity groups and third-party identities in ingress and egress rules.
July 17, 2024
Preview stage support for the following integration:
July 02, 2024
VPC Service Controls feature: Support to programmatically retrieve the list of services that are supported by VPC Service Controls is generally available. Using this feature, you also can retrieve the list of methods and permissions supported by VPC Service Controls for a service.
- The following changes are made in the output of the
gcloud access-context-manager supported-services list
command:- The field name
SUPPORT_STAGE
is changed intoSERVICE_SUPPORT_STAGE
. - The status
BETA
is changed intoPREVIEW
in theSERVICE_SUPPORT_STAGE
field. - A new status
DEPRECATED
is added in theSERVICE_SUPPORT_STAGE
field.
- The field name
- The field name
supportStage
is changed intoserviceSupportStage
in the output of thegcloud access-context-manager supported-services describe
command.
June 27, 2024
VPC Service Controls feature: Support for using an internal IP address to allow access to protected resources is generally available.
For more information, see Allow access to protected resources from an internal IP address. Make sure that you read the updated Limitations section before using this feature.
May 29, 2024
Preview stage support for the following integration:
- Kubernetes Metadata API
For more information, see Anthos On-Prem API, Google Kubernetes Engine, and GKE Multi-Cloud.
May 23, 2024
Preview stage support for the following integration:
April 29, 2024
General availability support for the following integration:
General availability support for the following integration:
April 08, 2024
General availability support for the following integration:
March 21, 2024
Preview stage support for the following integration:
March 19, 2024
Beta stage support for the following integration:
Preview stage support for the following integration:
March 14, 2024
Preview stage support for the following integration:
March 07, 2024
General availability support for the following integration:
February 27, 2024
General availability support for the following integration:
Preview stage support for the following integration:
February 21, 2024
General availability support for the following integration:
January 17, 2024
Preview stage support for the following integration:
The ability to programmatically retrieve the list of services that are supported by VPC Service Controls is available in Preview. Using this feature, you can also retrieve the list of methods and permissions supported by VPC Service Controls for a service.
December 06, 2023
The ability to allow access to protected resources from an internal IP address is available in Preview.
November 21, 2023
Preview stage supported for the following integration:
November 20, 2023
General availability support for the following integration:
November 08, 2023
Preview stage supported for the following integration:
Preview stage supported for the following integration:
November 01, 2023
General availability support for the following integration:
September 28, 2023
Preview stage supported for the following integration:
September 13, 2023
Preview stage support for the following integration:
August 15, 2023
General availability support for the following integration:
August 14, 2023
Preview stage support for the following integration:
August 09, 2023
Preview stage support for the following integration:
General availability support for the following integration:
August 04, 2023
Preview stage support for the following integration:
July 19, 2023
Preview stage support for the following integration:
July 18, 2023
General availability support for the following integration:
July 12, 2023
The Quota page displays only the default quota limits and doesn't include any additional quotas provided by Google.
For information about VPC Service Controls quotas, see Quotas and limits.
June 22, 2023
Preview stage support for the following integration:
June 20, 2023
General availability for the following integration:
June 01, 2023
Preview stage support for the following integration:
May 08, 2023
General availability for the following integration:
April 14, 2023
VPC Service Controls support for Cloud Scheduler jobs with the following targets is now in Preview:
- Cloud Functions
- Cloud Run
- Dataflow API
- Data Pipelines
To learn more, see the documentation on how to secure cron jobs with VPC Service Controls.
April 10, 2023
Preview stage support for the following integration:
March 27, 2023
Preview stage support for the following integration:
March 23, 2023
Preview stage support for the following integration:
March 17, 2023
Preview stage support for the following integration:
March 10, 2023
Preview stage support for the following integration:
February 22, 2023
Preview stage support for the following integration:
February 17, 2023
The ability to add individual VPC networks to a perimeter is generally available (GA).
Previously, all VPC networks in a host project were added to a perimeter. You can now do the following:
- Add individual VPC networks as members of a perimeter.
- Create an ingress rule to authorize individual VPC networks to access a perimeter.
February 10, 2023
Preview stage support for the following integration:
January 26, 2023
Preview stage support for the following integration:
January 24, 2023
General availability for the following integration:
January 19, 2023
Preview stage support for the following integration:
January 09, 2023
Support for Cloud Tasks is now at General Availability. To learn more, see the Cloud Tasks documentation on setting up a service perimeter using VPC Service Controls.
January 04, 2023
Preview stage support for the following integration:
December 20, 2022
Preview stage support for the following integration:
December 15, 2022
Preview stage support for the following integrations:
December 12, 2022
Preview stage support for the following integration:
December 05, 2022
Preview stage support for the following integrations:
November 17, 2022
Preview stage support for the following integration:
November 07, 2022
Beta stage support for the following integration:
November 01, 2022
Beta stage support for the following integration:
October 26, 2022
General availability for the following integration:
October 11, 2022
Preview stage support for the following integration:
September 20, 2022
General availability for the following integration:
September 06, 2022
Beta stage support for the following integration:
September 05, 2022
General availability support for the following integration:
August 10, 2022
General availability for the following integration:
August 08, 2022
Beta stage support for the following integration:
August 05, 2022
Beta stage support for the following integration:
July 26, 2022
General availability for the following integration:
June 30, 2022
Support to add individual VPC networks to a perimeter is now available in Preview.
Previously, the entire VPC host project was added to a perimeter. VPC Service Controls now supports the following enhancements (Preview release):
- You can now add individual VPC networks as members of a perimeter.
- You can create an ingress rule to authorize individual VPC networks to access a perimeter.
June 24, 2022
General Availability for the following integration:
June 08, 2022
Beta stage support for the following integration:
June 07, 2022
General availability for the following integration:
June 01, 2022
General availability for the following integrations:
May 31, 2022
General availability for the following integration:
May 17, 2022
General availability for the following integration:
May 12, 2022
General availability for the following integration:
March 31, 2022
General availability of scoped policies for VPC Service Controls.
To delegate administration of VPC Service Controls perimeters and access levels to folder-level and project-level administrators, you can use scoped policies. You can create access policies that are scoped to specific folders or projects.
March 28, 2022
General availability for the following integration:
March 24, 2022
General availability for the following integrations:
March 17, 2022
Preview stage support for the following integration:
Beta stage support for the following integration:
March 08, 2022
General availability for the following integration:
March 03, 2022
Beta stage support for the following integration:
February 16, 2022
General availability for the following integration:
February 01, 2022
General availability for the following integrations:
Preview support for the following integration:
January 28, 2022
Beta stage support for the following integration:
January 19, 2022
Preview support for the following integration:
- Image streaming for container images stored in Artifact Registry.
January 12, 2022
Preview stage support for the following integrations:
January 11, 2022
Beta stage support for the following integration:
December 06, 2021
Beta stage support for the following integration:
November 23, 2021
General availability for the following integration: * Connect Gateway
Fleet-related APIs (GKE Hub, GKE Connect, Connect Gateway) are now grouped together.
November 15, 2021
General availability for the following integration:
October 28, 2021
General availability for the following integration:
October 20, 2021
General availability for the following integration:
October 18, 2021
General availability for the following integration:
September 30, 2021
Preview stage support for the following integration:
September 29, 2021
General availability for the following integration:
August 10, 2021
General availability for the following integration:
July 30, 2021
General availability for the following integration:
July 27, 2021
Support for Cloud Run is now at General Availability (GA).
July 20, 2021
Preview stage support for the following integration:
- Network Connectivity Center
July 19, 2021
Beta stage support for the following integration:
July 09, 2021
Beta stage support for the following integration:
July 05, 2021
Beta stage support for the following integration:
July 02, 2021
General availability for the following integration:
July 01, 2021
Preview stage support for the following integration:
June 29, 2021
General availability for the following integration:
This note is incorrect; see entry for July 5, 2021
June 22, 2021
General availability for the following integration:
June 09, 2021
Integration with Document AI VPC Service Controls is now generally available.
May 24, 2021
General availability for the following integration:
May 06, 2021
General availability for the following integration:
May 05, 2021
Beta stage support for the following integration:
April 22, 2021
General Availability release of Ingress and egress rules for VPC Service Controls.
April 13, 2021
General availability for the following integration:
April 06, 2021
Preview support for the following integration:
March 24, 2021
General availability for the following integration:
March 11, 2021
Beta stage support for the following integration:
March 08, 2021
Preview for the following integration:
February 16, 2021
Preview release of Ingress and egress rules for VPC Service Controls.
January 25, 2021
Preview for the following integration:
January 20, 2021
General availability for the following integration:
January 19, 2021
Preview support for the following integration:
January 07, 2021
General availability for the following integration:
December 14, 2020
Preview support for the following integration:
December 08, 2020
Preview support for the following integration:
November 16, 2020
General availability support for the following integration:
November 04, 2020
Preview support for the following integration:
October 29, 2020
Beta stage support for the following integration:
October 05, 2020
Beta stage support for the following integration:
September 01, 2020
Beta stage support for the following integration:
July 28, 2020
General availability for the following integration:
July 20, 2020
General availability for the following integration:
July 14, 2020
Beta stage support for the following integration:
June 30, 2020
General availability of dry run mode for service perimeters.
This release introduces dry run configurations for your service perimeters, allowing you to test changes to perimeters before enforcing the changes. For more information, read about dry run mode.
Beta release of the VPC Service Controls Troubleshooter.
The VPC Service Controls Troubleshooter allows you to use the unique identifiers generated by VPC Service Controls errors to understand and resolve common denials to services in your perimeters.
During the beta period, the following error types are supported:
NO_MATCHING_ACCESS_LEVEL
NETWORK_NOT_IN_SAME_SERVICE_PERIMETER
RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER
For more information, read about the VPC Service Controls Troubleshooter.
Beta stage support for the following integrations:
June 26, 2020
Beta stage support for the following integration:
June 11, 2020
General availability for bulk changes to service perimeters.
Using Access Context Manager's Bulk API, you can replace all of your organization's service perimeters in one operation. For more information, see Making bulk changes to service perimeters.
June 04, 2020
The VPC accessible services feature is now generally available. Use VPC accessible services to limit the access of network endpoints and VMs in a perimeter to only services protected by that perimeter.
For more information about the feature, see VPC accessible services.
May 21, 2020
Beta stage support for the following integration:
May 13, 2020
Beta stage support for the following integration:
April 09, 2020
The beta version of the VPC accessible services feature is now available.
The VPC accessible services feature introduces the ability to limit the access of network endpoints inside your service perimeter to an explicit set of services.
To learn how to configure VPC accessible services for your perimeter, read about limiting access to services inside a perimeter.
The beta version of dry run mode for service perimeters is now available.
This release introduces a new method of configuring service perimeters: dry run mode. For more information, read about dry run mode.
April 03, 2020
Beta support for bulk changes to service perimeters.
Using the beta release of Access Context Manager's Bulk API, you can perform operations such as replacing all of your organization's service perimeters. For more information, see Making bulk changes to service perimeters.
April 01, 2020
Beta stage support for the following integrations:
March 31, 2020
Beta stage support for the following integrations:
March 24, 2020
General availability for the following integration:
March 10, 2020
Beta stage support for:
February 06, 2020
Beta stage support for the following integrations:
January 31, 2020
Beta stage support for the following integrations:
December 20, 2019
Beta stage support for the following integration:
December 18, 2019
Beta stage support for the following integrations:
December 17, 2019
General availability support for:
December 16, 2019
Beta stage support for the following integrations:
December 10, 2019
Beta stage support for the following integrations:
December 02, 2019
Unique identifier for VPC Service Controls access errors.
When a request for resources in a perimeter is denied (a 403 error), a unique identifier is generated that you can use to identify the corresponding log entry using Stackdriver Logging.
For more information, see:
October 30, 2019
Beta stage support for the following integrations:
August 22, 2019
The limits for VPC Service Controls have been increased:
- Previously, only 50 perimeters per policy were allowed. That limit has been increased to 100.
- Previously, only 2500 projects total were allowed across all perimeters for one policy. That limit has been increased to 4000.
August 09, 2019
General availability for the following integrations:
May 24, 2019
General availability for the following integrations:
April 01, 2019
Beta stage support for the following:
- Cloud Dataflow
March 29, 2019
Beta stage support for the following:
- Cloud Key Management Service
- Cloud Spanner
March 08, 2019
General availability of VPC Service Controls.
February 28, 2019
Alpha stage support for the Google Kubernetes Engine API.
Beta stage support for Google Kubernetes Engine private clusters.
As of this release, GKE private clusters can be protected by VPC Service Controls service perimeters.
For more information, refer to the VPC Service Controls page and the documentation.
December 20, 2018
Public beta release of VPC Service Controls.
As of this release, VPC Service Controls supports the following services:
- Cloud Bigtable
- Cloud Storage
- BigQuery
- Cloud Pub/Sub
- Cloud Dataproc
- Stackdriver Logging
VPC Service Controls also has Alpha stage support for the following services:
- Container Registry
- Cloud Key Management Service
- Cloud Spanner
App Engine is not supported by VPC Service Controls. However, you can use Access Context Manager to allow App Engine apps outside a service perimeter to access resources protected by VPC Service Controls by adding the App Engine service account to an access level for that perimeter.
For more information, read about App Engine limitations.
The BigQuery Data Transfer Service is not supported. Additionally, there are known limitations with the legacy BigQuery interface, the third-party ODBC driver for BigQuery, and BigQuery audit logs.
For more information, read about BigQuery limitations.
The Java and Python client libraries for all supported services are fully supported for access using the VPC Service Controls restricted VIP. Support for others language is at Alpha stage and should be used for testing purposes only. Client libraries updated since November 1, 2018 must be used.
Service account keys and OAuth2 client metadata used to authenticate must be updated as of November 1, 2018.
For more information, read about client library limitations.
To configure Cloud Billing exporting inside a service perimeter, the user performing the configuration must be added to an access level for that perimeter.
For more information, read about Cloud Billing limitations.
Cloud Dataproc requires additional steps to set up a functional cluster inside a service perimeter.
For more information, read about Cloud Dataproc limitations.
Cloud Functions is not supported by VPC Service Controls. However, you can use Access Context Manager to allow functions outside a service perimeter to access resources protected by VPC Service Controls by adding the Cloud Functions service account to an access level for that perimeter.
For more information, read about Cloud Functions limitations.
VPC Service Controls policy only applies to new Cloud Pub/Sub push subscriptions. Push subscriptions that exist before a service perimeter is created will not be blocked by that perimeter.
For more information, read about Cloud Pub/Sub limitations.
Cloud Shell is not supported. It is treated as outside of service perimeters and denied access to data protected by VPC Service Controls.
Legacy Cloud Storage buckets can in certain cases be written to out of a service perimeter even when access is denied.
Additionally, Cloud Storage audit logs do not always report VPC Service Controls errors correctly.
For more information, read about Cloud Storage limitations.
To create Compute Engine images from Cloud Storage inside a service perimeter, the user performing the configuration must be added to an access level for that perimeter.
For more information, read about Compute Engine limitations.
A Cloud DNS private zone or BIND must be used to map Container Registry to the restricted VIP.
The following Google-managed repositories are available to all projects regardless of service perimeters:
- dataflow.gcr.io
- gcr.io/cloud-airflow-releaser
- gcr.io/cloudsql-docker
- gcr.io/gke-node-images
- gcr.io/kubeflow-images-public
- gcr.io/kubernetes-helm
- gcr.io/project-calico
- gcr.io/stackdriver-agents
- gke.gcr.io
- k8s.gcr.io
- mirror.gcr.io
For more information, read about Container Registry limitations.
To use the Google Cloud Platform Console with services protected by a service perimeter, the user accessing the services must be added to an access level for that perimeter.
Because VPC Service Controls does not currently support folder and organization resources, log exports of folder-level and organization-level logs (including aggregate logs) do not support service perimeters.
Aggregated Stackdriver Logging logs can access data protected by a service perimeter. IAM should be used to control access to that data.
For more information, read about Logging limitations.