Release notes

This page documents production updates to VPC Service Controls. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.

You can see the latest product updates for all of Google Cloud on the Google Cloud release notes page.

To get the latest product updates, add the URL of this page to your feed reader, or add the feed URL directly: https://cloud.google.com/feeds/vpc-sc-release-notes.xml

October 05, 2020

Beta stage support for the following integration:

September 01, 2020

Beta stage support for the following integration:

July 28, 2020

General availability for the following integration:

July 20, 2020

General availability for the following integration:

July 14, 2020

Beta stage support for the following integration:

June 30, 2020

General availability of dry run mode for service perimeters.

This release introduces dry run configurations for your service perimeters, allowing you to test changes to perimeters before enforcing the changes. For more information, read about dry run mode.

Beta release of the VPC Service Controls Troubleshooter.

The VPC Service Controls Troubleshooter allows you to use the unique identifiers generated by VPC Service Controls errors to understand and resolve common denials to services in your perimeters.

During the beta period, the following error types are supported:

  • NO_MATCHING_ACCESS_LEVEL
  • NETWORK_NOT_IN_SAME_SERVICE_PERIMETER
  • RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER

For more information, read about the VPC Service Controls Troubleshooter.

Beta stage support for the following integrations:

June 26, 2020

Beta stage support for the following integration:

June 11, 2020

General availability for bulk changes to service perimeters.

Using Access Context Manager's Bulk API, you can replace all of your organization's service perimeters in one operation. For more information, see Making bulk changes to service perimeters.

June 04, 2020

The VPC accessible services feature is now generally available. Use VPC accessible services to limit the access of network endpoints and VMs in a perimeter to only services protected by that perimeter.

For more information about the feature, see VPC accessible services.

May 21, 2020

Beta stage support for the following integration:

May 13, 2020

Beta stage support for the following integration:

April 09, 2020

The beta version of the VPC accessible services feature is now available.

The VPC accessible services feature introduces the ability to limit the access of network endpoints inside your service perimeter to an explicit set of services.

To learn how to configure VPC accessible services for your perimeter, read about limiting access to services inside a perimeter.

The beta version of dry run mode for service perimeters is now available.

This release introduces a new method of configuring service perimeters: dry run mode. For more information, read about dry run mode.

April 03, 2020

Beta support for bulk changes to service perimeters.

Using the beta release of Access Context Manager's Bulk API, you can perform operations such as replacing all of your organization's service perimeters. For more information, see Making bulk changes to service perimeters.

April 01, 2020

Beta stage support for the following integrations:

March 31, 2020

March 24, 2020

General availability for the following integration:

March 10, 2020

February 06, 2020

Beta stage support for the following integrations:

January 31, 2020

Beta stage support for the following integrations:

December 20, 2019

Beta stage support for the following integration:

December 18, 2019

Beta stage support for the following integrations:

December 17, 2019

General availability support for:

December 16, 2019

Beta stage support for the following integrations:

December 10, 2019

Beta stage support for the following integrations:

December 02, 2019

Unique identifier for VPC Service Controls access errors.

When a request for resources in a perimeter is denied (a 403 error), a unique identifier is generated that you can use to identify the corresponding log entry using Stackdriver Logging.

For more information, see:

October 30, 2019

Beta stage support for the following integrations:

August 22, 2019

The limits for VPC Service Controls have been increased:

  • Previously, only 50 perimeters per policy were allowed. That limit has been increased to 100.
  • Previously, only 2500 projects total were allowed across all perimeters for one policy. That limit has been increased to 4000.

August 09, 2019

General availability for the following integrations:

May 24, 2019

April 01, 2019

Beta stage support for the following:

  • Cloud Dataflow

March 29, 2019

Beta stage support for the following:

  • Cloud Key Management Service
  • Cloud Spanner

March 08, 2019

General availability of VPC Service Controls.

February 28, 2019

Alpha stage support for the Google Kubernetes Engine API.

Beta stage support for Google Kubernetes Engine private clusters.

As of this release, GKE private clusters can be protected by VPC Service Controls service perimeters.

For more information, refer to the VPC Service Controls page and the documentation.

December 20, 2018

Public beta release of VPC Service Controls.

As of this release, VPC Service Controls supports the following services:

  • Cloud Bigtable
  • Cloud Storage
  • BigQuery
  • Cloud Pub/Sub
  • Cloud Dataproc
  • Stackdriver Logging

VPC Service Controls also has Alpha stage support for the following services:

  • Container Registry
  • Cloud Key Management Service
  • Cloud Spanner

App Engine is not supported by VPC Service Controls. However, you can use Access Context Manager to allow App Engine apps outside a service perimeter to access resources protected by VPC Service Controls by adding the App Engine service account to an access level for that perimeter.

For more information, read about App Engine limitations.

The BigQuery Data Transfer Service is not supported. Additionally, there are known limitations with the legacy BigQuery interface, the third-party ODBC driver for BigQuery, and BigQuery audit logs.

For more information, read about BigQuery limitations.

The Java and Python client libraries for all supported services are fully supported for access using the VPC Service Controls restricted VIP. Support for other languages is at Alpha stage and should be used for testing purposes only. Client libraries updated since November 1, 2018 must be used.

Service account keys and OAuth2 client metadata used to authenticate must be updated as of November 1, 2018.

For more information, read about client library limitations.

To configure Cloud Billing exporting inside a service perimeter, the user performing the configuration must be added to an access level for that perimeter.

For more information, read about Cloud Billing limitations.

Cloud Dataproc requires additional steps to set up a functional cluster inside a service perimeter.

For more information, read about Cloud Dataproc limitations.

Cloud Functions is not supported by VPC Service Controls. However, you can use Access Context Manager to allow functions outside a service perimeter to access resources protected by VPC Service Controls by adding the Cloud Functions service account to an access level for that perimeter.

For more information, read about Cloud Functions limitations.

VPC Service Controls policy only applies to new Cloud Pub/Sub push subscriptions. Push subscriptions that exist before a service perimeter is created will not be blocked by that perimeter.

For more information, read about Cloud Pub/Sub limitations.

Cloud Shell is not supported. It is treated as outside of service perimeters and denied access to data protected by VPC Service Controls.

In certain cases, legacy Cloud Storage buckets can be written to from outside a service perimeter even when access is denied.

Additionally, Cloud Storage audit logs do not always report VPC Service Controls errors correctly.

For more information, read about Cloud Storage limitations.

To create Compute Engine images from Cloud Storage inside a service perimeter, the user performing the configuration must be added to an access level for that perimeter.

For more information, read about Compute Engine limitations.

A Cloud DNS private zone or BIND must be used to map Container Registry to the restricted VIP.

The following Google-managed repositories are available to all projects regardless of service perimeters:

  • dataflow.gcr.io
  • gcr.io/cloud-airflow-releaser
  • gcr.io/cloudsql-docker
  • gcr.io/gke-node-images
  • gcr.io/kubeflow-images-public
  • gcr.io/kubernetes-helm
  • gcr.io/project-calico
  • gcr.io/stackdriver-agents
  • gke.gcr.io
  • k8s.gcr.io
  • mirror.gcr.io

For more information, read about Container Registry limitations.

To use the Google Cloud Platform Console with services protected by a service perimeter, the user accessing the services must be added to an access level for that perimeter.

Because VPC Service Controls does not currently support folder and organization resources, log exports of folder-level and organization-level logs (including aggregate logs) do not support service perimeters.

Aggregated Stackdriver Logging logs can access data protected by a service perimeter. Use IAM to control access to that data.

For more information, read about Logging limitations.