# Retrieve VPC Service Controls errors from audit logs

Last updated 2025-09-04 (UTC).

This page describes how you can find VPC Service Controls errors using Cloud Logging.

VPC Service Controls helps mitigate data exfiltration risks by isolating multi-tenant Google Cloud services. For more information, see [Overview of VPC Service Controls](/vpc-service-controls/docs/overview).

Determine if an error is due to VPC Service Controls
----------------------------------------------------

VPC Service Controls can modify the properties of Google Cloud services and have cascading effects across services. This can make it difficult to debug issues, especially if you don't know what to look for.

[Service perimeter](/vpc-service-controls/docs/service-perimeters) changes can take up to 30 minutes to propagate and take effect. When the changes have propagated, access to the services restricted in the perimeter isn't allowed to cross the perimeter boundary unless explicitly authorized.

To determine if an error is related to VPC Service Controls, check whether you have enabled VPC Service Controls and applied it to the projects and services you are attempting to use. To verify whether the projects and services are protected by VPC Service Controls, check the VPC Service Controls policy at that level of the resource hierarchy.

Consider an example scenario in which you indirectly use a service that is marked as a *restricted service* by VPC Service Controls in a project that is inside a service perimeter. In such a case, VPC Service Controls might be denying access.

Usually, services propagate error messages from their dependencies. If you encounter one of the following errors, it indicates a problem with VPC Service Controls.

- **Cloud Storage:** `403: Request violates VPC Service Controls.`
- **BigQuery:** `403: VPC Service Controls: Request is prohibited by organization's policy.`
- **Other services:** `403: Request is prohibited by organization's policy.`

Use the error's unique ID
-------------------------

Unlike the Google Cloud console, the `gcloud` command-line tool returns a unique ID for VPC Service Controls errors. To locate log entries for other errors, [filter the logs using metadata](#metadata-filter).

An error generated by VPC Service Controls includes a unique ID that is used to identify the relevant audit logs.

To obtain information about an error using the unique ID, do the following:

1. In the Google Cloud console, go to the **Cloud Logging** page for the project inside the service perimeter that triggered the error.

   [Go to Cloud Logging](https://console.cloud.google.com/logs/query)

2. In the search-filter field, enter the error's unique ID.

You can see the relevant log entry.

Filter logs using metadata
--------------------------

You can use the [Logs Explorer](/logging/docs/view/logs-explorer-interface) to find errors related to VPC Service Controls. You can use the [Logging query language](/logging/docs/view/logging-query-language) to retrieve the logs. For information about building queries, see [Building queries by using the Logging query language](/logging/docs/view/building-queries).

### Console

To obtain the last 24 hours of VPC Service Controls errors in Logging, do the following:

1. In the Google Cloud console, go to the **Cloud Logging** page.

   [Go to Cloud Logging](https://console.cloud.google.com/logs/query)

2. Make sure that you are in the project that is inside the service perimeter.

3. In the search-filter field, enter the following:

       protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"

4. In the **Resource** menu, select **Audited Resource**.

5. In the time-range selector menu, select **Last 24 hours**.

6. Optional: To find the VPC Service Controls errors that have occurred during a different period, use the **time-range selector** menu.

### gcloud

- To obtain the last 24 hours of VPC Service Controls errors, run the following command:

      gcloud logging read 'protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"'

  By default, the `read` command is limited to the last 24 hours. To obtain VPC Service Controls logs for a different period, use one of the following commands:

- To retrieve logs that were generated within a certain period from the current date, run the following command:

      gcloud logging read \
        'protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"' \
        --freshness=DURATION

  `DURATION` is a formatted period of time. For more information about formatting, see [relative duration and time formats](/sdk/gcloud/reference/topic/datetimes#Relative-duration-date) for the gcloud CLI.

- To retrieve all VPC Service Controls errors that have occurred in the past week, run the following command:

      gcloud logging read \
        'protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"' \
        --freshness=7d

- To retrieve logs that were generated between specific dates, run the following command:

      gcloud logging read \
        'protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" AND
        timestamp>="START_DATETIME" AND
        timestamp<="END_DATETIME"'

  `START_DATETIME` and `END_DATETIME` are formatted date and time strings. For more information about formatting, see [absolute date and time formats](/sdk/gcloud/reference/topic/datetimes#Absolute-date) for the gcloud CLI.

  For example, to obtain all VPC Service Controls errors that have occurred between March 22, 2019 and March 26, 2019:

      gcloud logging read \
        'protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" AND
        timestamp>="2019-03-22T23:59:59Z" AND
        timestamp<="2019-03-26T00:00:00Z"'

What's next
-----------

- [Diagnose issues by using the VPC Service Controls troubleshooter](/vpc-service-controls/docs/troubleshooter)
- [Diagnose an access denial event using the VPC Service Controls violation analyzer](/vpc-service-controls/docs/violation-analyzer) ([Preview](/products#product-launch-stages))
- [Troubleshoot common VPC Service Controls issues](/vpc-service-controls/docs/troubleshooting)
- [Troubleshoot common issues related to other Google Cloud services](/vpc-service-controls/docs/troubleshoot-services-within-perimeter)
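The following is an added example, not code from the page or from Google, that ties together the two procedures above: it builds the same Logging query language filters the `gcloud logging read` commands use (bare `@type` match, `--freshness=DURATION`, and a `timestamp` range), and then reduces the JSON that `gcloud logging read --format=json` returns to the fields a responder needs, including the lookup by the unique ID that the "Use the error's unique ID" section describes. The sample log entries are constructed. Every field name beyond `protoPayload.metadata.@type` and `timestamp` (`vpcServiceControlsUniqueId`, `violationReason`, `serviceName`, `methodName`, `authenticationInfo.principalEmail`, `status`) is an assumption about the Cloud Audit Logs schema and should be checked against real entries in your project.

```python
"""Triage VPC Service Controls denials from Cloud Audit Logs (added example).

Builds the Logging query language filters used on the page and parses the
JSON that `gcloud logging read --format=json` emits. SAMPLE_ENTRIES are
CONSTRUCTED. Field names beyond `protoPayload.metadata.@type` and `timestamp`
are an ASSUMPTION about the audit log schema; verify against real entries.
"""
import json

VPC_SC_METADATA_TYPE = (
    "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
)


def build_filter(start=None, end=None):
    """Logging query language filter from the page.

    `start` / `end` are RFC 3339 strings such as "2019-03-22T23:59:59Z". With
    neither given, the filter is the bare @type match and `gcloud logging read`
    applies its default 24-hour window.
    """
    clauses = [f'protoPayload.metadata.@type:"{VPC_SC_METADATA_TYPE}"']
    if start:
        clauses.append(f'timestamp>="{start}"')
    if end:
        clauses.append(f'timestamp<="{end}"')
    return " AND ".join(clauses)


def gcloud_argv(log_filter, freshness=None):
    """Argument vector for subprocess.run(); `freshness` is the page's DURATION (e.g. "7d")."""
    argv = ["gcloud", "logging", "read", log_filter, "--format=json"]
    if freshness:
        argv.append(f"--freshness={freshness}")
    return argv


def vpc_sc_denials(entries_json):
    """Reduce `gcloud logging read --format=json` output to the fields a responder needs."""
    denials = []
    for entry in json.loads(entries_json):
        payload = entry.get("protoPayload", {})
        meta = payload.get("metadata", {})
        if meta.get("@type") != VPC_SC_METADATA_TYPE:
            continue  # ordinary audit record, not a VPC Service Controls one
        denials.append({
            "unique_id": meta.get("vpcServiceControlsUniqueId"),  # assumed field name
            "reason": meta.get("violationReason"),                # assumed field name
            "timestamp": entry.get("timestamp"),
            "service": payload.get("serviceName"),
            "method": payload.get("methodName"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "message": payload.get("status", {}).get("message"),
        })
    return denials


def find_by_unique_id(denials, unique_id):
    """The page's 'Use the error's unique ID' step, applied to parsed entries."""
    return [d for d in denials if d["unique_id"] == unique_id]


# Constructed sample: one VPC Service Controls denial and one unrelated audit entry.
SAMPLE_ENTRIES = json.dumps([
    {
        "timestamp": "2019-03-25T10:15:30.000Z",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.objects.get",
            "authenticationInfo": {"principalEmail": "analyst@example.com"},
            "status": {"code": 7, "message": "Request violates VPC Service Controls."},
            "metadata": {
                "@type": VPC_SC_METADATA_TYPE,
                "vpcServiceControlsUniqueId": "constructed-uid-0001",
                "violationReason": "NO_MATCHING_ACCESS_LEVEL",
            },
        },
    },
    {
        "timestamp": "2019-03-25T10:16:00.000Z",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "bigquery.googleapis.com",
            "methodName": "jobservice.insert",
            "authenticationInfo": {"principalEmail": "analyst@example.com"},
            "status": {},  # succeeded; carries no VPC Service Controls metadata
        },
    },
])

if __name__ == "__main__":
    print(" ".join(gcloud_argv(build_filter("2019-03-22T23:59:59Z", "2019-03-26T00:00:00Z"))))
    for denial in vpc_sc_denials(SAMPLE_ENTRIES):
        print(denial)
```

In practice you would replace `SAMPLE_ENTRIES` with the output of `subprocess.run(gcloud_argv(...), capture_output=True)` run in the project inside the perimeter; the `@type` check is what keeps unrelated audit records out of the result, exactly as the console filter on the page does.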