Supported products and limitations

This page contains a table of products and services that are supported by VPC Service Controls, as well as a list of known limitations with certain services and interfaces.

Supported products

VPC Service Controls supports the following products:

AI Platform Prediction

Status Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address ml.googleapis.com
Details

VPC Service Controls supports online prediction, but not batch prediction.

For more information about AI Platform Prediction, refer to the product documentation.

Limitations
  • To fully protect AI Platform Prediction, add all of the following APIs to the service perimeter:

    • AI Platform Training and Prediction API (ml.googleapis.com)
    • Pub/Sub API (pubsub.googleapis.com)
    • Cloud Storage API (storage.googleapis.com)
    • Google Kubernetes Engine API (container.googleapis.com)
    • Container Registry API (containerregistry.googleapis.com)
    • Cloud Logging API (logging.googleapis.com)

    Read more about setting up VPC Service Controls for AI Platform Prediction.

  • Batch prediction is not supported when you use AI Platform Prediction inside a service perimeter.

  • AI Platform Prediction and AI Platform Training both use the AI Platform Training and Prediction API, so you must configure VPC Service Controls for both products. Read more about setting up VPC Service Controls for AI Platform Training.

AI Platform Training

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address ml.googleapis.com
Details

The API for AI Platform Training can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about AI Platform Training, refer to the product documentation.

Limitations
  • To fully protect your AI Platform Training training jobs, add all of the following APIs to the service perimeter:

    • AI Platform Training and Prediction API (ml.googleapis.com)
    • Pub/Sub API (pubsub.googleapis.com)
    • Cloud Storage API (storage.googleapis.com)
    • Google Kubernetes Engine API (container.googleapis.com)
    • Container Registry API (containerregistry.googleapis.com)
    • Cloud Logging API (logging.googleapis.com)

    Read more about setting up VPC Service Controls for AI Platform Training.

  • Training with TPUs is not supported when you use AI Platform Training inside a service perimeter.

  • AI Platform Training and AI Platform Prediction both use the AI Platform Training and Prediction API, so you must configure VPC Service Controls for both products. Read more about setting up VPC Service Controls for AI Platform Prediction.

AI Platform Notebooks

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address notebooks.googleapis.com
Details

The API for AI Platform Notebooks can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about AI Platform Notebooks, refer to the product documentation.

Limitations
  • To use AI Platform Notebooks within a VPC Service Controls service perimeter, you must add or configure several DNS entries to point the following domains to the restricted VIP:

    • *.notebooks.googleapis.com
    • *.datalab.cloud.google.com
    • *.notebooks.cloud.google.com
    • *.notebooks.googleusercontent.com

Apigee and Apigee hybrid

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address apigee.googleapis.com, apigeeconnect.googleapis.com
Details

The API for Apigee and Apigee hybrid can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Apigee and Apigee hybrid, refer to the product documentation.

Limitations

Apigee integrations with VPC Service Controls have the following limitations:

  • You must use Drupal if you use portals. You cannot use integrated portals.
  • You must deploy Drupal portals within the service perimeter.

Anthos Service Mesh

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address meshca.googleapis.com
Details

The API for Anthos Service Mesh can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Anthos Service Mesh, refer to the product documentation.

Limitations

  • Service perimeters can only protect the Cloud Service Mesh Certificate Authority API. You can add a service perimeter to protect your Identity Namespace.

Artifact Registry

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address artifactregistry.googleapis.com
Details

In addition to protecting the Artifact Registry API, Artifact Registry can be used inside service perimeters with GKE and Compute Engine.

For more information about Artifact Registry, refer to the product documentation.

Limitations
  • Because it does not use the googleapis.com domain, Artifact Registry must be configured through Private DNS or BIND to map to the restricted VIP separately from other APIs. For more information, see Securing repositories in a service perimeter.
  • In addition to the artifacts inside a perimeter that are available to Artifact Registry, the following read-only Google-managed Container Registry repositories are available to all projects regardless of service perimeters:

    • gcr.io/asci-toolchain
    • gcr.io/cloud-airflow-releaser
    • gcr.io/cloud-builders
    • gcr.io/cloud-dataflow
    • gcr.io/cloud-marketplace
    • gcr.io/cloud-ssa
    • gcr.io/cloudsql-docker
    • gcr.io/config-management-release
    • gcr.io/foundry-dev
    • gcr.io/fn-img
    • gcr.io/gke-node-images
    • gcr.io/gke-release
    • gcr.io/google-containers
    • gcr.io/kubeflow
    • gcr.io/kubeflow-images-public
    • gcr.io/kubernetes-helm
    • gcr.io/istio-release
    • gcr.io/ml-pipeline
    • gcr.io/projectcalico-org
    • gcr.io/rbe-containers
    • gcr.io/rbe-windows-test-images
    • gcr.io/speckle-umbrella
    • gcr.io/stackdriver-agents
    • gcr.io/tensorflow
    • gke.gcr.io
    • k8s.gcr.io

    In all cases, the regional versions of these repositories are also available.

    Cached images on mirror.gcr.io are only available if Container Registry is also in the perimeter.

AutoML Natural Language

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address automl.googleapis.com, eu-automl.googleapis.com
Details

To fully protect the AutoML API, include all of the following APIs in your perimeter:

  • AutoML API (automl.googleapis.com)
  • Cloud Storage API (storage.googleapis.com)
  • Compute Engine API (compute.googleapis.com)
  • BigQuery API (bigquery.googleapis.com)

For more information about AutoML Natural Language, refer to the product documentation.

Limitations
All AutoML products that are integrated with VPC Service Controls use the same service address. For more information, see the limitations for using AutoML products with VPC Service Controls.

AutoML Tables

Status Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address automl.googleapis.com, eu-automl.googleapis.com
Details

To fully protect the AutoML API, include all of the following APIs in your perimeter:

  • AutoML API (automl.googleapis.com)
  • Cloud Storage API (storage.googleapis.com)
  • Compute Engine API (compute.googleapis.com)
  • BigQuery API (bigquery.googleapis.com)

For more information about AutoML Tables, refer to the product documentation.

Limitations
All AutoML products that are integrated with VPC Service Controls use the same service address. For more information, see the limitations for using AutoML products with VPC Service Controls.

AutoML Translation

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address automl.googleapis.com, eu-automl.googleapis.com
Details

To fully protect the AutoML API, include all of the following APIs in your perimeter:

  • AutoML API (automl.googleapis.com)
  • Cloud Storage API (storage.googleapis.com)
  • Compute Engine API (compute.googleapis.com)
  • BigQuery API (bigquery.googleapis.com)

For more information about AutoML Translation, refer to the product documentation.

Limitations
All AutoML products that are integrated with VPC Service Controls use the same service address. For more information, see the limitations for using AutoML products with VPC Service Controls.

AutoML Video Intelligence

Status Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address automl.googleapis.com, eu-automl.googleapis.com
Details

To fully protect the AutoML API, include all of the following APIs in your perimeter:

  • AutoML API (automl.googleapis.com)
  • Cloud Storage API (storage.googleapis.com)
  • Compute Engine API (compute.googleapis.com)
  • BigQuery API (bigquery.googleapis.com)

For more information about AutoML Video Intelligence, refer to the product documentation.

Limitations
All AutoML products that are integrated with VPC Service Controls use the same service address. For more information, see the limitations for using AutoML products with VPC Service Controls.

AutoML Vision

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address automl.googleapis.com, eu-automl.googleapis.com
Details

To fully protect the AutoML API, include all of the following APIs in your perimeter:

  • AutoML API (automl.googleapis.com)
  • Cloud Storage API (storage.googleapis.com)
  • Compute Engine API (compute.googleapis.com)
  • BigQuery API (bigquery.googleapis.com)

For more information about AutoML Vision, refer to the product documentation.

Limitations
All AutoML products that are integrated with VPC Service Controls use the same service address. For more information, see the limitations for using AutoML products with VPC Service Controls.

BigQuery

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address bigquery.googleapis.com
Details

When you protect the BigQuery API using a service perimeter, the BigQuery Storage API is also protected. You do not need to separately add the BigQuery Storage API to your perimeter's list of protected services.

For more information about BigQuery, refer to the product documentation.

Limitations
  • VPC Service Controls does not support copying BigQuery resources protected by a service perimeter to another organization. Access levels do not enable you to copy across organizations.

    To copy protected BigQuery resources to another organization, download the dataset (for example, as a CSV file), and then upload that file to the other organization.

  • The BigQuery Data Transfer Service is supported for the following services:

    • Google Software as a Service (SaaS) apps
    • External cloud storage providers
    • Data warehouses

    In addition, several third-party transfers are available in the Google Cloud Marketplace.

    Note: The BigQuery Data Transfer Service doesn't support exporting data out of a BigQuery dataset. See Exporting table data for more information.

  • BigQuery audit log records do not always include all resources that were used when a request is made, due to the service internally processing access to multiple resources.

  • When using a service account to access a BigQuery instance protected by a service perimeter, the BigQuery job must be run within a project inside the perimeter. By default, the BigQuery client libraries run jobs within the service account's or user's own project, which causes the query to be rejected by VPC Service Controls.

Cloud Bigtable

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address bigtable.googleapis.com
Details

The API for Cloud Bigtable can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Cloud Bigtable, refer to the product documentation.

Limitations

The Cloud Bigtable integration with VPC Service Controls has no known limitations.

Binary Authorization

Status Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address binaryauthorization.googleapis.com
Details

When using multiple projects with Binary Authorization, each project must be included in the VPC Service Controls perimeter. For more information about this use case, see Multi-project setup.

With Binary Authorization, you may use Container Analysis to store attestors and attestations as notes and occurrences, respectively. In this case, you must also include Container Analysis in the VPC Service Controls perimeter. See VPC Service Controls guidance for Container Analysis for additional details.

For more information about Binary Authorization, refer to the product documentation.

Limitations

The Binary Authorization integration with VPC Service Controls has no known limitations.

Certificate Authority Service

Status Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address privateca.googleapis.com
Details

The API for Certificate Authority Service can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Certificate Authority Service, refer to the product documentation.

Limitations

The Certificate Authority Service integration with VPC Service Controls has no known limitations.

Data Catalog

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address datacatalog.googleapis.com
Details

Data Catalog automatically respects perimeters around other Google Cloud services.

For more information about Data Catalog, refer to the product documentation.

Limitations

The Data Catalog integration with VPC Service Controls has no known limitations.

Cloud Data Fusion

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address datafusion.googleapis.com
Details

Protecting Cloud Data Fusion with VPC Service Controls requires some additional steps.

For more information about Cloud Data Fusion, refer to the product documentation.

Limitations
  • Establish the VPC Service Controls security perimeter before creating your Cloud Data Fusion private instance. Perimeter protection for instances created prior to setting up VPC Service Controls is not supported.

  • Currently, the Cloud Data Fusion data plane UI does not support specifying access levels that use identity-based access.

Compute Engine

Status Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address compute.googleapis.com
Details

VPC Service Controls support for Compute Engine offers the following security benefits:

  • Restricts access to sensitive API operations
  • Restricts persistent disk snapshots and custom images to a perimeter
  • Restricts access to instance metadata

VPC Service Controls support for Compute Engine also enables you to utilize Virtual Private Cloud networks and Google Kubernetes Engine private clusters inside service perimeters.

For more information about Compute Engine, refer to the product documentation.

Limitations
  • Hierarchical firewalls are not affected by service perimeters.

  • VPC Peering operations do not enforce VPC service perimeter restrictions.

  • The projects.ListXpnHosts API method for Shared VPC does not enforce service perimeter restrictions on returned projects.

  • To enable creating a Compute Engine image from Cloud Storage in a project protected by a service perimeter, the user who is creating the image should be temporarily added to an access level for the perimeter.

  • VPC Service Controls does not support using the open-source version of Kubernetes on Compute Engine VMs inside a service perimeter.

Dataflow

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address dataflow.googleapis.com
Details

Dataflow supports a number of storage service connectors. The following connectors have been verified to work with Dataflow inside a service perimeter:

For more information about Dataflow, refer to the product documentation.

Limitations

  • Custom BIND is not supported when using Dataflow. To customize DNS resolution when using Dataflow with VPC Service Controls, use Cloud DNS private zones instead of using custom BIND servers. To use your own on-premises DNS resolution, consider using a Google Cloud DNS forwarding method.

  • Not all storage service connectors have been verified to work when used with Dataflow inside a service perimeter. For a list of verified connectors, see the Dataflow details.

  • If Dataflow workers can only have private IP addresses, such as when using VPC Service Controls to protect resources, do not use Python 3.5 with Apache Beam SDK 2.20.0 to 2.22.0. This combination causes Dataflow jobs to fail at startup.

Dataproc

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address dataproc.googleapis.com
Details

Protecting Dataproc with VPC Service Controls requires some additional steps.

For more information about Dataproc, refer to the product documentation.

Limitations

  • To protect a Dataproc cluster with a service perimeter, you must follow the instructions for setting up private connectivity to allow the cluster to function inside the perimeter.

Cloud Data Loss Prevention

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address dlp.googleapis.com
Details

The API for Cloud Data Loss Prevention can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Cloud Data Loss Prevention, refer to the product documentation.

Limitations

The Cloud Data Loss Prevention integration with VPC Service Controls has no known limitations.

Cloud Functions

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address cloudfunctions.googleapis.com
Details

See the Cloud Functions documentation for setup steps. VPC Service Controls protection does not apply to the build phase when Cloud Functions are built using Cloud Build. VPC Service Controls protection applies for all function triggers except Firebase Realtime Database triggers and Firebase Crashlytics triggers. For more details, see the known limitations.

For more information about Cloud Functions, refer to the product documentation.

Limitations
  • Cloud Functions uses Cloud Build to build your source code into a runnable container. In order to use Cloud Functions inside a service perimeter, you must configure an access level for the Cloud Build Service Account in your service perimeter.

  • To allow your functions to use external dependencies such as npm packages, Cloud Build has unlimited internet access. This internet access could be used to exfiltrate data that is available at build time, such as your uploaded source code. If you want to mitigate this exfiltration vector, we recommend that you only allow trusted developers to deploy functions. Do not grant Cloud Functions Owner, Editor, or Developer IAM roles to untrusted developers.

  • For Firebase Realtime Database triggers and Firebase Crashlytics triggers, a user could deploy a function that could be triggered by changes to a Firebase Realtime Database or Firebase Crashlytics in a different project outside the service perimeter of the project in which the function is deployed. If you want to mitigate the exfiltration vector for these two triggers, we recommend that you only allow trusted developers to deploy functions. Do not grant Cloud Functions Owner, Editor, or Developer IAM roles to untrusted developers.

Serverless VPC Access

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address vpcaccess.googleapis.com
Details

The API for Serverless VPC Access can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Serverless VPC Access, refer to the product documentation.

Limitations

The Serverless VPC Access integration with VPC Service Controls has no known limitations.

Cloud Key Management Service

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address cloudkms.googleapis.com
Details

The API for Cloud Key Management Service can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Cloud Key Management Service, refer to the product documentation.

Limitations

The Cloud Key Management Service integration with VPC Service Controls has no known limitations.

Game Servers

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address gameservices.googleapis.com
Details

The API for Game Servers can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Game Servers, refer to the product documentation.

Limitations

The Game Servers integration with VPC Service Controls has no known limitations.

Managed Service for Microsoft Active Directory

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address managedidentities.googleapis.com
Details

Additional configuration required for:

For more information about Managed Service for Microsoft Active Directory, refer to the product documentation.

Limitations

The Managed Service for Microsoft Active Directory integration with VPC Service Controls has no known limitations.

Secret Manager

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address secretmanager.googleapis.com
Details

The API for Secret Manager can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Secret Manager, refer to the product documentation.

Limitations

The Secret Manager integration with VPC Service Controls has no known limitations.

Pub/Sub

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address pubsub.googleapis.com
Details

VPC Service Controls protection applies to all subscriber operations except existing push subscriptions.

For more information about Pub/Sub, refer to the product documentation.

Limitations

  • In projects protected by a service perimeter, new push subscriptions cannot be created.
  • Pub/Sub push subscriptions created prior to the service perimeter will not be blocked.

Pub/Sub Lite

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address pubsublite.googleapis.com
Details

VPC Service Controls protection applies to all subscriber operations.

For more information about Pub/Sub Lite, refer to the product documentation.

Limitations

The Pub/Sub Lite integration with VPC Service Controls has no known limitations.

Cloud Build

Status Preview. This product integration is ready for broader testing and use, but is not fully supported for production environments.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address cloudbuild.googleapis.com
Details

Using VPC Service Controls with Cloud Build is only available to restricted users.

For more information about Cloud Build, refer to the product documentation.

Limitations

Using VPC Service Controls with Cloud Build is only available to restricted users.

Cloud Composer

Status Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address composer.googleapis.com
Details

See Configuring Composer for use with VPC Service Controls.

For more information about Cloud Composer, refer to the product documentation.

Limitations
  • Enabling DAG serialization prevents Airflow from displaying a rendered template with functions in the web UI.

  • Setting the async_dagbag_loader flag to True is not supported while DAG serialization is enabled.

  • Enabling DAG serialization disables all Airflow web server plugins, as they could risk the security of the VPC network where Cloud Composer is deployed. This doesn't impact the behaviour of scheduler or worker plugins, including Airflow operators and sensors.

  • When Cloud Composer is running inside a perimeter, access to public PyPI repositories is restricted. In the Cloud Composer documentation, see Installing Python dependencies to learn how to install PyPI modules in Private IP mode.

Cloud Spanner

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address spanner.googleapis.com
Details

The API for Cloud Spanner can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Cloud Spanner, refer to the product documentation.

Limitations

The Cloud Spanner integration with VPC Service Controls has no known limitations.

Cloud Storage

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address storage.googleapis.com
Details

The API for Cloud Storage can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Cloud Storage, refer to the product documentation.

Limitations
  • When using the Requester Pays feature with a storage bucket inside a service perimeter that protects the Cloud Storage service, you cannot identify a project to pay that is outside the perimeter. The target project must be in the same perimeter as the storage bucket or in a perimeter bridge with the bucket's project.

    For more information about Requester Pays, see the Requester Pays use and access requirements.

  • For projects in a service perimeter, the Cloud Storage page in the Cloud Console is not accessible if the Cloud Storage API is protected by that perimeter. If you want to grant access to the page, you must create an access level that includes either the user accounts or a public IP range that you want to allow to access the Cloud Storage API.

  • In audit log records, the resourceName field does not identify the project that owns a bucket. The project must be discovered separately.

  • In audit log records, the value for methodName is not always correct. We recommend that you do not filter Cloud Storage audit log records by methodName.

  • In certain cases, Cloud Storage legacy bucket logs can be written to destinations outside of a service perimeter even when access is denied.

  • When you attempt to use gsutil for the first time in a new project, you may be prompted to enable the storage-api.googleapis.com service. While you cannot directly protect storage-api.googleapis.com, when you protect the Cloud Storage API using a service perimeter, gsutil operations are also protected.

Cloud SQL

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address sqladmin.googleapis.com
Details

VPC Service Controls perimeters protect the Cloud SQL Admin API.

For more information about Cloud SQL, refer to the product documentation.

Limitations

  • Service perimeters protect only the Cloud SQL Admin API. They do not protect IP-based data access to Cloud SQL instances. You need to use an organization policy constraint to restrict public IP access on Cloud SQL instances.

  • Cloud SQL imports and exports can only read from and write to a Cloud Storage bucket within the same service perimeter as the Cloud SQL replica instance. In the external server migration flow, you need to add the Cloud Storage bucket to the same service perimeter. When creating a key for CMEK, you need to create the key in the same service perimeter as the resources that use it. Note: When restoring an instance from a backup, the target instance needs to reside in the same service perimeter as the backup.

Video Intelligence API

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address videointelligence.googleapis.com
Details

The Video Intelligence API can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Video Intelligence API, refer to the product documentation.

Limitations

The Video Intelligence API integration with VPC Service Controls has no known limitations.

Cloud Vision API

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address vision.googleapis.com
Details

The Cloud Vision API can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Cloud Vision API, refer to the product documentation.

Limitations

The Cloud Vision API integration with VPC Service Controls has no known limitations.

Container Analysis

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address containeranalysis.googleapis.com
Details

To use Container Analysis with VPC Service Controls, you may have to add other services to your VPC perimeter:

Because the Container Scanning API is a surfaceless API that stores the results in Container Analysis, you do not need to protect the API with a service perimeter.

For more information about Container Analysis, refer to the product documentation.

Limitations

The Container Analysis integration with VPC Service Controls has no known limitations.

Container Registry

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address containerregistry.googleapis.com
Details

In addition to protecting the Container Registry API, Container Registry can be used inside a service perimeter with GKE and Compute Engine.

For more information about Container Registry, refer to the product documentation.

Limitations

  • Because it is not using the googleapis.com domain, Container Registry must be configured via Private DNS or BIND to map to the restricted VIP separately from other APIs. For more information, see Securing Container Registry in a service perimeter.

  • In addition to the containers inside a perimeter that are available to Container Registry, the following read-only Google-managed repositories are available to all projects regardless of service perimeters:

    • gcr.io/asci-toolchain
    • gcr.io/cloud-airflow-releaser
    • gcr.io/cloud-builders
    • gcr.io/cloud-dataflow
    • gcr.io/cloud-marketplace
    • gcr.io/cloud-ssa
    • gcr.io/cloudsql-docker
    • gcr.io/config-management-release
    • gcr.io/foundry-dev
    • gcr.io/fn-img
    • gcr.io/gke-node-images
    • gcr.io/gke-release
    • gcr.io/google-containers
    • gcr.io/kubeflow
    • gcr.io/kubeflow-images-public
    • gcr.io/kubernetes-helm
    • gcr.io/istio-release
    • gcr.io/ml-pipeline
    • gcr.io/projectcalico-org
    • gcr.io/rbe-containers
    • gcr.io/rbe-windows-test-images
    • gcr.io/speckle-umbrella
    • gcr.io/stackdriver-agents
    • gcr.io/tensorflow
    • gke.gcr.io
    • k8s.gcr.io
    • mirror.gcr.io

    In all cases, the multi-regional versions of these repositories are also available.

Google Kubernetes Engine

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address container.googleapis.com,
gkeconnect.googleapis.com,
gkehub.googleapis.com
Details

The API for Google Kubernetes Engine can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Google Kubernetes Engine, refer to the product documentation.

Limitations

  • Only private clusters can be protected using VPC Service Controls. Clusters with public IP addresses are not supported by VPC Service Controls.

Resource Manager

Status Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address cloudresourcemanager.googleapis.com
Details

The API for Resource Manager can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Resource Manager, refer to the product documentation.

Limitations

Cloud Logging

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address logging.googleapis.com
Details

Because VPC Service Controls doesn't support Folder and Organization resources, Folder-level and Organization-level logs are not protected by VPC Service Controls. For more information, refer to the known service limitations.

For more information about Cloud Logging, refer to the product documentation.

Limitations
  • Aggregated export sinks (folder or organization sinks where includeChildren is true) can access data from projects inside a service perimeter. We recommend that IAM is used to manage Logging permissions at the folder and organization level.

  • Because VPC Service Controls does not currently support folder and organization resources, log exports of folder-level and organization-level logs (including aggregate logs) do not support service perimeters. We recommend that IAM is used to restrict exports to the service accounts required to interact with the perimeter-protected services.

  • To set up an organization or folder log export to a resource protected by a service perimeter, you must add the service account for that log sink to an access level and then assign it to the destination service perimeter. This is not necessary for project-level log exports.

    For more information, refer to the following pages:

Cloud Monitoring

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address monitoring.googleapis.com
Details

The API for Cloud Monitoring can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Cloud Monitoring, refer to the product documentation.

Limitations
  • Notification channels, alerting policies, and custom metrics can be used together to exfiltrate data or metadata. As of today, a user of Monitoring can set up a notification channel that points to an entity outside of the organization, for example "baduser@badcompany.com". The user then sets up custom metrics and corresponding alert policies that use the notification channel. As a result, by manipulating the custom metrics, the user can trigger alerts and send alert firing notifications, exfiltrating sensitive data to baduser@badcompany.com, outside of the VPC Service Controls perimeter.

  • While Monitoring in Google Cloud Console supports VPC Service Controls, VPC Service Controls for the classic Cloud Monitoring console are not fully supported.

  • Any Compute Engine or AWS VMs with the Monitoring Agent installed must be inside the VPC Service Controls perimeter or agent metric writes will fail.

  • Any GKE Pods must be inside the VPC Service Controls perimeter or GKE Monitoring will not work.

  • When querying metrics for a workspace, only the VPC Service Controls perimeter of the workspace's host project is considered, not the perimeters of the individual monitored projects in the workspace.

  • A project can only be added as a monitored project to an existing workspace if that project is in the same VPC Service Controls perimeter as the workspace's host project.

  • To access Monitoring in the Cloud Console for a host project that is protected by a service perimeter, use access levels.
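The notification-channel exfiltration path described in the first limitation above is something a defender can inventory. The following added example (not part of the original page or of Google's tooling) audits a constructed notification-channel listing, shaped like the `notificationChannels` array returned by the Monitoring API's `projects.notificationChannels.list` method, and flags enabled email channels whose address is outside an allowed set of organization domains; it also lists non-email channel types for manual review, since those deliver outside the perimeter as well. The `email_address` label key for email channels is assumed from the Monitoring API.

```python
"""Find Cloud Monitoring notification channels that deliver alerts outside the organization."""
from __future__ import annotations

import json

# Constructed sample in the shape of the `notificationChannels` array returned by
# projects.notificationChannels.list. The 'email_address' label key is assumed.
SAMPLE_CHANNELS_JSON = """{
  "notificationChannels": [
    {"name": "projects/example-proj/notificationChannels/1",
     "type": "email", "displayName": "on-call rotation",
     "labels": {"email_address": "oncall@example.com"}, "enabled": true},
    {"name": "projects/example-proj/notificationChannels/2",
     "type": "email", "displayName": "personal mailbox",
     "labels": {"email_address": "baduser@badcompany.com"}, "enabled": true},
    {"name": "projects/example-proj/notificationChannels/3",
     "type": "webhook_tokenauth", "displayName": "external hook",
     "labels": {"url": "https://hooks.example.net/alerts"}, "enabled": true},
    {"name": "projects/example-proj/notificationChannels/4",
     "type": "email", "displayName": "old contractor",
     "labels": {"email_address": "someone@contractor.example"}, "enabled": false}
  ]
}"""


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address, or '' if malformed."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify_channels(channels: list[dict], allowed_domains: set[str]) -> dict[str, list[str]]:
    """Split channels into 'external' (enabled email channels outside the allowed
    domains) and 'review' (enabled non-email channels, which cannot be judged by
    domain and always deliver outside the perimeter)."""
    allowed = {d.lower() for d in allowed_domains}
    report: dict[str, list[str]] = {"external": [], "review": []}
    for ch in channels:
        if not ch.get("enabled", True):
            continue  # a disabled channel cannot fire; re-enable would need a new audit
        if ch.get("type") == "email":
            domain = email_domain(ch.get("labels", {}).get("email_address", ""))
            if domain not in allowed:
                report["external"].append(ch["name"])
        else:
            report["review"].append(ch["name"])
    return report


def audit(channels_json: str, allowed_domains) -> dict[str, list[str]]:
    """Parse a channel listing and classify it against the organization's domains."""
    listing = json.loads(channels_json)
    return classify_channels(listing.get("notificationChannels", []), set(allowed_domains))


if __name__ == "__main__":
    result = audit(SAMPLE_CHANNELS_JSON, {"example.com"})
    for kind, names in result.items():
        for name in names:
            print(f"{kind}: {name}")
```

Pair the output with IAM review of who holds `monitoring.notificationChannels.create` on projects inside the perimeter, since the listing only shows channels that already exist.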

Cloud Profiler

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address cloudprofiler.googleapis.com
Details

The API for Cloud Profiler can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Cloud Profiler, refer to the product documentation.

Limitations

The Cloud Profiler integration with VPC Service Controls has no known limitations.

Cloud Trace

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address cloudtrace.googleapis.com
Details

The API for Cloud Trace can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Cloud Trace, refer to the product documentation.

Limitations

The Cloud Trace integration with VPC Service Controls has no known limitations.

Cloud TPU

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address tpu.googleapis.com
Details

The API for Cloud TPU can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Cloud TPU, refer to the product documentation.

Limitations

The Cloud TPU integration with VPC Service Controls has no known limitations.

Natural Language API

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address language.googleapis.com
Details

The Natural Language API can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Natural Language API, refer to the product documentation.

Limitations

The Natural Language API integration with VPC Service Controls has no known limitations.

Cloud Asset API

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address cloudasset.googleapis.com
Details

Because VPC Service Controls doesn't support Folder and Organization resources, access to assets via Cloud Asset API at the Folder or Organization level is not protected by VPC Service Controls. For more information, refer to the known service limitations.

For more information about Cloud Asset API, refer to the product documentation.

Limitations

  • When calling Cloud Asset API at the Folder or Organization level, data from projects inside a service perimeter that belongs to the folder or organization can still be accessed. We recommend that IAM is used to manage Cloud Asset Inventory permissions at the folder and organization level.

Speech-to-Text

Status Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address speech.googleapis.com
Details

The API for Speech-to-Text can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Speech-to-Text, refer to the product documentation.

Limitations

The Speech-to-Text integration with VPC Service Controls has no known limitations.

Text-to-Speech

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address texttospeech.googleapis.com
Details

The API for Text-to-Speech can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Text-to-Speech, refer to the product documentation.

Limitations

The Text-to-Speech integration with VPC Service Controls has no known limitations.

Translation

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address translate.googleapis.com
Details

The API for Translation can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Translation, refer to the product documentation.

Limitations

The Translation integration with VPC Service Controls has no known limitations.

Access Approval

Status Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address accessapproval.googleapis.com
Details

The API for Access Approval can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Access Approval, refer to the product documentation.

Limitations

The Access Approval integration with VPC Service Controls has no known limitations.

Cloud Healthcare API

Status Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address healthcare.googleapis.com
Details

The Cloud Healthcare API can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Cloud Healthcare API, refer to the product documentation.

Limitations

The Cloud Healthcare API integration with VPC Service Controls has no known limitations.

Storage Transfer Service

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address storagetransfer.googleapis.com
Details

We recommend placing your STS project within the same service perimeter as your Cloud Storage resources. This protects both your transfer and your Cloud Storage resources. Storage Transfer Service also supports scenarios where the Storage Transfer Service project is not in the same perimeter as your Cloud Storage buckets, using either a perimeter bridge or access levels.

For setup information, see Using Storage Transfer Service with VPC Service Controls.

Transfer service for on-premises data

During Beta, Transfer service for on-premises data (Transfer for on-premises) supports VPC Service Controls for transfer payloads only. This includes scenarios where Transfer for on-premises agents are added to an access level that allows them to access resources in the perimeter, or when Transfer for on-premises agents are within a perimeter shared with target Cloud Storage buckets and Transfer service for on-premises data jobs.

For more information, see Using Transfer for on-premises with VPC Service Controls.

File metadata, such as object names, are not guaranteed to stay within the perimeter. For more information, see VPC Service Controls and metadata.

For more information about Storage Transfer Service, refer to the product documentation.

Limitations

  • Transfer service for on-premises data doesn't offer an API, and therefore does not support API-related features in VPC Service Controls.

Service Control

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address servicecontrol.googleapis.com
Details

The API for Service Control can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Service Control, refer to the product documentation.

Limitations

  • When you call the Service Control API from a VPC network in a service perimeter with Service Control restricted, you can't use the Service Control report method to report billing and analytics metrics.

Memorystore for Redis

Status GA. This product integration is fully supported by VPC Service Controls.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address redis.googleapis.com
Details

The API for Memorystore for Redis can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Memorystore for Redis, refer to the product documentation.

Limitations

  • Service perimeters protect only the Memorystore for Redis API. Perimeters do not protect normal data access on Memorystore for Redis instances within the same network.

  • If the Cloud Storage API is also protected, then Memorystore for Redis import and export operations can only read and write to a Cloud Storage bucket within the same service perimeter as the Memorystore for Redis instance.

Service Directory

Status Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address servicedirectory.googleapis.com
Details

The API for Service Directory can be protected by VPC Service Controls and the product can be used normally inside service perimeters.

For more information about Service Directory, refer to the product documentation.

Limitations

The Service Directory integration with VPC Service Controls has no known limitations.

Transfer Appliance

Status Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.
Protect with perimeters? No. The API for Transfer Appliance cannot be protected by service perimeters. However, Transfer Appliance can be used normally in projects inside a perimeter.
Details

Transfer Appliance is fully supported for projects using VPC Service Controls.

Transfer Appliance doesn't offer an API, and therefore does not support API-related features in VPC Service Controls.

For more information about Transfer Appliance, refer to the product documentation.

Limitations

  • When Cloud Storage is protected by VPC Service Controls, the Cloud KMS key you share with the Transfer Appliance Team must be within the same project as the destination Cloud Storage bucket.

OS Login

Status Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address oslogin.googleapis.com
Details

You can call the OS Login API from within VPC Service Controls perimeters. To manage OS Login from within VPC Service Controls perimeters, set up OS Login.

SSH connections to VM instances are not protected by VPC Service Controls.

For more information about OS Login, refer to the product documentation.

Limitations

The OS Login integration with VPC Service Controls has no known limitations.

VM Manager

Status Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.
Protect with perimeters? Yes. You can configure your perimeters to protect this service.
Service address osconfig.googleapis.com
Details

You can call the OS Config API from within VPC Service Controls perimeters. To use VM Manager from within VPC Service Controls perimeters, set up VM Manager.

For more information about VM Manager, refer to the product documentation.

Limitations

The VM Manager integration with VPC Service Controls has no known limitations.

For more information, read about supported and unsupported services.

Restricted VIP supported services

The restricted virtual IP (VIP) provides a way for VMs that are inside a service perimeter to make calls to Google Cloud services without exposing the requests to the internet. For a complete list of the services available on the restricted VIP, see Services supported by the restricted VIP.

Unsupported services

Attempting to restrict an unsupported service using the gcloud command-line tool or the Access Context Manager API will result in an error.

Cross-project access to data of supported services will be blocked by VPC Service Controls. Additionally, the restricted VIP can be used to block the ability of workloads to call unsupported services.

Other known limitations

This section describes known limitations with certain Google Cloud services, products, and interfaces that can be encountered when using VPC Service Controls.

For limitations with products that are supported by VPC Service Controls, refer to the Supported Products table.

For more information on resolving issues with VPC Service Controls, refer to the Troubleshooting page.

AutoML API

  • AutoML Vision, AutoML Natural Language, AutoML Translation, AutoML Tables and AutoML Video Intelligence all use the AutoML API.

    When you use a service perimeter to protect automl.googleapis.com, access to all of the AutoML products that are integrated with VPC Service Controls and used inside the perimeter are impacted. You must configure your VPC Service Controls perimeter for all integrated AutoML products that are used inside that perimeter.

    To fully protect the AutoML API, include all of the following APIs in your perimeter:

    • AutoML API (automl.googleapis.com)
    • Cloud Storage API (storage.googleapis.com)
    • Compute Engine API (compute.googleapis.com)
    • BigQuery API (bigquery.googleapis.com)
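A perimeter that restricts automl.googleapis.com without the three dependent APIs listed above leaves AutoML only partly protected. The following added example (not part of the original page or of Google's tooling) audits a constructed perimeter description, shaped like the JSON from `gcloud access-context-manager perimeters describe NAME --format=json`, and reports which dependent services are missing from `restrictedServices`; the dependency table holds only the AutoML set from this page and can be extended with other service groupings. The `status`/`spec` field names are assumed from the Access Context Manager API.

```python
"""Check a VPC Service Controls perimeter for incompletely protected AutoML."""
from __future__ import annotations

import json

# Dependent APIs this page lists for a fully protected AutoML perimeter.
DEPENDENCIES: dict[str, set[str]] = {
    "automl.googleapis.com": {
        "storage.googleapis.com",
        "compute.googleapis.com",
        "bigquery.googleapis.com",
    },
}

# Constructed sample in the shape of
# `gcloud access-context-manager perimeters describe NAME --format=json`.
# Field names under 'status' are assumed from the Access Context Manager API.
SAMPLE_PERIMETER_JSON = """{
  "name": "accessPolicies/000000000000/servicePerimeters/example_perimeter",
  "title": "example_perimeter",
  "perimeterType": "PERIMETER_TYPE_REGULAR",
  "status": {
    "resources": ["projects/000000000000"],
    "restrictedServices": ["automl.googleapis.com", "storage.googleapis.com"]
  }
}"""


def restricted_services(perimeter: dict) -> set[str]:
    """Return the restricted services of a perimeter. An enforced perimeter keeps
    its configuration under 'status'; a dry-run-only perimeter keeps it under 'spec'."""
    config = perimeter.get("status") or perimeter.get("spec") or {}
    return set(config.get("restrictedServices", []))


def missing_dependencies(perimeter: dict,
                         dependencies: dict[str, set[str]] = DEPENDENCIES) -> dict[str, set[str]]:
    """For every restricted service that has known dependencies, return the
    dependent services that are not also restricted in the same perimeter."""
    restricted = restricted_services(perimeter)
    gaps: dict[str, set[str]] = {}
    for service, needed in dependencies.items():
        if service in restricted:
            missing = needed - restricted
            if missing:
                gaps[service] = missing
    return gaps


def audit(perimeter_json: str) -> dict[str, set[str]]:
    """Parse a perimeter description and report incomplete protection."""
    return missing_dependencies(json.loads(perimeter_json))


if __name__ == "__main__":
    gaps = audit(SAMPLE_PERIMETER_JSON)
    if not gaps:
        print("no dependency gaps")
    for service, missing in gaps.items():
        print(f"{service}: also restrict {', '.join(sorted(missing))}")
```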

App Engine

  • App Engine (both standard environment and flexible environment) is not supported by VPC Service Controls. Do not include App Engine projects in service perimeters.

    However, it is possible to allow App Engine apps created in projects outside service perimeters to read and write data to protected services inside perimeters. To allow your app to access the data of protected services, create an access level that includes the project's App Engine service account. This does not enable App Engine to be used inside service perimeters.

Client libraries

  • The Java and Python client libraries for all supported services are fully supported for access using the restricted VIP. Support for other languages is at Alpha stage and should be used for testing purposes only.

  • Clients must use client libraries that have been updated as of November 1, 2018 or later.

  • Service account keys or OAuth2 client metadata used by clients must be updated as of November 1, 2018 or later. Older clients using the token endpoint must change to the endpoint specified in newer key material/client metadata.

Cloud Billing

Cloud Build

  • Using Cloud Build within a VPC Service Controls perimeter is only available to restricted users.

    Additionally, it is possible to allow Cloud Build in projects outside service perimeters to read and write data to protected services inside perimeters. To allow Cloud Build to access the data of protected services, create an access level that includes the project's Cloud Build service account. This does not enable Cloud Build to be used inside service perimeters.

Cloud Deployment Manager

  • Deployment Manager is not supported by VPC Service Controls. Users may be able to call into services that are compliant with VPC Service Controls, but they should not rely on this as it may break in the future.

  • As a workaround, you can add the Deployment Manager service account (PROJECT_NUMBER@cloudservices.gserviceaccount.com) to the access levels to allow calls to APIs protected by VPC Service Controls.

Cloud Shell

  • Cloud Shell is not supported. It is treated as outside of service perimeters and denied access to data protected by VPC Service Controls.

Google Cloud Console

  • Because the Cloud Console is only accessible over the internet, it is treated as outside of service perimeters. When you apply a service perimeter, the Cloud Console interface for the services that you protected may become partially or fully inaccessible. For example, if you protected Logging with the perimeter, you will not be able to access the Logging interface in the Cloud Console.

    To allow access from the Cloud Console to resources protected by a perimeter, you need to create an access level for a public IP range that includes the machines of users who want to use the Cloud Console with protected APIs. For example, you could add the public IP range of the NAT gateway of your private network to an access level, and then assign that access level to the service perimeter.

    If you want to limit Cloud Console access to the perimeter to only a specific set of users, you can also add those users to an access level. In that case, only the specified users would be able to access the Cloud Console.