Connectivity Tests

Status
Preview

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
networkmanagement.googleapis.com

Details
The API for Connectivity Tests can be protected by VPC Service Controls and the product can be used normally inside service perimeters. For more information about Connectivity Tests, refer to the product documentation.

Limitations
The Connectivity Tests integration with VPC Service Controls has no known limitations.

AI Platform Prediction

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
ml.googleapis.com

Details
VPC Service Controls supports online prediction, but not batch prediction. For more information about AI Platform Prediction, refer to the product documentation.

Limitations
To fully protect AI Platform Prediction, add all of the following APIs to the service perimeter:
- AI Platform Training and Prediction API (ml.googleapis.com)
- Pub/Sub API (pubsub.googleapis.com)
- Cloud Storage API (storage.googleapis.com)
- Google Kubernetes Engine API (container.googleapis.com)
- Container Registry API (containerregistry.googleapis.com)
- Cloud Logging API (logging.googleapis.com)
Read more about setting up VPC Service Controls for AI Platform Prediction.
Batch prediction is not supported when you use AI Platform Prediction inside a service perimeter.
AI Platform Prediction and AI Platform Training both use the AI Platform Training and Prediction API, so you must configure VPC Service Controls for both products. Read more about setting up VPC Service Controls for AI Platform Training.

AI Platform Training

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
ml.googleapis.com

Details
The API for AI Platform Training can be protected by VPC Service Controls and the product can be used normally inside service perimeters. For more information about AI Platform Training, refer to the product documentation.

Limitations
To fully protect your AI Platform Training training jobs, add all of the following APIs to the service perimeter:
- AI Platform Training and Prediction API (ml.googleapis.com)
- Pub/Sub API (pubsub.googleapis.com)
- Cloud Storage API (storage.googleapis.com)
- Google Kubernetes Engine API (container.googleapis.com)
- Container Registry API (containerregistry.googleapis.com)
- Cloud Logging API (logging.googleapis.com)
Read more about setting up VPC Service Controls for AI Platform Training.
Training with TPUs is not supported when you use AI Platform Training inside a service perimeter.
AI Platform Training and AI Platform Prediction both use the AI Platform Training and Prediction API, so you must configure VPC Service Controls for both products. Read more about setting up VPC Service Controls for AI Platform Prediction.

AI Platform Notebooks

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
notebooks.googleapis.com

Details
The API for AI Platform Notebooks can be protected by VPC Service Controls and the product can be used normally inside service perimeters. For more information about AI Platform Notebooks, refer to the product documentation.

Limitations

AI Platform (Unified)

Status
Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
aiplatform.googleapis.com (beta)

Details
The API for AI Platform (Unified) can be protected by VPC Service Controls and the product can be used normally inside service perimeters. For more information about AI Platform (Unified), refer to the product documentation.

Limitations
For more information about limitations, see limitations in the AI Platform (Unified) documentation.

Apigee and Apigee hybrid

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
apigee.googleapis.com, apigeeconnect.googleapis.com

Details
The API for Apigee and Apigee hybrid can be protected by VPC Service Controls and the product can be used normally inside service perimeters. For more information about Apigee and Apigee hybrid, refer to the product documentation.

Limitations
Apigee integrations with VPC Service Controls have the following limitations:
- Integrated portals require additional steps to configure.
- You must deploy Drupal portals within the service perimeter.

Anthos Service Mesh

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
meshca.googleapis.com

Details
The API for Anthos Service Mesh can be protected by VPC Service Controls and the product can be used normally inside service perimeters. For more information about Anthos Service Mesh, refer to the product documentation.

Limitations
- Service perimeters can only protect the Cloud Service Mesh Certificate Authority API. You can add a service perimeter to protect your Identity Namespace.

Artifact Registry

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
artifactregistry.googleapis.com

Details
In addition to protecting the Artifact Registry API, Artifact Registry can be used inside service perimeters with GKE and Compute Engine. For more information about Artifact Registry, refer to the product documentation.

Limitations
Because it does not use the googleapis.com domain, Artifact Registry must be configured via Private DNS or BIND to map to the restricted VIP separately from other APIs. For more information, see Securing repositories in a service perimeter.
In addition to the artifacts inside a perimeter that are available to Artifact Registry, the following read-only Google-managed Container Registry repositories are available to all projects regardless of service perimeters:
- gcr.io/asci-toolchain
- gcr.io/cloud-airflow-releaser
- gcr.io/cloud-builders
- gcr.io/cloud-dataflow
- gcr.io/cloud-marketplace
- gcr.io/cloud-ssa
- gcr.io/cloudsql-docker
- gcr.io/config-management-release
- gcr.io/foundry-dev
- gcr.io/fn-img
- gcr.io/gke-node-images
- gcr.io/gke-release
- gcr.io/google-containers
- gcr.io/kubeflow
- gcr.io/kubeflow-images-public
- gcr.io/kubernetes-helm
- gcr.io/istio-release
- gcr.io/ml-pipeline
- gcr.io/projectcalico-org
- gcr.io/rbe-containers
- gcr.io/rbe-windows-test-images
- gcr.io/speckle-umbrella
- gcr.io/stackdriver-agents
- gcr.io/tensorflow
- gke.gcr.io
- k8s.gcr.io
In all cases, the regional versions of these repositories are also available.
Cached images on mirror.gcr.io are only available if Container Registry is also in the perimeter.

AutoML Natural Language

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
automl.googleapis.com, eu-automl.googleapis.com

Details
To fully protect the AutoML API, include all of the following APIs in your perimeter:
- AutoML API (automl.googleapis.com)
- Cloud Storage API (storage.googleapis.com)
- Compute Engine API (compute.googleapis.com)
- BigQuery API (bigquery.googleapis.com)
For more information about AutoML Natural Language, refer to the product documentation.

Limitations
All AutoML products that are integrated with VPC Service Controls use the same service address. For more information, see the limitations for using AutoML products with VPC Service Controls.

AutoML Tables

Status
Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
automl.googleapis.com, eu-automl.googleapis.com

Details
To fully protect the AutoML API, include all of the following APIs in your perimeter:
- AutoML API (automl.googleapis.com)
- Cloud Storage API (storage.googleapis.com)
- Compute Engine API (compute.googleapis.com)
- BigQuery API (bigquery.googleapis.com)
For more information about AutoML Tables, refer to the product documentation.

Limitations
All AutoML products that are integrated with VPC Service Controls use the same service address. For more information, see the limitations for using AutoML products with VPC Service Controls.

AutoML Translation

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
automl.googleapis.com, eu-automl.googleapis.com

Details
To fully protect the AutoML API, include all of the following APIs in your perimeter:
- AutoML API (automl.googleapis.com)
- Cloud Storage API (storage.googleapis.com)
- Compute Engine API (compute.googleapis.com)
- BigQuery API (bigquery.googleapis.com)
For more information about AutoML Translation, refer to the product documentation.

Limitations
All AutoML products that are integrated with VPC Service Controls use the same service address. For more information, see the limitations for using AutoML products with VPC Service Controls.

AutoML Video Intelligence

Status
Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
automl.googleapis.com, eu-automl.googleapis.com

Details
To fully protect the AutoML API, include all of the following APIs in your perimeter:
- AutoML API (automl.googleapis.com)
- Cloud Storage API (storage.googleapis.com)
- Compute Engine API (compute.googleapis.com)
- BigQuery API (bigquery.googleapis.com)
For more information about AutoML Video Intelligence, refer to the product documentation.

Limitations
All AutoML products that are integrated with VPC Service Controls use the same service address. For more information, see the limitations for using AutoML products with VPC Service Controls.

AutoML Vision

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
automl.googleapis.com, eu-automl.googleapis.com

Details
To fully protect the AutoML API, include all of the following APIs in your perimeter:
- AutoML API (automl.googleapis.com)
- Cloud Storage API (storage.googleapis.com)
- Compute Engine API (compute.googleapis.com)
- BigQuery API (bigquery.googleapis.com)
For more information about AutoML Vision, refer to the product documentation.

Limitations
All AutoML products that are integrated with VPC Service Controls use the same service address. For more information, see the limitations for using AutoML products with VPC Service Controls.

BigQuery

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
bigquery.googleapis.com

Details
When you protect the BigQuery API using a service perimeter, the BigQuery Storage API is also protected. You do not need to separately add the BigQuery Storage API to your perimeter's list of protected services. For more information about BigQuery, refer to the product documentation.

Limitations
VPC Service Controls does not support copying BigQuery resources protected by a service perimeter to another organization. Access levels do not enable you to copy across organizations. To copy protected BigQuery resources to another organization, download the dataset (for example, as a CSV file), and then upload that file to the other organization.
BigQuery audit log records do not always include all resources that were used when a request is made, because the service internally processes access to multiple resources.
When using a service account to access a BigQuery instance protected by a service perimeter, the BigQuery job must be run within a project inside the perimeter. By default, the BigQuery client libraries run jobs within the service account's or user's project, causing the query to be rejected by VPC Service Controls.

BigQuery Data Transfer Service

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
bigquerydatatransfer.googleapis.com

Details
A service perimeter only protects the BigQuery Data Transfer Service API. The actual data protection is enforced by BigQuery. By design, this allows importing data from various external sources outside of Google Cloud, such as Amazon S3, Redshift, Teradata, YouTube, Google Play and Google Ads, into BigQuery datasets. For more information about BigQuery Data Transfer Service, refer to the product documentation.

Limitations
- The BigQuery Data Transfer Service doesn't support exporting data out of a BigQuery dataset. See Exporting table data for more information.
- The BigQuery Data Transfer Service doesn't support third-party data sources transferring data into projects protected by a service perimeter.

Cloud Bigtable

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
bigtable.googleapis.com

Details
The API for Cloud Bigtable can be protected by VPC Service Controls and the product can be used normally inside service perimeters. For more information about Cloud Bigtable, refer to the product documentation.

Limitations
The Cloud Bigtable integration with VPC Service Controls has no known limitations.

Binary Authorization

Status
Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
binaryauthorization.googleapis.com (beta)

Details
When using multiple projects with Binary Authorization, each project must be included in the VPC Service Controls perimeter. For more information about this use case, see Multi-project setup.
With Binary Authorization, you may use Container Analysis to store attestors and attestations as notes and occurrences, respectively. In this case, you must also include Container Analysis in the VPC Service Controls perimeter. See VPC Service Controls guidance for Container Analysis for additional details.
For more information about Binary Authorization, refer to the product documentation.

Limitations
The Binary Authorization integration with VPC Service Controls has no known limitations.

Certificate Authority Service

Status
Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
privateca.googleapis.com (beta)

Details
The API for Certificate Authority Service can be protected by VPC Service Controls and the product can be used normally inside service perimeters. For more information about Certificate Authority Service, refer to the product documentation.

Limitations

Data Catalog

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
datacatalog.googleapis.com

Details
Data Catalog automatically respects perimeters around other Google Cloud services. For more information about Data Catalog, refer to the product documentation.

Limitations
The Data Catalog integration with VPC Service Controls has no known limitations.

Cloud Data Fusion

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
datafusion.googleapis.com

Details
Cloud Data Fusion requires some special steps to protect using VPC Service Controls. For more information about Cloud Data Fusion, refer to the product documentation.

Limitations
Establish the VPC Service Controls security perimeter before creating your Cloud Data Fusion private instance. Perimeter protection for instances created prior to setting up VPC Service Controls is not supported.
Currently, the Cloud Data Fusion data plane UI does not support specifying access levels using identity-based access.

Compute Engine

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
compute.googleapis.com

Details
VPC Service Controls support for Compute Engine offers the following security benefits:
- Restricts access to sensitive API operations
- Restricts persistent disk snapshots and custom images to a perimeter
- Restricts access to instance metadata
VPC Service Controls support for Compute Engine also enables you to utilize Virtual Private Cloud networks and Google Kubernetes Engine private clusters inside service perimeters. For more information about Compute Engine, refer to the product documentation.

Limitations
Hierarchical firewalls are not affected by service perimeters.
VPC Peering operations do not enforce VPC service perimeter restrictions.
The projects.ListXpnHosts API method for Shared VPC does not enforce service perimeter restrictions on returned projects.
To enable creating a Compute Engine image from Cloud Storage in a project protected by a service perimeter, the user who is creating the image should be added temporarily to an access level for the perimeter.
VPC Service Controls does not support using the open-source version of Kubernetes on Compute Engine VMs inside a service perimeter.

Dataflow

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
dataflow.googleapis.com

Details
Dataflow supports a number of storage service connectors. The following connectors have been verified to work with Dataflow inside a service perimeter:
For more information about Dataflow, refer to the product documentation.

Limitations
Custom BIND is not supported when using Dataflow. To customize DNS resolution when using Dataflow with VPC Service Controls, use Cloud DNS private zones instead of custom BIND servers. To use your own on-premises DNS resolution, consider using a Google Cloud DNS forwarding method.
Not all storage service connectors have been verified to work when used with Dataflow inside a service perimeter. For a list of verified connectors, see the Dataflow details.
When using Python 3.5 with Apache Beam SDK 2.20.0-2.22.0, Dataflow jobs fail at startup if the workers have private IP addresses only, such as when using VPC Service Controls to protect resources. If Dataflow workers can only have private IP addresses, do not use Python 3.5 with Apache Beam SDK 2.20.0-2.22.0.

Dataproc

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
dataproc.googleapis.com

Details
Dataproc requires some special steps to protect using VPC Service Controls. For more information about Dataproc, refer to the product documentation.

Limitations
- To protect a Dataproc cluster with a service perimeter, you must follow the instructions for setting up private connectivity to allow the cluster to function inside the perimeter.

Dataproc Metastore

Status
Preview

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
metastore.googleapis.com

Details
The API for Dataproc Metastore can be protected by VPC Service Controls and the product can be used normally inside service perimeters. For more information about Dataproc Metastore, refer to the product documentation.

Limitations

Cloud Data Loss Prevention

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
dlp.googleapis.com

Details
The API for Cloud Data Loss Prevention can be protected by VPC Service Controls and the product can be used normally inside service perimeters. For more information about Cloud Data Loss Prevention, refer to the product documentation.

Limitations

Cloud Functions

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
cloudfunctions.googleapis.com

Details
See the Cloud Functions documentation for setup steps. VPC Service Controls protection does not apply to the build phase when Cloud Functions are built using Cloud Build. VPC Service Controls protection applies for all function triggers except Firebase Realtime Database triggers and Firebase Crashlytics triggers. For more details, see the known limitations. For more information about Cloud Functions, refer to the product documentation.

Limitations
Cloud Functions uses Cloud Build to build your source code into a runnable container. In order to use Cloud Functions inside a service perimeter, you must configure an access level for the Cloud Build Service Account in your service perimeter.
To allow your functions to use external dependencies such as npm packages, Cloud Build has unlimited internet access. This internet access could be used to exfiltrate data that is available at build time, such as your uploaded source code. If you want to mitigate this exfiltration vector, we recommend that you only allow trusted developers to deploy functions. Do not grant Cloud Functions Owner, Editor, or Developer IAM roles to untrusted developers.
For Firebase Realtime Database triggers and Firebase Crashlytics triggers, a user could deploy a function that could be triggered by changes to a Firebase Realtime Database or Firebase Crashlytics in a different project outside the service perimeter of the project in which the function is deployed. If you want to mitigate the exfiltration vector for these two triggers, we recommend that you only allow trusted developers to deploy functions. Do not grant Cloud Functions Owner, Editor, or Developer IAM roles to untrusted developers.

Serverless VPC Access

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
vpcaccess.googleapis.com

Details
The API for Serverless VPC Access can be protected by VPC Service Controls and the product can be used normally inside service perimeters. For more information about Serverless VPC Access, refer to the product documentation.

Limitations
The Serverless VPC Access integration with VPC Service Controls has no known limitations.

Cloud Key Management Service

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
cloudkms.googleapis.com

Details
The API for Cloud Key Management Service can be protected by VPC Service Controls and the product can be used normally inside service perimeters. For more information about Cloud Key Management Service, refer to the product documentation.

Limitations
The Cloud Key Management Service integration with VPC Service Controls has no known limitations.

Game Servers

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
gameservices.googleapis.com

Details
The API for Game Servers can be protected by VPC Service Controls and the product can be used normally inside service perimeters. For more information about Game Servers, refer to the product documentation.

Limitations
The Game Servers integration with VPC Service Controls has no known limitations.

Identity-Aware Proxy for TCP

Status
Beta. This product integration is ready for broader testing and use, but is not fully supported for production environments.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
iaptunnel.googleapis.com

Details
The API for Identity-Aware Proxy for TCP can be protected by VPC Service Controls and the product can be used normally inside service perimeters. For more information about Identity-Aware Proxy for TCP, refer to the product documentation.

Limitations
Only the usage API of IAP for TCP can be protected by a perimeter. The administrative API cannot be protected by a perimeter.
To use IAP for TCP within a VPC Service Controls service perimeter, you must add or configure some DNS entries to point the following domains to the restricted VIP:
- tunnel.cloudproxy.app
- *.tunnel.cloudproxy.app

Managed Service for Microsoft Active Directory

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
managedidentities.googleapis.com

Details
Additional configuration required for:
For more information about Managed Service for Microsoft Active Directory, refer to the product documentation.

Limitations
The Managed Service for Microsoft Active Directory integration with VPC Service Controls has no known limitations.

Secret Manager

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
secretmanager.googleapis.com

Details
The API for Secret Manager can be protected by VPC Service Controls and the product can be used normally inside service perimeters. For more information about Secret Manager, refer to the product documentation.

Limitations
The Secret Manager integration with VPC Service Controls has no known limitations.

Pub/Sub

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
pubsub.googleapis.com

Details
VPC Service Controls protection applies to all subscriber operations except existing push subscriptions. For more information about Pub/Sub, refer to the product documentation.

Limitations
- In projects protected by a service perimeter, new push subscriptions cannot be created.
- Pub/Sub push subscriptions created prior to the service perimeter will not be blocked.

Pub/Sub Lite

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
pubsublite.googleapis.com

Details
VPC Service Controls protection applies to all subscriber operations. For more information about Pub/Sub Lite, refer to the product documentation.

Limitations
The Pub/Sub Lite integration with VPC Service Controls has no known limitations.

Cloud Build

Status
Preview. This product integration is ready for broader testing and use, but is not fully supported for production environments.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
cloudbuild.googleapis.com

Details
Using VPC Service Controls with Cloud Build is only available to restricted users. For more information about Cloud Build, refer to the product documentation.

Limitations
Using VPC Service Controls with Cloud Build is only available to restricted users.

Cloud Composer

Status
GA.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
composer.googleapis.com (beta)

Details
Configuring Composer for use with VPC Service Controls
For more information about Cloud Composer, refer to the product documentation.

Limitations
Enabling DAG serialization prevents Airflow from displaying a rendered template with functions in the web UI.
Setting the async_dagbag_loader flag to True is not supported while DAG serialization is enabled.
Enabling DAG serialization disables all Airflow web server plugins, as they could risk the security of the VPC network where Cloud Composer is deployed. This doesn't impact the behaviour of scheduler or worker plugins, including Airflow operators and sensors.
When Cloud Composer is running inside a perimeter, access to public PyPI repositories is restricted. In the Cloud Composer documentation, see Installing Python dependencies to learn how to install PyPI modules in Private IP mode.

Cloud Spanner

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
spanner.googleapis.com

Details
The API for Cloud Spanner can be protected by VPC Service Controls and the product can be used normally inside service perimeters. For more information about Cloud Spanner, refer to the product documentation.

Limitations
The Cloud Spanner integration with VPC Service Controls has no known limitations.

Cloud Storage

Status
GA. This product integration is fully supported by VPC Service Controls.

Protect with perimeters?
Yes. You can configure your perimeters to protect this service.

Service address
storage.googleapis.com

Details
The API for Cloud Storage can be protected by VPC Service Controls and the product can be used normally inside service perimeters. For more information about Cloud Storage, refer to the product documentation.

Limitations
When using the Requester Pays feature with a storage bucket inside a service perimeter that protects the Cloud Storage service, you cannot identify a project to pay that is outside the perimeter. The target project must be in the same perimeter as the storage bucket or in a perimeter bridge with the bucket's project. For more information about Requester Pays, see the Requester Pays use and access requirements.
For projects in a service perimeter, the Cloud Storage page in the Cloud Console is not accessible if the Cloud Storage API is protected by that perimeter. If you want to grant access to the page, you must create an access level that includes either the user accounts or a public IP range that you want to allow to access the Cloud Storage API.
In audit log records, the resourceName field does not identify the project that owns a bucket. The project must be discovered separately.
In audit log records, the value for methodName is not always correct. We recommend that you do not filter Cloud Storage audit log records by methodName.
In certain cases, Cloud Storage legacy bucket logs can be written to destinations outside of a service perimeter even when access is denied.
When you attempt to use gsutil for the first time in a new project, you may be prompted to enable the storage-api.googleapis.com service. While you cannot directly protect storage-api.googleapis.com, when you protect the Cloud Storage API using a service perimeter, gsutil operations are also protected.

Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
sqladmin.googleapis.com
|
Details
|
VPC Service Controls perimeters protect the Cloud SQL Admin API.
For more information about Cloud SQL, refer to the
product documentation.
|
Limitations
|
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
videointelligence.googleapis.com
|
Details
|
The API for Video Intelligence API can be protected by VPC Service Controls and the product can be
used normally inside service perimeters.
For more information about Video Intelligence API, refer to the
product documentation.
|
Limitations
|
The Video Intelligence API integration with VPC Service Controls has no known limitations.
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
vision.googleapis.com
|
Details
|
The API for Cloud Vision API can be protected by VPC Service Controls and the product can be
used normally inside service perimeters.
For more information about Cloud Vision API, refer to the
product documentation.
|
Limitations
|
The Cloud Vision API integration with VPC Service Controls has no known limitations.
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
containeranalysis.googleapis.com
|
Details
|
To use Container Analysis with VPC Service Controls, you may have
to add other services to your VPC perimeter:
Because the Container Scanning API is a surfaceless API that stores the results
in Container Analysis, you do not need to protect the API with a service
perimeter.
For more information about Container Analysis, refer to the
product documentation.
|
Limitations
|
The Container Analysis integration with VPC Service Controls has no known limitations.
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
containerregistry.googleapis.com
|
Details
|
In addition to protecting the Container Registry API,
Container Registry can be used inside a service perimeter with
GKE and Compute Engine.
For more information about Container Registry, refer to the
product documentation.
|
Limitations
|
Because it does not use the googleapis.com domain, Container Registry
must be configured via Private DNS or BIND to map to the restricted VIP
separately from other APIs. For more information, see
Securing Container Registry in a service perimeter.
In addition to the containers inside a perimeter that are available to
Container Registry, the following read-only Google-managed repositories
are available to all projects regardless of service perimeters:
- gcr.io/asci-toolchain
- gcr.io/cloud-airflow-releaser
- gcr.io/cloud-builders
- gcr.io/cloud-dataflow
- gcr.io/cloud-marketplace
- gcr.io/cloud-ssa
- gcr.io/cloudsql-docker
- gcr.io/config-management-release
- gcr.io/foundry-dev
- gcr.io/fn-img
- gcr.io/gke-node-images
- gcr.io/gke-release
- gcr.io/google-containers
- gcr.io/kubeflow
- gcr.io/kubeflow-images-public
- gcr.io/kubernetes-helm
- gcr.io/istio-release
- gcr.io/ml-pipeline
- gcr.io/projectcalico-org
- gcr.io/rbe-containers
- gcr.io/rbe-windows-test-images
- gcr.io/speckle-umbrella
- gcr.io/stackdriver-agents
- gcr.io/tensorflow
- gke.gcr.io
- k8s.gcr.io
- mirror.gcr.io
In all cases, the multi-regional versions of these repositories are also
available.
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
container.googleapis.com, gkeconnect.googleapis.com, gkehub.googleapis.com
|
Details
|
The API for Google Kubernetes Engine can be protected by VPC Service Controls and the product can be
used normally inside service perimeters.
For more information about Google Kubernetes Engine, refer to the
product documentation.
|
Limitations
|
- Only private clusters can be protected using VPC Service Controls. Clusters with
public IP addresses are not supported by VPC Service Controls.
|
|
|
Status
|
Beta. This product integration is ready for broader testing and use, but is
not fully supported for production environments.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
cloudresourcemanager.googleapis.com (beta)
|
Details
|
The API for Resource Manager can be protected by VPC Service Controls and the product can be
used normally inside service perimeters.
For more information about Resource Manager, refer to the
product documentation.
|
Limitations
|
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
logging.googleapis.com
|
Details
|
Because VPC Service Controls doesn't support Folder and Organization resources,
Folder-level and Organization-level logs are not protected
by VPC Service Controls. For more information, refer to the known service
limitations.
For more information about Cloud Logging, refer to the
product documentation.
|
Limitations
|
Aggregated export sinks (folder or organization sinks where
includeChildren is true) can access data from projects inside a service
perimeter. We recommend using IAM to manage Logging permissions at the
folder and organization level.
Because VPC Service Controls does not currently support folder and
organization resources, log exports of folder-level and organization-level
logs (including aggregate logs) do not support service perimeters. We
recommend using IAM to restrict exports to the service accounts required
to interact with the perimeter-protected services.
To set up an organization or folder log export to a resource protected by
a service perimeter, you must add the service account for that log sink to an
access level and then assign it to the destination service perimeter.
This is not necessary for project-level log exports.
For more information, refer to the following pages:
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
monitoring.googleapis.com
|
Details
|
The API for Cloud Monitoring can be protected by VPC Service Controls and the product can be
used normally inside service perimeters.
For more information about Cloud Monitoring, refer to the
product documentation.
|
Limitations
|
Notification channels, alerting policies, and custom metrics can be used
together to exfiltrate data or metadata. As of today, a user of
Monitoring can set up a notification channel that points to
an entity outside of the organization, e.g. "baduser@badcompany.com". The
user then sets up custom metrics and corresponding alert policies that
use the notification channel. As a result, by manipulating the custom
metrics, the user can trigger alerts and send alert-firing notifications,
exfiltrating sensitive data to baduser@badcompany.com, outside of
the VPC Service Controls perimeter.
While Monitoring in Google Cloud Console supports VPC Service Controls,
VPC Service Controls for the classic Cloud Monitoring console are not
fully supported.
Any Compute Engine or AWS VMs with the Monitoring Agent installed must be
inside the VPC Service Controls perimeter or agent metric writes will fail.
Any GKE Pods must be inside the VPC Service Controls perimeter or
GKE Monitoring will not work.
When querying metrics for a workspace, only the VPC Service Controls
perimeter of the workspace's host project is considered, not the
perimeters of the individual monitored projects in the workspace.
A project can only be added as a monitored project to an existing
workspace if that project is in the same VPC Service Controls perimeter
as the workspace's host project.
To access Monitoring in the Cloud Console for a host project that is
protected by a service perimeter, use access levels.
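The exfiltration path above (a notification channel pointing outside the organization) is not something a perimeter blocks, so the practical control is to inventory channels and flag the ones that deliver externally. The following is an added example, not Google's code: it classifies NotificationChannel resources of the shape returned by the Monitoring API's notificationChannels.list method (fields name, type and labels; label email_address for type email, label url for the webhook types). The allowed mail domain and webhook hosts are assumptions the operator supplies, and the sample channels are constructed.

```python
"""Flag Cloud Monitoring notification channels that can deliver outside the org.

Added example (not Google's code). Input: NotificationChannel dicts as returned
by projects.notificationChannels.list. Sample data below is constructed.
"""
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse

# Assumptions for this example: the organization's own mail domain and the
# hosts of webhook receivers it operates. Replace with your own values.
ALLOWED_EMAIL_DOMAINS = frozenset({"example.com"})
ALLOWED_WEBHOOK_HOSTS = frozenset({"hooks.example.com"})

# Channel types whose delivery target stays inside Google Cloud.
IN_PLATFORM_TYPES = frozenset({"pubsub"})
# Real Monitoring channel types that post to an operator-chosen URL.
WEBHOOK_TYPES = frozenset({"webhook_tokenauth", "webhook_basicauth"})


def _under_allowed(host: str, allowed: Iterable[str]) -> bool:
    """True if host equals an allowed domain or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def classify_channel(channel: dict,
                     allowed_email_domains: Iterable[str] = ALLOWED_EMAIL_DOMAINS,
                     allowed_webhook_hosts: Iterable[str] = ALLOWED_WEBHOOK_HOSTS
                     ) -> Optional[Dict[str, str]]:
    """Return a finding for a channel that can deliver outside the org, else None."""
    ctype = channel.get("type", "")
    labels = channel.get("labels", {})
    name = channel.get("name", "<unnamed>")
    if ctype in IN_PLATFORM_TYPES:
        return None
    if ctype == "email":
        addr = labels.get("email_address", "")
        domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
        if _under_allowed(domain, allowed_email_domains):
            return None
        return {"name": name, "type": ctype, "destination": addr,
                "reason": "email domain not in allow list"}
    if ctype in WEBHOOK_TYPES:
        url = labels.get("url", "")
        host = urlparse(url).hostname or ""
        if _under_allowed(host, allowed_webhook_hosts):
            return None
        return {"name": name, "type": ctype, "destination": url,
                "reason": "webhook host not in allow list"}
    # sms, slack, pagerduty and any other type deliver to a third party by
    # construction; this example's policy surfaces all of them for review.
    return {"name": name, "type": ctype, "destination": str(labels),
            "reason": "third-party delivery type"}


def find_external_channels(channels: Iterable[dict], **kw) -> List[Dict[str, str]]:
    """Run classify_channel over an inventory and keep only the findings."""
    return [f for f in (classify_channel(c, **kw) for c in channels) if f]


# Constructed sample inventory; the bad address is the one the page names.
SAMPLE_CHANNELS = [
    {"name": "projects/example-project/notificationChannels/1", "type": "email",
     "labels": {"email_address": "oncall@example.com"}},
    {"name": "projects/example-project/notificationChannels/2", "type": "email",
     "labels": {"email_address": "baduser@badcompany.com"}},
    {"name": "projects/example-project/notificationChannels/3", "type": "webhook_tokenauth",
     "labels": {"url": "https://hooks.example.com/alerts"}},
    {"name": "projects/example-project/notificationChannels/4", "type": "webhook_tokenauth",
     "labels": {"url": "https://paste.badcompany.example/drop"}},
    {"name": "projects/example-project/notificationChannels/5", "type": "pubsub",
     "labels": {"topic": "projects/example-project/topics/alerts"}},
]

if __name__ == "__main__":
    for finding in find_external_channels(SAMPLE_CHANNELS):
        print(f"{finding['name']}: {finding['type']} -> {finding['destination']} ({finding['reason']})")
```

In practice the inventory comes from the API or from the gcloud beta monitoring channels list command with JSON output, and the check is run per host project, since a channel created in any monitored project can be attached to an alerting policy that carries perimeter-protected metric values.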
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
cloudprofiler.googleapis.com
|
Details
|
The API for Cloud Profiler can be protected by VPC Service Controls and the product can be
used normally inside service perimeters.
For more information about Cloud Profiler, refer to the
product documentation.
|
Limitations
|
The Cloud Profiler integration with VPC Service Controls has no known limitations.
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
cloudtrace.googleapis.com
|
Details
|
The API for Cloud Trace can be protected by VPC Service Controls and the product can be
used normally inside service perimeters.
For more information about Cloud Trace, refer to the
product documentation.
|
Limitations
|
The Cloud Trace integration with VPC Service Controls has no known limitations.
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
tpu.googleapis.com
|
Details
|
The API for Cloud TPU can be protected by VPC Service Controls and the product can be
used normally inside service perimeters.
For more information about Cloud TPU, refer to the
product documentation.
|
Limitations
|
The Cloud TPU integration with VPC Service Controls has no known limitations.
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
language.googleapis.com
|
Details
|
The API for Natural Language API can be protected by VPC Service Controls and the product can be
used normally inside service perimeters.
For more information about Natural Language API, refer to the
product documentation.
|
Limitations
|
The Natural Language API integration with VPC Service Controls has no known limitations.
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
cloudasset.googleapis.com
|
Details
|
Because VPC Service Controls doesn't support Folder and Organization resources,
access to assets via Cloud Asset API at the Folder or Organization level is
not protected by VPC Service Controls. For more information, refer to the known service
limitations.
For more information about Cloud Asset API, refer to the
product documentation.
|
Limitations
|
- When calling Cloud Asset API at the Folder or Organization level, data from
projects inside a service perimeter that belong to the folder or
organization can still be accessed. We recommend using IAM to manage
Cloud Asset Inventory permissions at the folder and organization level.
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
speech.googleapis.com
|
Details
|
The API for Speech-to-Text can be protected by VPC Service Controls and the product can be
used normally inside service perimeters.
For more information about Speech-to-Text, refer to the
product documentation.
|
Limitations
|
The Speech-to-Text integration with VPC Service Controls has no known limitations.
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
texttospeech.googleapis.com
|
Details
|
The API for Text-to-Speech can be protected by VPC Service Controls and the product can be
used normally inside service perimeters.
For more information about Text-to-Speech, refer to the
product documentation.
|
Limitations
|
The Text-to-Speech integration with VPC Service Controls has no known limitations.
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
translate.googleapis.com
|
Details
|
The API for Translation can be protected by VPC Service Controls and the product can be
used normally inside service perimeters.
For more information about Translation, refer to the
product documentation.
|
Limitations
|
The Translation integration with VPC Service Controls has no known limitations.
|
|
|
Status
|
Beta. This product integration is ready for broader testing and use, but is
not fully supported for production environments.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
accessapproval.googleapis.com (beta)
|
Details
|
The API for Access Approval can be protected by VPC Service Controls and the product can be
used normally inside service perimeters.
For more information about Access Approval, refer to the
product documentation.
|
Limitations
|
The Access Approval integration with VPC Service Controls has no known limitations.
|
|
|
Status
|
Beta. This product integration is ready for broader testing and use, but is
not fully supported for production environments.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
healthcare.googleapis.com (beta)
|
Details
|
The API for Cloud Healthcare API can be protected by VPC Service Controls and the product can be
used normally inside service perimeters.
For more information about Cloud Healthcare API, refer to the
product documentation.
|
Limitations
|
The Cloud Healthcare API integration with VPC Service Controls has no known limitations.
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
storagetransfer.googleapis.com
|
Details
|
We recommend placing your Storage Transfer Service (STS) project within the
same service perimeter as your Cloud Storage resources. This protects both
your transfer and your Cloud Storage resources. Storage Transfer Service
also supports scenarios where the Storage Transfer Service project is not
in the same perimeter as your Cloud Storage buckets, using either a
perimeter bridge or access levels.
For setup information, see Using Storage Transfer Service with VPC Service
Controls.
Transfer service for on-premises data
During Beta, Transfer service for on-premises data (Transfer for on-premises)
supports VPC Service Controls for transfer payloads only. This includes
scenarios where Transfer for on-premises agents are added to an access level
that allows them to access resources in the perimeter, or when Transfer for
on-premises agents are within a perimeter shared with target Cloud Storage
buckets and Transfer service for on-premises data jobs.
For more information, see Using Transfer for on-premises with VPC Service
Controls.
File metadata, such as object names, is not guaranteed to stay within the
perimeter. For more information, see VPC Service Controls and metadata.
For more information about Storage Transfer Service, refer to the
product documentation.
|
Limitations
|
- Transfer service for on-premises data doesn't offer an API, and therefore does not
support API-related features in VPC Service Controls.
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
servicecontrol.googleapis.com
|
Details
|
The API for Service Control can be protected by VPC Service Controls and the product can be
used normally inside service perimeters.
For more information about Service Control, refer to the
product documentation.
|
Limitations
|
- When you call the Service Control API from a VPC network in a service
perimeter with Service Control restricted, you can't use the
Service Control report
method to report billing and analytics metrics.
|
|
|
Status
|
GA. This product integration is fully supported by VPC Service Controls.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
redis.googleapis.com
|
Details
|
The API for Memorystore for Redis can be protected by VPC Service Controls and the product can be
used normally inside service perimeters.
For more information about Memorystore for Redis, refer to the
product documentation.
|
Limitations
|
Service perimeters protect only the Memorystore for Redis API. Perimeters
do not protect normal data access on Memorystore for Redis instances
within the same network.
If the Cloud Storage API is also protected, then
Memorystore for Redis import and export operations can only read and
write to a Cloud Storage bucket within the same service perimeter as
the Memorystore for Redis instance.
|
|
|
Status
|
Beta. This product integration is ready for broader testing and use, but is
not fully supported for production environments.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
servicedirectory.googleapis.com (beta)
|
Details
|
The API for Service Directory can be protected by VPC Service Controls and the product can be
used normally inside service perimeters.
For more information about Service Directory, refer to the
product documentation.
|
Limitations
|
The Service Directory integration with VPC Service Controls has no known limitations.
|
|
|
Status
|
Beta. This product integration is ready for broader testing and use, but is
not fully supported for production environments.
|
Protect with perimeters?
|
No. The API for Transfer Appliance cannot be protected by service perimeters.
However, Transfer Appliance can be used normally in projects inside a perimeter.
|
Details
|
Transfer Appliance is fully supported for projects using
VPC Service Controls.
Transfer Appliance doesn't offer an API, and therefore does
not support API-related features in VPC Service Controls.
For more information about Transfer Appliance, refer to the
product documentation.
|
Limitations
|
- When Cloud Storage is protected by VPC Service Controls, the Cloud KMS key
you share with the Transfer Appliance Team must be within the same project
as the destination Cloud Storage bucket.
|
|
|
Status
|
Beta. This product integration is ready for broader testing and use, but is
not fully supported for production environments.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
oslogin.googleapis.com
|
Details
|
You can call the OS Login API from within VPC Service Controls perimeters. To manage
OS Login from within VPC Service Controls perimeters,
set up OS Login.
SSH connections to VM instances are not protected by VPC Service Controls.
For more information about OS Login, refer to the
product documentation.
|
Limitations
|
The OS Login integration with VPC Service Controls has no known limitations.
|
|
|
Status
|
Beta. This product integration is ready for broader testing and use, but is
not fully supported for production environments.
|
Protect with perimeters?
|
Yes. You can configure your perimeters to protect this service.
|
Service address
|
osconfig.googleapis.com
|
Details
|
You can call the OS Config API from within VPC Service Controls perimeters. To use
VM Manager from within VPC Service Controls perimeters,
set up VM Manager.
For more information about VM Manager, refer to the
product documentation.
|
Limitations
|
To fully protect VM Manager, you must include all of the following APIs in
your perimeter:
- OS Config API (osconfig.googleapis.com)
- Compute Engine API (compute.googleapis.com)
- Container Analysis API (containeranalysis.googleapis.com)
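Two of the limitations on this page are easy to get wrong silently: a perimeter that restricts osconfig.googleapis.com but not the other two VM Manager APIs above, and an organization- or folder-level log sink (Cloud Logging limitations) whose writer identity was never added to an access level attached to the destination perimeter. The following is an added example, not Google's code: it reads perimeter and access-level resources in the JSON shape returned by gcloud access-context-manager perimeters describe and gcloud access-context-manager levels describe (the enforced configuration lives under status; restrictedServices and accessLevels are real fields), and reports both problems. The policy number, project number, perimeter name and service-account addresses in the sample are constructed placeholders.

```python
"""Static checks on VPC Service Controls perimeter configuration.

Added example (not Google's code). Inputs are dicts shaped like the JSON output
of `gcloud access-context-manager perimeters describe` and `... levels describe`.
Check 1: a service group that must be restricted together is only partially restricted.
Check 2: a log sink's writer identity is admitted by an access level on the perimeter.
"""
from typing import Dict, Iterable, List

# Service groups this page says must be restricted together. Extend as needed.
SERVICE_GROUPS: Dict[str, frozenset] = {
    "VM Manager": frozenset({
        "osconfig.googleapis.com",
        "compute.googleapis.com",
        "containeranalysis.googleapis.com",
    }),
}


def enforced_config(perimeter: dict) -> dict:
    """Return the enforced configuration ('status'); 'spec' is dry-run only and ignored here."""
    return perimeter.get("status") or {}


def find_incomplete_groups(perimeter: dict) -> Dict[str, List[str]]:
    """For each group that is partially restricted, list the services still missing.

    A group that is entirely absent is not reported: the product is simply not
    in scope for this perimeter.
    """
    restricted = set(enforced_config(perimeter).get("restrictedServices", []))
    findings: Dict[str, List[str]] = {}
    for group, members in SERVICE_GROUPS.items():
        present = members & restricted
        if present and present != members:
            findings[group] = sorted(members - restricted)
    return findings


def _level_members(level: dict) -> set:
    """Collect principals from a basic access level's conditions."""
    conditions = (level.get("basic") or {}).get("conditions", [])
    return {m for c in conditions for m in c.get("members", [])}


def sink_writer_admitted(perimeter: dict, levels: Iterable[dict], writer_identity: str) -> bool:
    """True if writer_identity is a member of an access level attached to the perimeter."""
    attached = set(enforced_config(perimeter).get("accessLevels", []))
    return any(level.get("name") in attached and writer_identity in _level_members(level)
               for level in levels)


# Constructed sample data: placeholder policy number, project number and SAs.
SAMPLE_PERIMETER = {
    "name": "accessPolicies/123456789/servicePerimeters/vm_fleet",
    "title": "vm_fleet",
    "perimeterType": "PERIMETER_TYPE_REGULAR",
    "status": {
        "resources": ["projects/111111111111"],
        "restrictedServices": ["osconfig.googleapis.com", "compute.googleapis.com",
                               "logging.googleapis.com"],
        "accessLevels": ["accessPolicies/123456789/accessLevels/org_log_sinks"],
    },
}
SAMPLE_LEVELS = [{
    "name": "accessPolicies/123456789/accessLevels/org_log_sinks",
    "title": "org_log_sinks",
    "basic": {"conditions": [{"members": [
        "serviceAccount:o123456-987654@gcp-sa-logging.iam.gserviceaccount.com"]}]},
}]
# writerIdentity values as `gcloud logging sinks describe` would show them (constructed).
ORG_SINK_WRITER = "serviceAccount:o123456-987654@gcp-sa-logging.iam.gserviceaccount.com"
OTHER_WRITER = "serviceAccount:o123456-000000@gcp-sa-logging.iam.gserviceaccount.com"

if __name__ == "__main__":
    for group, missing in find_incomplete_groups(SAMPLE_PERIMETER).items():
        print(f"{group}: perimeter must also restrict {', '.join(missing)}")
    print("org sink admitted:", sink_writer_admitted(SAMPLE_PERIMETER, SAMPLE_LEVELS, ORG_SINK_WRITER))
    print("other sink admitted:", sink_writer_admitted(SAMPLE_PERIMETER, SAMPLE_LEVELS, OTHER_WRITER))
```

Only the enforced configuration is evaluated; if you run perimeters in dry-run mode, point the same checks at the spec block as well so a proposed change is validated before it is enforced.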
|
|