Supported products and limitations

This page contains a table of products and services that are supported by VPC Service Controls, as well as a list of known limitations with certain services and interfaces.

Supported products

VPC Service Controls supports the following products:

Supported products

AI Platform Training

Details

VPC Service Controls supports AI Platform Training jobs, but it does not support AI Platform Prediction (batch prediction or online prediction), even though the two products share a single API.

Limitations Known limitations

AI Platform Notebooks

Details

None

Limitations Known limitations

Anthos Service Mesh

Details

VPC Service Controls perimeters can only protect the Cloud Service Mesh Certificate Authority API. You can add a service perimeter to protect your Identity Namespace.

Artifact Registry

Details

In addition to protecting the Artifact Registry API, Artifact Registry is supported for VPC Service Controls use with GKE and Compute Engine.

Limitations Known limitations

AutoML Natural Language

Details

None

AutoML Tables

Details

None

AutoML Translation

Details

None

AutoML Video Intelligence

Details

None

AutoML Vision

Details

None

BigQuery

Details

When you protect the BigQuery API using a service perimeter, the BigQuery Storage API is also protected. You do not need to separately add the BigQuery Storage API to your perimeter's list of protected services.

Limitations Known limitations

Cloud Bigtable

Details

None

Cloud Data Fusion

Details

Cloud Data Fusion requires some special steps to protect using VPC Service Controls.

Limitations Known limitations

Compute Engine

Details

VPC Service Controls support for Compute Engine enables you to utilize Virtual Private Cloud networks and Google Kubernetes Engine private clusters inside service perimeters.

Limitations Known limitations

Dataflow

Details

Dataflow supports a number of storage service connectors. The following connectors have been verified to work with Dataflow inside a service perimeter:

Limitations Known limitations

Dataproc

Details

Dataproc requires some special steps to protect using VPC Service Controls.

Limitations Known limitations

Cloud Data Loss Prevention

Details

None

Cloud Functions

Details

See the Cloud Functions documentation for setup steps. VPC Service Controls protection does not apply for the build phase when Cloud Functions are built using Cloud Build. VPC Service Controls protection applies for all function triggers except Firebase Realtime Database triggers and Firebase Crashlytics triggers. For more details, see the known limitations.

Limitations Known limitations

Cloud Key Management Service

Details

None

Managed Service for Microsoft Active Directory

Details

Additional configuration required for:

Secret Manager

Details

None

Pub/Sub

Details

VPC Service Controls protection applies to all subscriber operations except existing push subscriptions.

Limitations Known limitations

Cloud Spanner

Details

None

Cloud Storage

Details

None

Limitations Known limitations

Cloud SQL

Details

VPC Service Controls perimeters protect the Cloud SQL Admin API.

Limitations Known limitations

Video Intelligence API

Details

None

Cloud Vision API

Details

None

Container Registry

Details

In addition to protecting the Container Registry API, Container Registry is supported for VPC Service Controls use with GKE and Compute Engine.

Limitations Known limitations

Google Kubernetes Engine

Details

None

Resource Manager

Details

None

Limitations Known limitations

Cloud Logging

Details

While VPC Service Controls protects most types of logs, VPC Service Controls doesn't yet support Folder and Organization resources. Because of this, Folder-level and Organization-level logs are not protected by VPC Service Controls. For more information, refer to the known service limitations.

Limitations Known limitations

Cloud Monitoring

Details

None

Limitations Known limitations

Cloud Profiler

Details

None

Cloud Trace

Details

None

Cloud TPU

Details

None

Natural Language API

Details

None

Cloud Asset API

Details

Because VPC Service Controls doesn't yet support Folder and Organization resources, access to assets via Cloud Asset API at the folder or organizational level is not protected by VPC Service Controls. For more information, refer to the known service limitations.

Limitations Known limitations

Text-to-Speech

Details

None

Translation

Details

None

Access Approval

Details

None

Cloud Healthcare API

Details

None

Limitations Known limitations

For more information, read about supported and unsupported services.

APIs and service perimeters

Not all products that are supported by VPC Service Controls have a service that can be protected by a service perimeter. Only the following APIs can be protected with a perimeter:

APIs and service addresses
Access Approval API accessapproval.googleapis.com
AI Platform Training and Prediction API ml.googleapis.com
Artifact Registry API artifactregistry.googleapis.com
AutoML API automl.googleapis.com
eu-automl.googleapis.com
BigQuery API bigquery.googleapis.com
Cloud Bigtable API bigtable.googleapis.com
Cloud Asset Inventory API cloudasset.googleapis.com
Cloud Data Fusion API datafusion.googleapis.com
Dataflow API dataflow.googleapis.com
Dataproc API dataproc.googleapis.com
Cloud Data Loss Prevention API dlp.googleapis.com
Cloud Functions API cloudfunctions.googleapis.com
Cloud Key Management Service API cloudkms.googleapis.com
Secret Manager API secretmanager.googleapis.com
Cloud Natural Language API language.googleapis.com
Managed Service for Microsoft Active Directory API managedidentities.googleapis.com
Pub/Sub API pubsub.googleapis.com
Cloud Service Mesh Certificate Authority API meshca.googleapis.com
Cloud Spanner API spanner.googleapis.com
Cloud Storage API storage.googleapis.com
Cloud SQL API sqladmin.googleapis.com
Cloud Vision API vision.googleapis.com
Container Registry API containerregistry.googleapis.com
Google Kubernetes Engine API container.googleapis.com
GKE Connect API gkeconnect.googleapis.com
GKE Hub API gkehub.googleapis.com
Resource Manager API cloudresourcemanager.googleapis.com
Cloud Logging API logging.googleapis.com
Cloud Monitoring API monitoring.googleapis.com
Cloud Profiler API profiler.googleapis.com
Text-to-Speech API texttospeech.googleapis.com
Cloud Translation API translate.googleapis.com
Cloud Trace API cloudtrace.googleapis.com
Cloud TPU API tpu.googleapis.com
Video Intelligence API videointelligence.googleapis.com
Cloud Healthcare API healthcare.googleapis.com

Unsupported services

Attempting to restrict an unsupported service using the gcloud command-line tool or the Access Context Manager API will result in an error.

Cross-project access to data of supported services will be blocked by VPC Service Controls. Additionally, the restricted VIP can be used to block the ability of workloads to call unsupported services.

Known limitations

This section describes known limitations with certain Google Cloud services, products, and interfaces that can be encountered when using VPC Service Controls.

For more information on resolving issues with VPC Service Controls, refer to the Troubleshooting page.

AI Platform Training

  • To fully protect your AI Platform Training training jobs, add all of the following APIs to the service perimeter:

    • AI Platform Training and Prediction API (ml.googleapis.com)
    • Pub/Sub API (pubsub.googleapis.com)
    • Cloud Storage API (storage.googleapis.com)
    • Google Kubernetes Engine API (container.googleapis.com)
    • Container Registry API (containerregistry.googleapis.com)
    • Cloud Logging API (logging.googleapis.com)

    Read more about setting up VPC Service Controls for AI Platform Training.

  • Training with TPUs is not supported when you use AI Platform Training inside a service perimeter.

  • When you protect the AI Platform Training and Prediction API by using a service perimeter, you only protect AI Platform Training, not AI Platform Prediction. However, some AI Platform Prediction functionality is disabled.

AI Platform Notebooks

  • To use AI Platform Notebooks within a VPC Service Controls service perimeter, you must add or configure several DNS entries to point the following domains to the restricted VIP:

    • *.notebooks.googleapis.com
    • *.datalab.cloud.google.com
    • *.notebooks.cloud.google.com
    • *.notebooks.googleusercontent.com

App Engine

  • App Engine (both standard environment and flexible environment) is not supported by VPC Service Controls. Do not include App Engine projects in service perimeters.

    However, it is possible to allow App Engine apps created in projects outside service perimeters to read and write data to protected services inside perimeters. To allow your app to access the data of protected services, create an access level that includes the project's App Engine service account. This does not enable App Engine to be used inside service perimeters.

Artifact Registry

Because it is not using the googleapis.com domain, Artifact Registry must be configured via Private DNS or BIND to map to the restricted VIP separately from other APIs. For more information, see Securing repositories in a service perimeter.

BigQuery

  • VPC Service Controls does not support copying BigQuery resources protected by a service perimeter to another organization. Access levels do not enable you to copy across organizations.

    To copy protected BigQuery resources to another organization, download the dataset (for example, as a CSV file), and then upload that file to the other organization.

  • The BigQuery Data Transfer Service is supported only for the following services:

    • Campaign Manager
    • Google Ad Manager
    • Google Ads
    • Google Cloud Storage
    • Google Merchant Center
    • Google Play
    • YouTube
  • The BigQuery Classic Web UI is not supported. A BigQuery instance protected by a service perimeter cannot be accessed with the BigQuery Classic Web UI.

  • The third-party ODBC driver for BigQuery cannot currently be used with the restricted VIP.

  • BigQuery audit log records do not always include all resources that were used when a request is made, due to the service internally processing access to multiple resources.

  • When using a service account to access a BigQuery instance protected by a service perimeter, the BigQuery job must be run within a project inside the perimeter. By default, the BigQuery client libraries will run jobs within the service account or user's project, causing the query to be rejected by VPC Service Controls.

Client libraries

  • The Java and Python client libraries for all supported services are fully supported for access using the restricted VIP. Support for others language is at Alpha stage and should be used for testing purposes only.

  • Clients must use client libraries that have been updated as of November 1, 2018 or later.

  • Service account keys or OAuth2 client metadata used by clients must be updated as of November 1, 2018 or later. Older clients using the token endpoint must change to the endpoint specified in newer key material/client metadata.

Cloud Billing

Cloud Build

  • Cloud Build is not supported by VPC Service Controls. Do not use Cloud Build inside service perimeters.

    However, it is possible to allow Cloud Build in projects outside service perimeters to read and write data to protected services inside perimeters. To allow Cloud Build to access the data of protected services, create an access level that includes the project's Cloud Build service account. This does not enable Cloud Build to be used inside service perimeters.

Cloud Composer

  • Cloud Composer is not supported by VPC Service Controls. Do not use Cloud Composer inside service perimeters.

    To allow Cloud Composer to access resources inside a service perimeter, enable Cloud Composer in a project outside any service perimeter. Then, create and apply an access level to the perimeter that allows requests from the service account for your Cloud Composer environment.

Cloud Data Fusion

  • If you create Cloud Data Fusion instances with a private IP address, you can further protect them using VPC Service Controls. Create your Cloud Data Fusion private instances in Google Cloud projects that are within your service perimeters. Within a private instance, plugins packaged with the instance follow the restrictions applied by the service perimeter.

  • Cloud Data Fusion pipelines are executed on Dataproc clusters. To protect a Dataproc cluster launched within the service perimeter, it must have an internal private IP address only (no public IP address) and be in the same private VPC network as your Cloud Data Fusion instance. A Cloud Data Fusion instance with a private IP address will by default create a Dataproc cluster with an internal private IP address during Cloud Data Fusion pipeline execution.

  • Don't use plugins that use Google Cloud APIs that are not supported by VPC Service Controls. If you do use such plugins, Cloud Data Fusion will block the API calls, resulting in pipeline preview and execution failure.

Dataflow

  • Custom BIND and the restricted.googleapis.com VIP cannot be used for Dataflow because DNS resolution of Dataflow can't be customized.
  • Not all storage service connectors have been verified to work when used with Dataflow inside a service perimeter. For a list of verified connectors, see the Dataflow details.

Dataproc

  • To protect a Dataproc cluster with a service perimeter, you must follow the instructions for setting up private connectivity to allow the cluster to function inside the perimeter.

  • Cloud Dataproc Component Gateway does not support VPC Service Controls.

Cloud Functions

  • Cloud Functions uses Cloud Build to build your source code into a runnable container. In order to use Cloud Functions inside a service perimeter, you must configure an access level for the Cloud Build Service Account in your service perimeter.

  • To allow your functions to use external dependencies such as npm packages, Cloud Build has unlimited internet access. This internet access could be used to exfiltrate data that is available at build time, such as your uploaded source code. If you want to mitigate this exfiltration vector, we recommend that you only allow trusted developers to deploy functions. Do not grant Cloud Functions Owner, Editor, or Developer IAM roles to untrusted developers.

  • For Firebase Realtime Database triggers and Firebase Crashlytics triggers, a user could deploy a function that could be triggered by changes to a Firebase Realtime Database or Firebase Crashlytics in a different project outside the service perimeter of the project in which the function is deployed. If you want to mitigate the exfiltration vector for these two triggers, we recommend that you only allow trusted developers to deploy functions. Do not grant Cloud Functions Owner, Editor, or Developer IAM roles to untrusted developers.

Pub/Sub

  • In projects protected by a service perimeter, new push subscriptions cannot be created.
  • Pub/Sub push subscriptions created prior to the service perimeter will not be blocked.

Cloud Shell

  • Cloud Shell is not supported. It is treated as outside of service perimeters and denied access to data protected by VPC Service Controls.

Cloud Storage

  • When using the Requester Pays feature with a storage bucket inside a service perimeter that protects the Cloud Storage service, you cannot identify a project to pay that is outside the perimeter. The target project must be in the same perimeter as the storage bucket or in a perimeter bridge with the bucket's project.

    For more information about Requester Pays, see the Requester Pays use and access requirements.

  • For projects in a service perimeter, the Cloud Storage page in the Cloud Console is not accessible if the Cloud Storage API is protected by that perimeter. If you want to grant access to the page, you must create an access level that includes either the user accounts or a public IP range that you want to allow to access the Cloud Storage API.

  • In audit log records, the resourceName field does not identify the project that owns a bucket. The project must be discovered separately.

  • In audit log records, the value for methodName is not always correct. We recommend that you do not filter Cloud Storage audit log records by methodName.

  • In certain cases, Cloud Storage legacy bucket logs can be written to destinations outside of a service perimeter even when access is denied.

  • When you attempt to use gsutil for the first time in a new project, you may be prompted to enable the storage-api.googleapis.com service. While you cannot directly protect storage-api.googleapis.com, when you protect the Cloud Storage API using a service perimeter, gsutil operations are also protected.

Compute Engine

  • Currently, you cannot protect the Compute Engine API using a service perimeter.

  • To enable creating a Compute Engine image from a Cloud Storage in a project protected by a service perimeter, the user that is creating the image should be added temporarily to an access level for the perimeter.

  • Using Kubernetes with Compute Engine inside a service perimeter is not supported by VPC Service Controls.

Container Registry

  • Because it is not using the googleapis.com domain, Container Registry must be configured via Private DNS or BIND to map to the restricted VIP separately from other APIs. For more information, see Securing Container Registry in a service perimeter.

  • In addition to the containers inside a perimeter that are available to Container Registry, the following read-only Google-managed repositories are available to all projects regardless of service perimeters:

    • gcr.io/asci-toolchain
    • gcr.io/cloud-airflow-releaser
    • gcr.io/cloud-builders
    • gcr.io/cloud-dataflow
    • gcr.io/cloud-marketplace
    • gcr.io/cloud-ssa
    • gcr.io/cloudsql-docker
    • gcr.io/config-management-release
    • gcr.io/foundry-dev
    • gcr.io/fn-img
    • gcr.io/gke-node-images
    • gcr.io/gke-release
    • gcr.io/google-containers
    • gcr.io/kubeflow
    • gcr.io/kubeflow-images-public
    • gcr.io/kubernetes-helm
    • gcr.io/istio-release
    • gcr.io/ml-pipeline
    • gcr.io/projectcalico-org
    • gcr.io/rbe-containers
    • gcr.io/rbe-windows-test-images
    • gcr.io/speckle-umbrella
    • gcr.io/stackdriver-agents
    • gcr.io/tensorflow
    • gke.gcr.io
    • k8s.gcr.io
    • mirror.gcr.io

    In all cases, the regional versions of these repositories are also available.

Google Cloud Console

  • Because the Cloud Console is only accessible over the internet, it is treated as outside of service perimeters. When you apply a service perimeter, the Cloud Console interface for the services that you protected may become partially or fully inaccessible. For example, if you protected Logging with the perimeter, you will not be able to access the Logging interface in the Cloud Console.

    To allow access from the Cloud Console to resources protected by a perimeter, you need to create an access level for a public IP range that includes the machines of users who want to use the Cloud Console with protected APIs. For example, you could add the public IP range of the NAT gateway of your private network to an access level, and then assign that access level to the service perimeter.

    If you want to limit Cloud Console access to the perimeter to only a specific set of users, you can also add those users to an access level. In that case, only the specified users would be able to access the Cloud Console.

Resource Manager

Cloud Logging

  • Aggregated export sinks (folder or organization sinks where includeChildren is true) can access data from projects inside a service perimeter. We recommend that Cloud IAM is used to manage Logging permissions at the folder and organization level.

  • Because VPC Service Controls does not currently support folder and organization resources, log exports of folder-level and organization-level logs (including aggregate logs) do not support service perimeters. We recommend that Cloud IAM is used to restrict exports to the service accounts required to interact with the perimeter-protected services.

  • To set up an organization or folder log export to a resource protected by a service perimeter, you must add the service account for that log sink to an access level and then assign it to the destination service perimeter. This is not necessary for project-level log exports.

    For more information, refer to the following pages:

Cloud Monitoring

  • Notification channels, alerting policies, and custom metrics can be used together to exfiltrate data/metadata. As of today, a user of Monitoring can set up a notification channel that points to an entity outside of the organization e.g. "baduser@badcompany.com". The user then sets up custom metrics and corresponding alert policies that utilize the notification channel. As a result, by manipulating the custom metrics, the user can trigger alerts and send alert firing notifications, exfiltrating sensitive data to baduser@badcompany.com, outside of the VPC Service Controls perimeter.

  • While Monitoring in Google Cloud Console supports VPC Service Controls, VPC Service Controls for the classic Cloud Monitoring console are not fully supported.

  • Any Compute Engine or AWS VMs with the Monitoring Agent installed must be inside the VPC Service Controls perimeter or agent metric writes will fail.

  • Any GKE Pods must be inside the VPC Service Controls perimeter or GKE Monitoring will not work.

  • When querying metrics for a workspace only the VPC Service Controls perimeter of the workspace's host project is considered, not the perimeters of the individual monitored projects in the workspace.

  • A project can only be added as a monitored project to an existing workspace if that project is in the same VPC Service Controls perimeter as the workspace's host project.

  • To access Monitoring in the Cloud Console for a host project that is protected by a service perimeter, use access levels.

Cloud Asset API

  • When calling Cloud Asset API at the Folder or Organization level, data from projects inside a service perimeter that belongs to the folder or organization can still be accessed. We recommend that Cloud IAM is used to manage Cloud Asset Inventory permissions at the folder and organization level.

Cloud SQL

  • Service perimeters protect only the Cloud SQL Admin API. They do not protect IP-based data access to Cloud SQL instances. You need to use an organization policy constraint to restrict public IP access on Cloud SQL instances.

  • Cloud SQL imports and exports can only perform reads and writes from a Cloud Storage bucket within the same service perimeter as the Cloud SQL replica instance. In the external server migration flow, you need to add the Cloud Storage bucket to the same service perimeter. When creating a key flow for CMEK, you need to create the key in the same service perimeter as the resources that use it. Note: When restoring an instance from a backup, the target instance need to reside in the same service perimeter as the backup.

Cloud Healthcare API

When the Cloud Healthcare API is protected by a service perimeter, you can't export from FHIR stores to BigQuery.