VPC Service Controls is a Google Cloud feature that lets you set up a service perimeter that creates a data transfer boundary around Google Cloud resources. VPC Service Controls adds protection for your App Hub resources, for example by mitigating the risk of data exfiltration. Using VPC Service Controls, you can add projects to service perimeters that protect applications, services, and workloads from requests that cross the perimeter.
App Hub resources are exposed on the apphub.googleapis.com API, which lets you perform operations such as creating and deleting applications, services, and workloads. You set up VPC Service Controls for App Hub by restricting connectivity to this API surface.
We recommend that you protect all App Hub resources when creating a service perimeter.
App Hub supports the following resource types:
- Application
- Discovered service
- Discovered workload
- Service
- Service project attachment (only for applications managed by a host project)
- Workload
Applications in an app-enabled folder
When you enable application management on a folder, the following actions occur:
- Google creates a Google-managed project in the folder called a management project.
- The system enables the required APIs for application management on that project. Some APIs that the system enables are directly related to application management. The remaining APIs are dependencies.
If you want to include the management project in a service perimeter, include the enabled APIs that support VPC Service Controls. For more information, see Create a service perimeter.
APIs enabled on a management project
The following tables list APIs that are automatically enabled for a management project. A Details entry in the support column means that the product supports VPC Service Controls; review that product's documentation for more information, such as limitations or additional configuration requirements. An empty support column means that no VPC Service Controls support entry exists for that API.
APIs involved in designing, building, and deploying applications
APIs in this table include App Hub, Application Design Center, and dependencies used to build applications, deploy applications, and store application data.
Resource Manager is required for enabling and managing app-enabled folders.
API | VPC Service Controls support
---|---
App Hub API (apphub.googleapis.com) | Details
App Design Center API (designcenter.googleapis.com) |
Artifact Registry API (artifactregistry.googleapis.com) | Details
Cloud Asset API (cloudasset.googleapis.com) | Details
Cloud Build API (cloudbuild.googleapis.com) | Details
Cloud Resource Manager API (cloudresourcemanager.googleapis.com) | Details
Infrastructure Manager API (config.googleapis.com) | Details
Container Registry API (containerregistry.googleapis.com) | Details
Identity and Access Management API (iam.googleapis.com) | Details
IAM Service Account Credentials API (iamcredentials.googleapis.com) | Details
Google Cloud Observability APIs
API | VPC Service Controls support
---|---
Cloud Logging (logging.googleapis.com) | Details
Cloud Monitoring (monitoring.googleapis.com) | Details
Cloud Trace (cloudtrace.googleapis.com) | Details
Google Cloud Observability dependencies
Some Logging and Cloud Monitoring features require other product APIs.
The Dataform and Dataplex APIs are BigQuery dependencies.
API | VPC Service Controls support
---|---
BigQuery API (bigquery.googleapis.com) | Details
Analytics Hub API (analyticshub.googleapis.com) (API for BigQuery sharing) | Details
BigQuery Connection API (bigqueryconnection.googleapis.com) | Details
BigQuery Data Policy API (bigquerydatapolicy.googleapis.com) | Details
BigQuery Migration API (bigquerymigration.googleapis.com) | Details
BigQuery Reservation API (bigqueryreservation.googleapis.com) | Details
BigQuery Storage API (bigquerystorage.googleapis.com) | Details
Dataform API (dataform.googleapis.com) | Details
Dataplex API (dataplex.googleapis.com) | Details
Cloud Functions API (cloudfunctions.googleapis.com) | Details
Cloud Storage API (storage.googleapis.com) | Details
Cloud Storage (storage-api.googleapis.com) |
Cloud Storage JSON API (storage-component.googleapis.com) |
Pub/Sub API (pubsub.googleapis.com) | Details
APIs that provide data about resources
API | VPC Service Controls support
---|---
Cloud Quotas API (cloudquotas.googleapis.com) | Details
Service Health API (servicehealth.googleapis.com) | Details
Gemini Cloud Assist
API | VPC Service Controls support
---|---
Gemini for Google Cloud API (cloudaicompanion.googleapis.com) | Details
Applications managed by a host project
You must set up VPC Service Controls on the App Hub host and service projects before you create an application and register services and workloads to the application. For more information, see Create a service perimeter.
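The following script is an added example, not part of the App Hub documentation. It builds the restricted-services list from the APIs the tables above mark as supported (the three without a support entry are left out), emits a dry-run perimeter command that places the host project and its service projects inside the perimeter, and checks a project's enabled APIs for supported services that a perimeter forgot to restrict. The policy ID, perimeter name, project numbers and the sample enabled-API list are constructed placeholders; the gcloud invocation is printed, not executed.

```shell
#!/bin/sh
# Added example: assemble an App Hub VPC Service Controls perimeter and check coverage.

# APIs from the management-project tables that carry a VPC Service Controls entry.
SUPPORTED_APIS="apphub.googleapis.com artifactregistry.googleapis.com \
cloudasset.googleapis.com cloudbuild.googleapis.com \
cloudresourcemanager.googleapis.com config.googleapis.com \
containerregistry.googleapis.com iam.googleapis.com \
iamcredentials.googleapis.com logging.googleapis.com \
monitoring.googleapis.com cloudtrace.googleapis.com bigquery.googleapis.com \
analyticshub.googleapis.com bigqueryconnection.googleapis.com \
bigquerydatapolicy.googleapis.com bigquerymigration.googleapis.com \
bigqueryreservation.googleapis.com bigquerystorage.googleapis.com \
dataform.googleapis.com dataplex.googleapis.com cloudfunctions.googleapis.com \
storage.googleapis.com pubsub.googleapis.com cloudquotas.googleapis.com \
servicehealth.googleapis.com cloudaicompanion.googleapis.com"

# Comma-separated value for --restricted-services.
restricted_services() { printf '%s' "$SUPPORTED_APIS" | tr ' ' ','; }

# Print the dry-run create command: $1=access policy id, $2=perimeter name,
# remaining arguments = project numbers (host project first, then service projects).
perimeter_cmd() {
  policy=$1; name=$2; shift 2
  resources=""
  for p in "$@"; do resources="${resources:+$resources,}projects/$p"; done
  printf 'gcloud access-context-manager perimeters dry-run create %s --policy=%s --perimeter-type=regular --title=%s --resources=%s --restricted-services=%s\n' \
    "$name" "$policy" "$name" "$resources" "$(restricted_services)"
}

# $1 = enabled API names, one per line (for a real project, the output of
# `gcloud services list --enabled --format="value(config.name)"`);
# $2 = the perimeter's comma-separated restricted services.
# Prints each enabled API that supports VPC Service Controls but is not restricted.
missing_from_perimeter() {
  printf '%s\n' "$1" | while read -r api; do
    [ -n "$api" ] || continue
    case ",$2," in *",$api,"*) continue ;; esac
    case " $SUPPORTED_APIS " in *" $api "*) echo "$api" ;; esac
  done
}

# Constructed sample: a perimeter that restricts only two services.
ENABLED="apphub.googleapis.com
cloudbuild.googleapis.com
logging.googleapis.com
designcenter.googleapis.com"
PARTIAL="apphub.googleapis.com,artifactregistry.googleapis.com"
missing_from_perimeter "$ENABLED" "$PARTIAL"
perimeter_cmd 123456789 apphub-perimeter 111111111111 222222222222
```

Running it lists cloudbuild.googleapis.com and logging.googleapis.com as unrestricted (designcenter.googleapis.com is skipped because the page shows no support entry for it), then prints the command to review before removing `dry-run`.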
What's next
- To learn more about VPC Service Controls, see the overview and supported products and limitations.
- For best practices for enabling VPC Service Controls, see Best practices for enabling VPC Service Controls.
- For best practices for designing service perimeters, see Design and architect service perimeters.
- To set up a service perimeter, see Create a service perimeter.