Supported products and limitations (original) (raw)

Skip to main content

• Technology areas

  • Overview
  • Guides
  • Reference
  • Resources

• Cross-product tools

• Console

• Discover

• Product overview

• Supported products

• Services supported by the restricted VIP

• Get started

• Access control with IAM

• Best practices for enabling VPC Service Controls

• Set up a perimeter using Google Cloud console

• Add projects to a perimeter using Terraform

• Set up a VPC Service Controls perimeter for a Virtual Private Cloud network

• Create and test service perimeters

• Service perimeter overview

• Design and architect perimeters

• Create a perimeter

• Control access using service perimeters

• VPC accessible services overview

• Design access levels

• Use ingress and egress rules

  • Ingress and egress rules overview
  • Supported identities for ingress and egress rules
  • Configure ingress and egress rules
  • Configure identity groups and third-party identities
  • Example of using identity groups and third-party identities
  • Configure IAM roles
  • Secure data exchange with ingress and egress rules
  • Context-aware access with ingress rules

• Allow access to protected resources from outside a perimeter

• Allow access to protected resources from an internal IP address

• Tutorial: Protect Compute Engine using a perimeter

• Control access

• Create custom constraints

• Enable communication across service perimeters

• Perimeter bridge overview

• Create a perimeter bridge

• Configure private connectivity

• Private Google Access with VPC Service Controls

• Set up private connectivity to Google APIs and services

• Monitor

• Audit logging

• Set up and view violation dashboard

• Troubleshoot

• Retrieve errors from audit logs

• Diagnose denials and view comprehensive reports

• Diagnose denials and view classic reports

• Troubleshoot common issues

• Troubleshoot issues with other services

Supported products and limitations

This page contains a table of products and services that are supported byVPC Service Controls, as well as a list of known limitations with certain services and interfaces.

List all supported services

To retrieve the complete list of all VPC Service Controls supported products and services, run the following command:

gcloud access-context-manager supported-services list

You get a response with a list of products and services.

NAME TITLE SERVICE_SUPPORT_STAGE AVAILABLE_ON_RESTRICTED_VIP KNOWN_LIMITATIONS SERVICE_ADDRESS SERVICE_NAME SERVICE_STATUS RESTRICTED_VIP_STATUS LIMITATIONS_STATUS . . .

This response includes the following values:

List supported methods for a service

To retrieve the list of methods and permissions supported by VPC Service Controls for a service, run the following command:

gcloud access-context-manager supported-services describe SERVICE_ADDRESS

Replace SERVICE_ADDRESS with the service name of the product or service. For example, aiplatform.googleapis.com.

You get a response with a list of methods and permissions.

availableOnRestrictedVip: RESTRICTED_VIP_STATUS knownLimitations: LIMITATIONS_STATUS name: SERVICE_ADDRESS serviceSupportStage: SERVICE_STATUS supportedMethods: METHODS_LIST . . . title: SERVICE_NAME

In this response, METHODS_LIST lists all the methods and permissions supported by VPC Service Controls for the specified service. For a complete list of all the supported service methods and permissions, seeSupported service method restrictions.

For information about the service methods that VPC Service Controls can't control, see Service method exceptions.

VPC Service Controls supports the following products:

For more information, read aboutsupported and unsupported services.

Restricted VIP supported services

The restricted virtual IP (VIP) provides a way for VMs that are inside a service perimeter to make calls to Google Cloud services without exposing the requests to the internet. For a complete list of the services available on the restricted VIP, seeServices supported by the restricted VIP.

Unsupported services

Attempting to restrict an unsupported service using the gcloud command-line tool or the Access Context Manager API will result in an error.

Cross-project access to data of supported services will be blocked by VPC Service Controls. Additionally, the restricted VIP can be used to block the ability of workloads to call unsupported services.

Other known limitations

This section describes known limitations with certain Google Cloud services, products, and interfaces that can be encountered when using VPC Service Controls.

For limitations with products that are supported by VPC Service Controls, refer to the Supported Products table.

For more information about resolving issues with VPC Service Controls, refer to the Troubleshooting page.

AutoML API

When you use the AutoML API with VPC Service Controls, the following limitations apply:

• You cannot add the supported regional endpoints, such as eu-automl.googleapis.com, to the list of restricted services in a perimeter. When you protect the automl.googleapis.com service, the perimeter protects the supported regional endpoints, such as eu-automl.googleapis.com, as well.
• When you use a service perimeter to protectautoml.googleapis.com, access to all of the AutoML products that are integrated with VPC Service Controls and used inside the perimeter are impacted. You must configure your VPC Service Controls perimeter for all integrated AutoML products that are used inside that perimeter.
  To fully protect the AutoML API, include all of the following APIs in your perimeter:
  • AutoML API (automl.googleapis.com)
  • Cloud Storage API (storage.googleapis.com)
  • Compute Engine API (compute.googleapis.com)
  • BigQuery API (bigquery.googleapis.com)

App Engine

• App Engine (both standard environment and flexible environment) is not supported by VPC Service Controls. Don't include App Engine projects in service perimeters.
  However, it is possible to allow App Engine apps created in projects_outside_ service perimeters to read and write data to protected services_inside_ perimeters. To allow your app to access the data of protected services,create an access levelthat includes the project's App Engine service account. This does not enable App Engine to be used inside service perimeters.

Bare Metal Solution

• Connecting VPC Service Controls to your Bare Metal Solution environment doesn't uphold any service control guarantees.
• The Bare Metal Solution API can be added to a secure perimeter. However, the VPC Service Controls perimeters don't extend to the Bare Metal Solution environment in the regional extensions.

Blockchain Node Engine

• VPC Service Controls only protects the Blockchain Node Engine API. When a node is created, you must still indicate that it is meant for a user-configured private network withPrivate Service Connect.
• The peer-to-peer traffic is not affected by VPC Service Controls or Private Service Connect and will continue to use the public internet.

Client libraries

• Clients must use client libraries that have been updated as of November 1, 2018 or later.
• Service account keys or OAuth2 client metadata used by clients must be updated as of November 1, 2018 or later. Older clients using the token endpoint must change to the endpoint specified in newer key material or client metadata.

Cloud Billing

• VPC Service Controls doesn't support Cloud Billing. You can export Cloud Billing data to a Cloud Storage bucket or BigQuery instance in a project that is protected by a service perimeter without configuring an access level or ingress rule.

Cloud Deployment Manager

• Deployment Manager is not supported by VPC Service Controls. Users may be able to call into services that are compliant with VPC Service Controls, but they shouldn't rely on this because it might break.
• As a workaround, you can add the Deployment Manager service account (PROJECT_NUMBER@cloudservices.gserviceaccount.com) to the access levels to allow calls to APIs protected by VPC Service Controls.

Cloud Shell

VPC Service Controls doesn't support Cloud Shell. VPC Service Controls treats Cloud Shell as outside of service perimeters and denies access to data that VPC Service Controls protects. However, VPC Service Controls allows access to Cloud Shell if a device that meets theaccess level requirements of the service perimeter initiates Cloud Shell.

Gemini Cloud Assist

VPC Service Controls support for the Gemini Cloud Assist investigations (Preview) feature will be deprecated starting on April 13, 2026. This change will roll out over the course of one week. Access to Gemini Cloud Assist investigations (Preview) from within a VPC Service Controls perimeter is blocked. To continue using this feature, you must make requests from outside any VPC Service Controls perimeter. For more information, seeDeprecated VPC Service Controls support for Gemini Cloud Assist investigations.

Firebase

• If your project is within a perimeter that restricts apikeys.googleapis.com, enabling Firebase on the project results in a NO_MATCHING_ACCESS_LEVELviolation. To resolve this violation, create an ingress rulethat grants the Firebase service accountsaccess to apikeys.googleapis.com.

Google Cloud console

• Because the Google Cloud console is only accessible over the internet, it is treated as outside of service perimeters. When you apply a service perimeter, the Google Cloud console interface for the services that you protected may become partially or fully inaccessible. For example, if you protected Logging with the perimeter, you won't be able to access the Logging interface in the Google Cloud console.
  To allow access from the Google Cloud console to resources protected by a perimeter, you need to create an access level for a public IP range that includes the machines of users who want to use the Google Cloud console with protected APIs. For example, you could add the public IP range of the NAT gateway of your private network to an access level, and then assign that access level to the service perimeter.
  If you want to limit Google Cloud console access to the perimeter to only a specific set of users, you can also add those users to an access level. In that case, only the specified users would be able to access the Google Cloud console.
• Requests through Google Cloud console from a network that is Private Google Access enabled, including networks implicitly enabled by Cloud NAT, might be blocked even if the requesting source network and target resource are in the same perimeter. This is because Google Cloud console access through Private Google Access is not supported by VPC Service Controls.

Google Cloud metadata server

• For Compute EngineVM instances and GKEnodes, VPC Service Controls protection doesn't apply to the incoming traffic to or the outgoing traffic from Google Cloud metadata server.

Private services access

• Private services access supports deploying a service instance in aShared VPC network. If you use this configuration with VPC Service Controls, ensure that the host project that provides the network and the service project that contains the service instance are inside the same VPC Service Controls perimeter. Otherwise, requests might be blocked and service instances might not work correctly.
  For more information about services that support private services access, see Supported services.

GKE Multi-Cloud

• VPC Service Controls only applies to resources within your Google Cloud project. The third-party cloud environment that hosts your GKE Multi-Cloud clusters does not uphold any service control guarantees.

Google Distributed Cloud

• VPC Service Controls only applies to bare metal machines connected to VPC network projects that use Restricted VIP.
• OpenID Connect (OIDC) and Lightweight Directory Access Protocol (LDAP)services need to be in the same VPC Service Controls perimeter. The requests to external endpoints are blocked.

Migration Center

• After you enable the service perimeter, you can't transfer your infrastructure data to StratoZone.

Workforce Identity Federation

Workforce Identity Federation administrative features, including workforce pool configuration APIs don't support VPC Service Controls. However, Google Cloud products that support both Workforce Identity Federationand VPC Service Controls operate as documented and are subject to VPC Service Controls policy checks. Additionally, you can use third-party identitiessuch as workforce pool users and workload identities in the ingress or egress rules of VPC Service Controls.

For Security Token Service API requests where the audience is a Workforce Identity Federationpool (which is an organization-level resource), you must configure egress rules. This is necessary because VPC Service Controls does not support adding organization-level resources directly to perimeters. The following egress rules allow requests originating from the perimeter to reach the Workforce STS APIs that interact with organization-level Workforce pools:

- egressTo:
    operations:
      - serviceName: 'sts.googleapis.com'
        methodSelectors:
          - method: '*'
    resources:
      - '*'
  egressFrom:
    identityType: ANY_IDENTITY

What's next

• Troubleshoot common VPC Service Controls issues
• Troubleshoot common issues related to other Google Cloud services

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-06-16 UTC.