VPC Service Controls is a Google Cloud feature that lets you set up a service perimeter that creates a data transfer boundary around Google Cloud resources. VPC Service Controls adds a layer of protection for your App Hub resources, for example by mitigating the risk of data exfiltration. Using VPC Service Controls, you can add projects to service perimeters that protect applications, services, and workloads from requests that cross the perimeter.
App Hub resources are exposed on the apphub.googleapis.com API, which lets you perform operations such as creating and deleting applications, services, and workloads. You set up VPC Service Controls for App Hub by restricting connectivity to this API surface: a request to apphub.googleapis.com that crosses the perimeter boundary is denied unless an ingress or egress rule or access level allows it.
We recommend that you protect all App Hub resources when creating a service perimeter.
App Hub supports the following resource types:
- Application
- Discovered service
- Discovered workload
- Service
- Service project attachment (only for applications managed by a host project)
- Workload
Applications in a management project
When you enable the App Hub API for a single-project or folder-level boundary, the system enables the required APIs for application management in the management project.
After the management project is created, you can also enable recommended APIs that provide more application-centric features.
To include the management project in a service perimeter, create or update your service perimeter so that the management project and the enabled APIs are included in the perimeter.
For applications in a folder boundary, VPC Service Controls restrictions apply only to App Hub interactions in the management project. App Hub can read application data and discover services and workloads for all descendant projects of the app-enabled folder, even if those projects are not in the same perimeter as the management project. A perimeter around the management project therefore governs calls to apphub.googleapis.com, not the placement of the descendant projects themselves.
To learn about which APIs are required and recommended, see Required and recommended APIs.
Applications managed by a host project
For legacy host projects, you can only attach a service project if the host project and service project are in the same perimeter. The check happens at attachment time only: if you move a previously attached service project outside the perimeter, the service project's resources remain accessible until you detach the service project from the host project.
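The two placement requirements above (the management project and its APIs inside the perimeter, and a legacy host project and each attached service project inside the same perimeter) are easy to drift out of as projects move between perimeters. The following audit script is an added example, not Google's or App Hub's own tooling. It works on the ServicePerimeter JSON that `gcloud access-context-manager perimeters list --policy=POLICY_ID --format=json` prints, where `status` holds the enforced configuration (a dry-run configuration lives in `spec` and is not checked here). The perimeter names, project numbers, and the list of required APIs passed to the check are constructed sample values; substitute the required and recommended APIs from the linked page for your environment.

```python
"""Audit VPC Service Controls perimeters for App Hub placement rules.

Added example, not Google's own tooling. Input is the JSON printed by
`gcloud access-context-manager perimeters list --policy=POLICY_ID --format=json`.
"""
import json

APP_HUB_API = "apphub.googleapis.com"

# Constructed sample output (assumed shape of the ServicePerimeter resource).
SAMPLE_PERIMETERS_JSON = json.dumps([
    {
        "name": "accessPolicies/123456789/servicePerimeters/apphub_perimeter",
        "title": "App Hub perimeter",
        "perimeterType": "PERIMETER_TYPE_REGULAR",
        "status": {
            "resources": ["projects/111111111111", "projects/222222222222"],
            "restrictedServices": ["apphub.googleapis.com"],
        },
    },
    {
        "name": "accessPolicies/123456789/servicePerimeters/other_perimeter",
        "title": "Unrelated perimeter",
        "perimeterType": "PERIMETER_TYPE_REGULAR",
        "status": {
            "resources": ["projects/333333333333"],
            "restrictedServices": ["storage.googleapis.com"],
        },
    },
])


def load_perimeters(raw_json):
    """Map perimeter name -> (resources, restricted services) from gcloud JSON.

    Bridge perimeters carry no restrictedServices and do not enforce an API
    boundary, so they are skipped.
    """
    perimeters = {}
    for p in json.loads(raw_json):
        if p.get("perimeterType") == "PERIMETER_TYPE_BRIDGE":
            continue
        status = p.get("status", {})
        perimeters[p["name"]] = (
            set(status.get("resources", [])),
            set(status.get("restrictedServices", [])),
        )
    return perimeters


def perimeter_of(perimeters, project_number):
    """Return the name of the perimeter containing projects/<number>, or None."""
    resource = f"projects/{project_number}"
    for name, (resources, _) in perimeters.items():
        if resource in resources:
            return name
    return None


def check_management_project(perimeters, mgmt_project, required_apis=(APP_HUB_API,)):
    """Management-project rule: the project sits in a perimeter, and every API
    App Hub uses there is in that perimeter's restrictedServices."""
    findings = []
    name = perimeter_of(perimeters, mgmt_project)
    if name is None:
        findings.append(f"projects/{mgmt_project} is in no perimeter")
        return findings
    _, restricted = perimeters[name]
    for api in required_apis:
        if api not in restricted:
            findings.append(f"{name} does not restrict {api}")
    return findings


def check_host_attachments(perimeters, host_project, service_projects):
    """Legacy host-project rule: each attached service project must be in the
    host's perimeter. A service project moved out after attachment stays
    reachable until detached, so it is reported as a finding."""
    findings = []
    host_perimeter = perimeter_of(perimeters, host_project)
    if host_perimeter is None:
        findings.append(f"host projects/{host_project} is in no perimeter")
    for sp in service_projects:
        sp_perimeter = perimeter_of(perimeters, sp)
        if sp_perimeter != host_perimeter:
            findings.append(
                f"service projects/{sp} (perimeter {sp_perimeter}) is not in the "
                f"host's perimeter ({host_perimeter}); detach it or move it back"
            )
    return findings


if __name__ == "__main__":
    perimeters = load_perimeters(SAMPLE_PERIMETERS_JSON)
    for f in check_management_project(perimeters, "111111111111"):
        print("FINDING:", f)
    for f in check_host_attachments(perimeters, "111111111111",
                                    ["222222222222", "333333333333"]):
        print("FINDING:", f)
```

Run it against real output by piping `gcloud access-context-manager perimeters list --policy=POLICY_ID --format=json` into `load_perimeters` instead of the sample string. Only `status` is consulted because that is what VPC Service Controls enforces; a perimeter that exists only as a dry-run `spec` offers no protection yet.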
What's next
- To learn more about VPC Service Controls, see the overview and supported products and limitations.
- For best practices for enabling VPC Service Controls, see Best practices for enabling VPC Service Controls.
- For best practices for designing service perimeters, see Design and architect service perimeters.
- To set up a service perimeter, see Create a service perimeter.

