Protect Backup for GKE resources using VPC Service Controls
This page describes how to use VPC Service Controls to protect Backup for GKE
resources. For more information about VPC Service Controls, read the Overview of VPC Service Controls.
Before you begin
Ensure that you have the required IAM permissions to administer VPC Service Controls.
Create a service perimeter to protect Backup for GKE resources
1. In the Google Cloud console, go to the VPC Service Controls page.
2. If you are prompted, select your Organization.
3. On the VPC Service Controls page, click New Perimeter.
4. On the New VPC Service Perimeter page, in the Perimeter Name box,
   type a name for the perimeter.
5. Select the projects that you want to secure within the perimeter:
   1. Click Add Projects.
   2. In the Add Projects dialog, select the checkbox of each project you want to add to the perimeter.
   3. Click Add n Projects, where n is the number of projects you selected in the previous step.
6. Select Backup for GKE to secure within the perimeter:
   1. Click Add Services.
   2. In the Specify services to restrict dialog, select the Backup for GKE checkbox.
   3. Click Add Backup for GKE API.
7. Click Save.
You've created a service perimeter that restricts access to Backup for GKE
resources. The service perimeter may take up to 30 minutes to propagate and take
effect. When the changes have propagated, access to Backup for GKE is
limited for the projects you added to the perimeter. For example, no backup plan
or backup can be created from outside the perimeter unless an ingress rule explicitly allows it.
Details about how Backup for GKE works with service perimeters
1. If the perimeter's VPC accessible services restriction is enabled and Backup for GKE
   is not in its list of allowed services, backups and restores can fail even though you
   are able to create the backup or restore resource from the Google Cloud console or
   the gcloud CLI. This is because the Backup for GKE agent runs inside your GKE
   cluster, within the service perimeter, and must be able to reach the
   Backup for GKE API to perform the backup or restore.
2. To perform cross-project backups and restores successfully, the backup_project,
   cluster_project, and restore_project should be within the same VPC Service Controls perimeter.
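The console procedure above and the two points in this section, expressed with the gcloud CLI plus a check script. This is an added example and is not code from the original page or from Google; it only uses the documented flags of gcloud access-context-manager perimeters create and describe. The access policy ID, the perimeter name, the project numbers, and the two describe outputs are assumptions constructed for illustration; the real describe output is YAML with the same top-level keys, but its exact layout is an assumption here. The Backup for GKE API's service name is gkebackup.googleapis.com.

```shell
#!/bin/sh
# Added example (not from the original page): create the perimeter with gcloud
# and verify a saved describe output. Values below are assumptions.
set -e

SERVICE="gkebackup.googleapis.com"                 # Backup for GKE API service name
POLICY_ID="${POLICY_ID:-123456789012}"             # assumed access policy ID
PERIMETER="${PERIMETER:-gke-backup-perimeter}"     # assumed perimeter name
# Assumed project NUMBERS for backup_project, cluster_project and restore_project.
PROJECTS="${PROJECTS:-111111111111 222222222222 333333333333}"

# Turn project numbers into the --resources value: projects/N,projects/M,...
perimeter_resources() {
  out=""
  for p in "$@"; do out="${out:+$out,}projects/$p"; done
  printf '%s\n' "$out"
}

# gcloud equivalent of the console steps, plus the VPC accessible services
# setting so the in-cluster agent can still reach the Backup for GKE API.
create_perimeter() {
  gcloud access-context-manager perimeters create "$PERIMETER" \
    --policy="$POLICY_ID" \
    --title="$PERIMETER" \
    --perimeter-type=regular \
    --resources="$(perimeter_resources $PROJECTS)" \
    --restricted-services="$SERVICE" \
    --enable-vpc-accessible-services \
    --vpc-allowed-services="$SERVICE"
}

# check_perimeter FILE PROJECT_NUMBER...
# FILE holds the YAML printed by:
#   gcloud access-context-manager perimeters describe "$PERIMETER" --policy="$POLICY_ID"
# Exit 0 only if Backup for GKE is a restricted service, is allowed by the VPC
# accessible services list whenever that restriction is enabled, and every listed
# project is a perimeter resource; otherwise print what is missing and exit 1.
check_perimeter() {
  file="$1"; shift
  awk -v svc="$SERVICE" -v want="$*" '
    /^[[:space:]]*[A-Za-z]+:[[:space:]]*$/ {          # a key that opens a list or map
      sub(/^[[:space:]]*/, ""); sub(/:.*/, ""); key = $0; next }
    /^[[:space:]]*- / {                               # list item under the current key
      sub(/^[[:space:]]*- /, ""); seen[key, $0] = 1; next }
    /^[[:space:]]*enableRestriction:/ { enabled = ($2 == "true") }
    END {
      rc = 0
      if (!seen["restrictedServices", svc]) { print "missing: " svc " in restrictedServices"; rc = 1 }
      if (enabled && !seen["allowedServices", svc]) {
        print "missing: " svc " in vpcAccessibleServices.allowedServices (restriction enabled)"; rc = 1 }
      n = split(want, p, " ")
      for (i = 1; i <= n; i++)
        if (!seen["resources", "projects/" p[i]]) { print "missing: projects/" p[i] " in resources"; rc = 1 }
      exit rc
    }' "$file"
}

# Constructed sample (not real gcloud output): the failure mode from this section.
# VPC accessible services is enabled but omits Backup for GKE, and the restore
# project is not in the perimeter.
sample_missing() {
  cat <<EOF
name: accessPolicies/$POLICY_ID/servicePerimeters/$PERIMETER
status:
  resources:
  - projects/111111111111
  - projects/222222222222
  restrictedServices:
  - $SERVICE
  vpcAccessibleServices:
    enableRestriction: true
    allowedServices:
    - storage.googleapis.com
title: $PERIMETER
EOF
}

# Constructed sample of a perimeter that satisfies both points in this section.
sample_complete() {
  cat <<EOF
name: accessPolicies/$POLICY_ID/servicePerimeters/$PERIMETER
status:
  resources:
  - projects/111111111111
  - projects/222222222222
  - projects/333333333333
  restrictedServices:
  - $SERVICE
  vpcAccessibleServices:
    enableRestriction: true
    allowedServices:
    - $SERVICE
title: $PERIMETER
EOF
}

case "${1:-}" in
  --apply) create_perimeter ;;                       # needs gcloud and the IAM permissions
  --check) check_perimeter "$2" $PROJECTS ;;         # $2 = saved describe output
esac
```

Run it with --apply to create the perimeter, then save the describe output to a file and run it with --check FILE; a perimeter whose VPC accessible services restriction is disabled passes the second check, because in that case the agent's calls are not filtered.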
Last updated 2025-09-04 UTC.