Stay organized with collectionsSave and categorize content based on your preferences.
VPC Service Controls helps you reduce the risk of unauthorized copying or transfer
of data from your Google-managed services.
With VPC Service Controls, you can configure service perimeters around the
resources of your Google-managed services and control the movement of data
across the perimeter boundary.
When you specify which services you want to restrict, make sure to add all of the
following services:
VMMigration API (vmmigration.googleapis.com)
Pub/Sub API (pubsub.googleapis.com)
Cloud Storage API (storage.googleapis.com)
Cloud Logging API (logging.googleapis.com)
Secret Manager API (secretmanager.googleapis.com)
Compute Engine API (compute.googleapis.com)
Your service perimeter must restrict all these services in order for
Migrate to Virtual Machines to work with VPC Service Controls.
You should ensure the project in which you enabled the VMMigration API with the
Target Projects are included in the perimeter.
Configure your Migrate Connector in a VPC-SC enabled environment
In an environment that employs VPC-SC, you need to make sure that your Migrate
Connector can communicate with the Google Cloud APIs.
You can allow your Migrate Connector to access the VPC-SC environment using
several methods. Your available methods depend on the configuration of the
VPC-SC environment and whether your Migrate Connector network traffic is
routed privately or publicly:
If your Migrate Connector network traffic is routed to
Google Cloud using VPN or interconnect to the project VPC-SC, see
theVPC-SC private connectivitydocumentation.
If your Migrate Connector network traffic is routed using a public
network, see theVPC-SC overviewdocumentation.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Secure your migrations in a service perimeter\n\nVPC Service Controls helps you reduce the risk of unauthorized copying or transfer\nof data from your Google-managed services.\n\nWith VPC Service Controls, you can configure service perimeters around the\nresources of your Google-managed services and control the movement of data\nacross the perimeter boundary.\n\nCreate a service perimeter\n--------------------------\n\nTo create a service perimeter, follow the\n[VPC Service Controls guide to creating a service perimeter](/vpc-service-controls/docs/create-service-perimeters).\n\nWhen you specify which services you want to restrict, make sure to add all of the\nfollowing services:\n\n- VMMigration API (`vmmigration.googleapis.com`)\n- Pub/Sub API (`pubsub.googleapis.com`)\n- Cloud Storage API (`storage.googleapis.com`)\n- Cloud Logging API (`logging.googleapis.com`)\n- Secret Manager API (`secretmanager.googleapis.com`)\n- Compute Engine API (`compute.googleapis.com`)\n\nYour service perimeter must restrict all these services in order for\nMigrate to Virtual Machines to work with VPC Service Controls.\n\nYou should ensure the project in which you enabled the VMMigration API with the\nTarget Projects are included in the perimeter.\n\nConfigure your Migrate Connector in a VPC-SC enabled environment\n----------------------------------------------------------------\n\nIn an environment that employs VPC-SC, you need to make sure that your Migrate\nConnector can communicate with the Google Cloud APIs.\n\nYou can allow your Migrate Connector to access the VPC-SC environment using\nseveral methods. Your available methods depend on the configuration of the\nVPC-SC environment and whether your Migrate Connector network traffic is\nrouted privately or publicly:\n\n- If your Migrate Connector network traffic is routed to Google Cloud using VPN or interconnect to the project VPC-SC, see the [VPC-SC private connectivity](/vpc-service-controls/docs/private-connectivity) documentation.\n- If your Migrate Connector network traffic is routed using a public network, see the [VPC-SC overview](/vpc-service-controls/docs/overview#internet) documentation."]]
