# Protect repositories in a service perimeter

[VPC Service Controls](/vpc-service-controls/docs/overview) improves your
ability to mitigate the risk of unauthorized copying or transfer of data
from Google Cloud-managed services.

With VPC Service Controls, you can configure security perimeters around the
resources of your Google Cloud-managed services and control the movement of data
across the perimeter boundary.

Using Artifact Registry with VPC Service Controls
-------------------------------------------------

If you are using Artifact Registry and Google Kubernetes Engine private clusters in a
project within a service perimeter, you can access container images inside the
service perimeter as well as [Google Cloud-provided images](/vpc-service-controls/docs/supported-products#artifacts).
Cached Docker Hub images stored on `mirror.gcr.io` are not included in the
service perimeter unless an egress rule is added to allow egress to the
Artifact Registry Docker cache that hosts `mirror.gcr.io`.

To use `mirror.gcr.io` within a service perimeter, add the following egress
rule:

```yaml
- egressTo:
    operations:
    - serviceName: artifactregistry.googleapis.com
      methodSelectors:
      - method: artifactregistry.googleapis.com/DockerRead
    resources:
    - projects/342927644502
  egressFrom:
    identityType: ANY_IDENTITY
```

To learn about ingress and egress rules, see
[Ingress and egress rules](/vpc-service-controls/docs/ingress-egress-rules#egress-rules-reference).

You can access Artifact Registry using the
[IP addresses for the default Google APIs and services domains](/vpc/docs/configure-private-google-access#ip-addr-defaults),
or using these special IP addresses:

- `199.36.153.4/30` (`restricted.googleapis.com`)
- `199.36.153.8/30` (`private.googleapis.com`)

For details about these options, see
[Configuring Private Google Access](/vpc/docs/configure-private-google-access#config). For an example
configuration that uses `199.36.153.4/30` (`restricted.googleapis.com`),
see the documentation for [registry access with a virtual IP](/vpc-service-controls/docs/set-up-gke).

Ensure that Google Cloud services that need to access Artifact Registry are also in
the service perimeter, including Binary Authorization, Artifact Analysis,
and runtime environments such as Google Kubernetes Engine and Cloud Run. See the
list of [supported services](/vpc-service-controls/docs/supported-products) for
details about each service.

For general instructions to add Artifact Registry to a service perimeter,
see [Creating a service perimeter](/vpc-service-controls/docs/create-service-perimeters).

### Access images in `gcr.io` repositories

To access images in Artifact Registry `gcr.io` repositories, when setting
ingress or egress policies, use the identity type **ANY_IDENTITY**. You can't
use the identity types **ANY_SERVICE_ACCOUNT** or **ANY_USER_ACCOUNT** for images
in the `gcr.io` domain.

Using Artifact Analysis with VPC Service Controls
-------------------------------------------------

To learn how to add Artifact Analysis to your perimeter,
see [Securing Artifact Analysis in a service
perimeter](/artifact-analysis/docs/aa-vpc-sc-service-perimeter).
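The two requirements above (an `ANY_IDENTITY` egress rule for `DockerRead` to the `mirror.gcr.io` cache project, and no `ANY_SERVICE_ACCOUNT` / `ANY_USER_ACCOUNT` identity types on Artifact Registry policies that are meant to cover `gcr.io`-domain images) are easy to get wrong and silent when wrong: pulls just fail with a VPC Service Controls denial. The following audit script is an added example, not Google's code and not part of this page. It assumes you have exported a perimeter's `status` block (the shape `gcloud access-context-manager perimeters describe` returns, with `restrictedServices`, `egressPolicies` and `ingressPolicies`) to JSON; the sample perimeter embedded below is constructed for illustration and deliberately contains both mistakes. Treating `"*"` in `resources` or `method` as a wildcard is an assumption of this script.

```python
"""Audit a VPC Service Controls perimeter for the Artifact Registry rules on this page.

Added example; assumes a perimeter `status` block exported to JSON.
"""
import json

AR_SERVICE = "artifactregistry.googleapis.com"
DOCKER_READ = "artifactregistry.googleapis.com/DockerRead"
# Project hosting the Artifact Registry Docker cache behind mirror.gcr.io
# (value taken from the egress rule on this page).
MIRROR_CACHE_PROJECT = "projects/342927644502"

# Constructed sample perimeter: Artifact Registry is restricted, the mirror.gcr.io
# egress rule uses the wrong identity type, and a gcr.io ingress rule uses ANY_USER_ACCOUNT.
SAMPLE_PERIMETER_JSON = """
{
  "name": "accessPolicies/EXAMPLE_POLICY/servicePerimeters/example_perimeter",
  "status": {
    "resources": ["projects/111111111111"],
    "restrictedServices": ["artifactregistry.googleapis.com", "containeranalysis.googleapis.com"],
    "egressPolicies": [
      {"egressFrom": {"identityType": "ANY_SERVICE_ACCOUNT"},
       "egressTo": {"operations": [{"serviceName": "artifactregistry.googleapis.com",
                                    "methodSelectors": [{"method": "artifactregistry.googleapis.com/DockerRead"}]}],
                    "resources": ["projects/342927644502"]}}
    ],
    "ingressPolicies": [
      {"ingressFrom": {"identityType": "ANY_USER_ACCOUNT"},
       "ingressTo": {"operations": [{"serviceName": "artifactregistry.googleapis.com",
                                     "methodSelectors": [{"method": "*"}]}],
                     "resources": ["*"]}}
    ]
  }
}
"""


def load_perimeter(text):
    """Parse an exported perimeter (JSON text) into a dict."""
    return json.loads(text)


def _op_allows_docker_read(op):
    """True if an operation entry covers DockerRead on Artifact Registry ("*" assumed to be a wildcard)."""
    if op.get("serviceName") != AR_SERVICE:
        return False
    methods = {sel.get("method") for sel in op.get("methodSelectors", [])}
    return DOCKER_READ in methods or "*" in methods


def _egress_reaches_mirror_cache(policy):
    """True if the egressTo side names the mirror cache project and permits DockerRead."""
    to = policy.get("egressTo", {})
    resources = to.get("resources", [])
    reaches = MIRROR_CACHE_PROJECT in resources or "*" in resources
    return reaches and any(_op_allows_docker_read(op) for op in to.get("operations", []))


def has_mirror_gcr_egress(status):
    """True if some egress rule lets ANY_IDENTITY do DockerRead against the mirror.gcr.io cache."""
    return any(
        policy.get("egressFrom", {}).get("identityType") == "ANY_IDENTITY"
        and _egress_reaches_mirror_cache(policy)
        for policy in status.get("egressPolicies", [])
    )


def artifact_registry_is_restricted(status):
    """True if Artifact Registry is among the perimeter's restricted services."""
    return AR_SERVICE in status.get("restrictedServices", [])


def gcr_identity_type_findings(status):
    """Artifact Registry policies whose identity type cannot match gcr.io-domain images."""
    findings = []
    for kind, from_key, to_key in (("egress", "egressFrom", "egressTo"),
                                   ("ingress", "ingressFrom", "ingressTo")):
        for i, policy in enumerate(status.get(f"{kind}Policies", [])):
            ops = policy.get(to_key, {}).get("operations", [])
            if not any(op.get("serviceName") == AR_SERVICE for op in ops):
                continue
            ident = policy.get(from_key, {}).get("identityType")
            if ident in ("ANY_SERVICE_ACCOUNT", "ANY_USER_ACCOUNT"):
                findings.append(f"{kind}Policies[{i}]: identityType {ident} "
                                "does not cover gcr.io-domain images; use ANY_IDENTITY")
    return findings


def audit_perimeter(perimeter):
    """Return a list of human-readable findings; an empty list means the checks pass."""
    status = perimeter.get("status", {})
    findings = []
    if not artifact_registry_is_restricted(status):
        findings.append(f"{AR_SERVICE} is not in restrictedServices")
    if not has_mirror_gcr_egress(status):
        findings.append("no ANY_IDENTITY egress rule for DockerRead to "
                        f"{MIRROR_CACHE_PROJECT}; mirror.gcr.io pulls will be blocked")
    findings.extend(gcr_identity_type_findings(status))
    return findings


if __name__ == "__main__":
    for finding in audit_perimeter(load_perimeter(SAMPLE_PERIMETER_JSON)):
        print("FINDING:", finding)
```

Run it against your own export instead of the constructed sample by passing the file contents to `load_perimeter`. The sample yields three findings: the egress rule carries `ANY_SERVICE_ACCOUNT` rather than `ANY_IDENTITY`, so `mirror.gcr.io` stays outside the perimeter, and both the egress and the ingress policy use an identity type the page says cannot match `gcr.io`-domain images. Changing the egress rule's identity type to `ANY_IDENTITY` clears the first two findings; the ingress policy must be fixed separately.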