Stay organized with collections
Save and categorize content based on your preferences.
This page provides an overview of VPC Service Controls,
a Google Cloud feature that integrates with AlloyDB
to secure data and resources.
VPC Service Controls helps mitigate the risk of data
exfiltration from AlloyDB instances. You can use VPC Service Controls
to create service perimeters that protect the resources and data of
services that you explicitly specify.
For a general overview of VPC Service Controls, its security benefits, and its
capabilities across Google Cloud products, see
Overview of VPC Service Controls.
Before you begin
In the Google Cloud console, go to the Project Selector page.
Optionally, to permit external access to protected resources inside a perimeter,
you can use access levels. Access levels apply only to requests for protected
resources coming from outside the service perimeter. You can't use access levels
to give protected resources or VMs permission to access data and services
outside the perimeter.
Create and manage a service perimeter
To create and manage a service perimeter, complete the following steps:
Select the AlloyDB project that you want the VPC service perimeter
to protect.
Add more instances to the service perimeter. To add existing AlloyDB
instances to the perimeter, follow the instructions in Updating a service perimeter.
Add APIs to the service perimeter. To mitigate the risk of your data being
exfiltrated from AlloyDB, you must restrict AlloyDB
API, Compute Engine API, Cloud Storage API, Container Registry API,
Certificate Authority Service API, and Cloud KMS API. For more information, see access-context-manager perimeters update.
To add APIs as restricted services:
Console
In the Google Cloud console, go to the VPC Service Controls page.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eVPC Service Controls is a Google Cloud feature that enhances security for AlloyDB by mitigating data exfiltration risks through the creation of service perimeters.\u003c/p\u003e\n"],["\u003cp\u003eSetting up VPC Service Controls for AlloyDB involves selecting the AlloyDB project, creating a service perimeter, and optionally, configuring access levels for external access.\u003c/p\u003e\n"],["\u003cp\u003eTo effectively secure data, the service perimeter should include restrictions on AlloyDB API, Compute Engine API, Cloud Storage API, Container Registry API, Certificate Authority Service API, and Cloud KMS API.\u003c/p\u003e\n"],["\u003cp\u003eIf enhanced query insights are enabled, the \u003ccode\u003edatabaseinsights.googleapis.com\u003c/code\u003e API must also be added to the service perimeter as a restricted service.\u003c/p\u003e\n"]]],[],null,["# Configure VPC Service Controls\n\nThis page provides an overview of VPC Service Controls,\na Google Cloud feature that integrates with AlloyDB\nto secure data and resources.\n\nVPC Service Controls helps mitigate the risk of data\nexfiltration from AlloyDB instances. You can use VPC Service Controls\nto create service perimeters that protect the resources and data of\nservices that you explicitly specify.\n\nFor a general overview of VPC Service Controls, its security benefits, and its\ncapabilities across Google Cloud products, see\n[Overview of VPC Service Controls](/vpc-service-controls/docs/overview).\n\nBefore you begin\n----------------\n\n1. In the Google Cloud console, go to the **Project Selector** page.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n2. Select or [create a Google Cloud project](/resource-manager/docs/creating-managing-projects). **Note:** If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n3. Make sure that billing is enabled for your Google Cloud project. Learn how to [check if billing is enabled on a project](/billing/docs/how-to/verify-billing-enabled).\n4. Enable the Compute Engine API. [Enable the Compute Engine API](https://console.cloud.google.com/apis/enableflow?apiid=compute.googleapis.com)\n\n5. Enable the Service Networking API. [Enable the Service Networking API](https://console.cloud.google.com/apis/enableflow?apiid=servicenetworking.googleapis.com)\n\n6. Add the [Identity and Access Management (IAM) roles](/vpc-service-controls/docs/access-control#required_roles) to the user or service account that you're using to set up and administer VPC Service Controls. For more information, see [IAM roles for administering VPC Service Controls](/vpc-service-controls/docs/access-control).\n7. Review [limitations](/vpc-service-controls/docs/supported-products#table_alloydb_api) when you use VPC Service Controls with AlloyDB.\n\nHow to secure AlloyDB service using VPC Service Controls\n--------------------------------------------------------\n\nBefore you begin, review [Overview of VPC Service Controls](/vpc-service-controls/docs/overview)\nand [AlloyDB limitations when using VPC Service Controls](/vpc-service-controls/docs/supported-products#table_alloydb).\n\nConfiguring VPC Service Controls for an AlloyDB project includes\nthe following steps:\n\n1. [Create and manage a service perimeter](#create-manage-perimeters).\n\n First, you select the AlloyDB project that you want the VPC\n service perimeter to protect, and then you create and manage the service\n perimeter.\n2. [Create and manage access levels](#create-manage-access-levels).\n\n Optionally, to permit external access to protected resources inside a perimeter,\n you can use access levels. Access levels apply only to requests for protected\n resources coming from outside the service perimeter. You can't use access levels\n to give protected resources or VMs permission to access data and services\n outside the perimeter.\n\nCreate and manage a service perimeter\n-------------------------------------\n\nTo create and manage a service perimeter, complete the following steps:\n\n1. Select the AlloyDB project that you want the VPC service perimeter\n to protect.\n\n2. Create a service perimeter by following the instructions in\n [Creating a service perimeter](/vpc-service-controls/docs/create-service-perimeters).\n\n3. Add more instances to the service perimeter. To add existing AlloyDB\n instances to the perimeter, follow the instructions in [Updating a service perimeter](/vpc-service-controls/docs/manage-service-perimeters#updating_a_service_perimeter).\n\n4. Add APIs to the service perimeter. To mitigate the risk of your data being\n exfiltrated from AlloyDB, you must restrict AlloyDB\n API, Compute Engine API, Cloud Storage API, Container Registry API,\n Certificate Authority Service API, and Cloud KMS API. For more information, see [access-context-manager perimeters update](/sdk/gcloud/reference/access-context-manager/perimeters/update).\n\n To add APIs as restricted services: \n\n ### Console\n\n 1. In the Google Cloud console, go to the **VPC Service Controls** page.\n\n [Go to VPC Service Controls](https://console.cloud.google.com/projectselector2/security/service-perimeter)\n 2. In the **VPC Service Controls** page, in the table, click the name of the service perimeter that you want to modify.\n 3. Click **Edit**.\n 4. In the **Edit VPC Service Perimeter** page, click **Add Services**.\n 5. Add **AlloyDB API** , **Compute Engine API** , **Cloud Storage API** , **Container Registry API** , **Certificate Authority Service API** , and **Cloud KMS API**.\n 6. Click **Save**.\n\n ### gcloud\n\n ```\n gcloud access-context-manager perimeters update PERIMETER_ID \\\n --policy=POLICY_ID \\\n --add-restricted-services=alloydb.googleapis.com,compute.googleapis.com,storage.googleapis.com,\n containerregistry.googleapis.com,privateca.googleapis.com,cloudkms.googleapis.com\n ```\n - \u003cvar translate=\"no\"\u003ePERIMETER_ID\u003c/var\u003e: The ID of the perimeter or the fully qualified identifier for the perimeter.\n - \u003cvar translate=\"no\"\u003ePOLICY_ID\u003c/var\u003e: The ID of the access policy.\n5. If you [enabled enhanced query insights](/alloydb/docs/using-enhanced-query-insights#enable-enhanced-query-insights), add the `databaseinsights.googleapis.com` API to the service perimeter as a restricted service:\n\n ### Console\n\n 1. In the Google Cloud console, go to the **VPC Service Controls** page.\n\n [Go to VPC Service Controls](https://console.cloud.google.com/projectselector2/security/service-perimeter)\n 2. In the **VPC Service Controls** page, in the table, click the name of the service perimeter that you want to modify.\n 3. Click **Edit**.\n 4. In the **Edit VPC Service Perimeter** page, click **Add Services**.\n 5. Add **databaseinsights.googleapis.com**.\n 6. Click **Save**.\n\n ### gcloud\n\n ```\n gcloud access-context-manager perimeters update PERIMETER_ID \\\n --policy=POLICY_ID \\\n --add-restricted-services=databaseinsights.googleapis.com\n ```\n - \u003cvar translate=\"no\"\u003ePERIMETER_ID\u003c/var\u003e: The ID of the perimeter or the fully qualified identifier for the perimeter.\n - \u003cvar translate=\"no\"\u003ePOLICY_ID\u003c/var\u003e: The ID of the access policy.\n\nCreate and manage access levels\n-------------------------------\n\nTo create and manage access levels, follow the instructions in\n[Allowing access to protected resources from outside a perimeter](/vpc-service-controls/docs/use-access-levels)."]]
