Protect repositories in a service perimeter

VPC Service Controls improves your ability to mitigate the risk of unauthorized copying or transfer of data from Google-managed services.

With VPC Service Controls, you can configure security perimeters around the resources of your Google-managed services and control the movement of data across the perimeter boundary.

Using Artifact Registry with VPC Service Controls

If you are using Artifact Registry and Google Kubernetes Engine private clusters in a project within a service perimeter, you can access container images inside the service perimeter as well as Google-provided images.

Cached Docker Hub images stored on are not included in the service perimeter unless an egress rule is added to allow egress to the Artifact Registry Docker cache that hosts

To use within a service perimeter, add the following egress rule:

- egressTo:
    - serviceName:
      - method:
    - projects/342927644502
    identityType: ANY_IDENTITY

For more details about ingress and egress rules, see Ingress and egress rules.

You can access Artifact Registry using the IP addresses for the default Google APIs and services domains, or using these special IP addresses:

  • (
  • (

For details about these options, see Configuring Private Google Access. For an example configuration that uses (, see the documentation for registry access with a virtual IP.

Ensure that Google Cloud services that need to access Artifact Registry are also in the service perimeter, including Binary Authorization, Artifact Analysis, and runtime environments such as Google Kubernetes Engine and Cloud Run. See the list of supported services for details about each service.

For general instructions to add Artifact Registry to a service perimeter, see Creating a service perimeter.

Using Artifact Analysis with VPC Service Controls

To learn how to add Artifact Analysis to your perimeter, see the securing Artifact Analysis in a service perimeter.