Container Registry is deprecated. Effective March 18, 2025, Container Registry is shut down and writing images to Container Registry is unavailable. For more information about the Container Registry deprecation and how to migrate to Artifact Registry, see Container Registry deprecation.
Securing Container Registry in a service perimeter
Stay organized with collections
Save and categorize content based on your preferences.
VPC Service Controls improves your
ability to mitigate the risk of unauthorized copying or transfer of data
from Google-managed services.
With VPC Service Controls, you can configure security perimeters around the
resources of your Google-managed services and control the movement of data
across the perimeter boundary.
Using Container Registry with VPC Service Controls
If you are using Container Registry and Google Kubernetes Engine private clusters in a
project within a service perimeter, you can access container images inside the
service perimeter as well as Google-provided images.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eVPC Service Controls helps prevent unauthorized data copying or transfer from Google-managed services.\u003c/p\u003e\n"],["\u003cp\u003eSecurity perimeters can be configured around resources, controlling data movement across the boundaries.\u003c/p\u003e\n"],["\u003cp\u003eContainer Registry within a service perimeter allows access to container images inside the perimeter and Google-provided images.\u003c/p\u003e\n"],["\u003cp\u003eContainer Registry can be accessed via default Google APIs/services domains or special IP addresses like \u003ccode\u003e199.36.153.4/30\u003c/code\u003e (\u003ccode\u003erestricted.googleapis.com\u003c/code\u003e) and \u003ccode\u003e199.36.153.8/30\u003c/code\u003e (\u003ccode\u003eprivate.googleapis.com\u003c/code\u003e).\u003c/p\u003e\n"],["\u003cp\u003eArtifact Analysis can be added to your perimeter to be secured within the VPC service.\u003c/p\u003e\n"]]],[],null,["# Securing Container Registry in a service perimeter\n\n[VPC Service Controls](/vpc-service-controls/docs/overview) improves your\nability to mitigate the risk of unauthorized copying or transfer of data\nfrom Google-managed services.\n\nWith VPC Service Controls, you can configure security perimeters around the\nresources of your Google-managed services and control the movement of data\nacross the perimeter boundary.\n\nUsing Container Registry with VPC Service Controls\n--------------------------------------------------\n\nIf you are using Container Registry and Google Kubernetes Engine private clusters in a\nproject within a service perimeter, you can access container images inside the\nservice perimeter as well as [Google-provided images](/vpc-service-controls/docs/supported-products#registry).\n\nYou can access Container Registry using the\n[IP addresses for the default Google APIs and services domains](/vpc/docs/configure-private-google-access#ip-addr-defaults),\nor using these special IP addresses:\n\n- `199.36.153.4/30` (`restricted.googleapis.com`)\n- `199.36.153.8/30` (`private.googleapis.com`)\n\nFor details about these options, see\n[Configuring Private Google Access](/vpc/docs/configure-private-google-access#config). For an example\nconfiguration that uses `199.36.153.4/30` (`restricted.googleapis.com`),\nsee the documentation for [registry access with a virtual IP](/vpc-service-controls/docs/set-up-gke).\n\nFor general instructions to add Container Registry to a service perimeter,\nsee [Creating a service perimeter](/vpc-service-controls/docs/create-service-perimeters).\n\nUsing Artifact Analysis with VPC Service Controls\n-------------------------------------------------\n\nTo learn how to add Artifact Analysis to your perimeter,\nsee the [securing Artifact Analysis in a service\nperimeter](/container-analysis/docs/aa-vpc-sc-service-perimeter)."]]
