# Configure VPC Service Controls

Last updated 2025-08-25 UTC.

This page describes how to configure Database Center with
VPC Service Controls, a Google Cloud feature to secure data and resources.

VPC Service Controls helps mitigate the risk of data exfiltration from
Database Center instances. You can use VPC Service Controls
to create service perimeters that protect the resources and data of
services that you explicitly specify.

For a general overview of VPC Service Controls, its security benefits, and its
capabilities across supported products, see
[Overview of VPC Service Controls](/vpc-service-controls/docs/overview).

Before you begin
----------------

Before you begin, review [Overview of VPC Service Controls](/vpc-service-controls/docs/overview)
and
[Database Center limitations when using VPC Service Controls](/vpc-service-controls/docs/supported-products#table_database_center_api).
Then, complete the following steps to make sure you have the correct permissions to
use VPC Service Controls.

1. In the Google Cloud console, go to the **Project Selector** page.

   [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)
2. Select or [create a Google Cloud project](/resource-manager/docs/creating-managing-projects).

   **Note:** If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.
3. Make sure that billing is enabled for your Google Cloud project. Learn how to [check if billing is enabled on a project](/billing/docs/how-to/verify-billing-enabled).
4. Enable the Compute Engine API.

   [Enable the Compute Engine API](https://console.cloud.google.com/apis/enableflow?apiid=compute.googleapis.com)
5. Enable the Service Networking API.

   [Enable the Service Networking API](https://console.cloud.google.com/apis/enableflow?apiid=servicenetworking.googleapis.com)
6. Add the [Identity and Access Management (IAM) roles](/vpc-service-controls/docs/access-control#required_roles) to the user or service account you are using to set up and administer VPC Service Controls. For more information, see [IAM Roles for Administering VPC Service Controls](/vpc-service-controls/docs/access-control).
7. Review [limitations](/vpc-service-controls/docs/supported-products#table_database_center_api) when using VPC Service Controls with Database Center.

How to secure Database Center service using VPC Service Controls
----------------------------------------------------------------

Configuring VPC Service Controls for a Database Center project includes
the following steps:

1. [Create and manage a service perimeter](#create-manage-perimeters).

   First, you select the Database Center project that you want
   the service perimeter to protect, and then you create and manage the service
   perimeter.
2. [Create and manage access levels](#create-manage-access-levels).

   Optionally, to permit external access to protected resources inside a
   perimeter, you can use access levels. Access levels apply only to requests
   for protected resources coming from outside the service perimeter. You can't
   use access levels to give protected resources or VMs permission to access
   data and services outside the perimeter.

Create and manage a service perimeter
-------------------------------------

To create and manage a service perimeter, complete the following steps:

1. Select the Database Center project that you want the service
   perimeter to protect.

2. Create a service perimeter by following the instructions in
   [Creating a service perimeter](/vpc-service-controls/docs/create-service-perimeters).

3. Add more instances to the service perimeter. To add existing
   Database Center instances to the perimeter, follow the
   instructions in
   [Updating a service perimeter](/vpc-service-controls/docs/manage-service-perimeters#update).

4. Add APIs to the service perimeter. To mitigate the risk of your data being
   exfiltrated from Database Center, you must restrict
   Database Center API, Compute Engine API, Cloud Storage
   API, Container Registry API, Certificate Authority Service API, and Cloud KMS
   API. For more information, see
   [`access-context-manager perimeters update`](/sdk/gcloud/reference/access-context-manager/perimeters/update).

   To add APIs as restricted services, complete the following steps:

   ### Console

   1. In the Google Cloud console, go to the **VPC Service Controls** page.

      [Go to VPC Service Controls](https://console.cloud.google.com/projectselector2/security/service-perimeter)
   2. In the **VPC Service Controls** page, in the table, click the name of the service perimeter that you want to modify.
   3. Click **Edit**.
   4. In the **Edit VPC Service Perimeter** page, click **Add Services**.
   5. Select **Database Center** (`databasecenter.googleapis.com`).
   6. Click **Save**.

   ### gcloud

   ```
   gcloud access-context-manager perimeters update PERIMETER_ID \
     --policy=POLICY_ID \
     --add-restricted-services=databasecenter.googleapis.com
   ```

   - `PERIMETER_ID`: The ID of the perimeter or the fully qualified identifier for the perimeter.
   - `POLICY_ID`: The ID of the access policy.

Create and manage access levels
-------------------------------

To create and manage access levels, follow the instructions in
[Allowing access to protected resources from outside a perimeter](/vpc-service-controls/docs/use-access-levels).
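Step 4 of "Create and manage a service perimeter" names six APIs to restrict, while the gcloud command on this page adds only `databasecenter.googleapis.com`. The following check is an added example, not part of the original documentation: it compares a perimeter's restricted-services list with all six and prints the update that closes any gap. Only `databasecenter.googleapis.com` is spelled out on this page; the other five service names are assumptions to verify against the supported-products list, and the perimeter ID, policy ID and sample input are constructed.

```shell
#!/usr/bin/env bash
# Added example: audit a perimeter's restricted services against the six APIs
# that step 4 says must be restricted.

# databasecenter.googleapis.com comes from this page; the other five names are
# assumed API names for the products listed in step 4 (verify before use).
REQUIRED_SERVICES="databasecenter.googleapis.com
compute.googleapis.com
storage.googleapis.com
containerregistry.googleapis.com
privateca.googleapis.com
cloudkms.googleapis.com"

# missing_services CURRENT
# CURRENT: restricted services separated by newlines, commas, semicolons or spaces.
# Prints each required service that is absent, one per line.
missing_services() {
  current=$(printf '%s\n' "$1" | tr ',; ' '\n\n\n' | sed '/^$/d')
  for svc in $REQUIRED_SERVICES; do
    # -F -x: exact whole-line match, so a longer name ending in
    # "storage.googleapis.com" does not count as Cloud Storage.
    printf '%s\n' "$current" | grep -Fxq "$svc" || printf '%s\n' "$svc"
  done
}

# fix_command PERIMETER_ID POLICY_ID CURRENT
# Prints the gcloud update that adds the missing services, or nothing if
# the perimeter already restricts all six.
fix_command() {
  missing=$(missing_services "$3" | paste -sd, -)
  if [ -z "$missing" ]; then
    return 0
  fi
  printf 'gcloud access-context-manager perimeters update %s --policy=%s --add-restricted-services=%s\n' \
    "$1" "$2" "$missing"
}

# Constructed sample: a perimeter that restricts only two of the six services.
SAMPLE="databasecenter.googleapis.com;storage.googleapis.com"
fix_command my_perimeter 1234567890 "$SAMPLE"

# Against a live perimeter (needs gcloud and read access to the policy):
# CURRENT=$(gcloud access-context-manager perimeters describe PERIMETER_ID \
#   --policy=POLICY_ID --format='value(status.restrictedServices)')
# fix_command PERIMETER_ID POLICY_ID "$CURRENT"
```

Review the printed command before running it; the script itself changes nothing.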