VPC Service Controls is a Google Cloud feature that lets you set up a
service perimeter and create a data transfer boundary. You can use
VPC Service Controls with Eventarc to help protect your
services.
We recommend that you protect all services when creating a service perimeter.
Eventarc Advanced
- An Eventarc Advanced bus outside of a service perimeter can't
  receive events from Google Cloud projects inside the perimeter. An
  Eventarc Advanced bus inside of a perimeter can't route events to
  a consumer outside of the perimeter.
  - To publish to an Eventarc Advanced bus, the source of an
    event must be inside the same service perimeter as the bus.
  - To consume a message, an event consumer must be inside the same service
    perimeter as the bus.
- You can verify VPC Service Controls support for the Enrollment,
  GoogleApiSource, MessageBus, and Pipeline resources by viewing platform
  logs on ingress.
Eventarc Standard
- In projects protected by a service perimeter, Eventarc Standard
  is bound by the same limitations as Pub/Sub:
  - When routing events to Cloud Run destinations, you can only
    create new Pub/Sub push subscriptions when the push
    endpoints are set to Cloud Run services with default
    run.app URLs. Custom domains don't work.
  - When routing events to Workflows destinations
    for which the Pub/Sub push endpoint is set to a
    Workflows execution, you can only create new
    Pub/Sub push subscriptions through Eventarc.
    Note that the service account used for push authentication for the
    Workflows endpoint must be included in the service
    perimeter.
- VPC Service Controls blocks the creation of Eventarc
  triggers for internal HTTP endpoints.
  VPC Service Controls protection does not apply when routing events to
  such destinations.
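The limitations in both sections can be checked before deployment. The following is an added example, not Google's code: the project IDs, the perimeter name `prod`, the inventory and the function names are constructed, and treating a service account as "included in the perimeter" when its project is in the perimeter is an assumption of this sketch.

```python
from urllib.parse import urlparse

# Constructed inventory: project ID -> perimeter name (None = not in any perimeter).
PERIMETER_OF = {"bus-proj": "prod", "src-proj": "prod", "ext-proj": None}

def check_advanced(bus, sources, consumers, perimeter_of=PERIMETER_OF):
    """Eventarc Advanced: every source and consumer must share the bus's perimeter."""
    findings = []
    for role, projects in (("source", sources), ("consumer", consumers)):
        for p in projects:
            # Unknown projects are treated as outside any perimeter.
            if perimeter_of.get(p) != perimeter_of.get(bus):
                findings.append(f"{role} {p} is not in the same perimeter as bus {bus}")
    return findings

def check_standard(trigger_project, dest_kind, endpoint=None, push_sa_project=None,
                   perimeter_of=PERIMETER_OF):
    """Eventarc Standard: apply the Pub/Sub push limitations to one planned trigger."""
    perimeter = perimeter_of.get(trigger_project)
    if perimeter is None:
        return []  # project is not protected; these limitations do not apply
    if dest_kind == "internal_http":
        return ["trigger creation for internal HTTP endpoints is blocked"]
    if dest_kind == "cloud_run":
        # Compare the parsed hostname, not a substring: "a.run.app.example.com" must fail.
        host = (urlparse(endpoint or "").hostname or "").lower()
        if not host.endswith(".run.app"):
            return [f"push endpoint {host!r} is not a default run.app URL"]
    if dest_kind == "workflows" and perimeter_of.get(push_sa_project) != perimeter:
        return [f"push service account project {push_sa_project} "
                f"is outside perimeter {perimeter}"]
    return []

if __name__ == "__main__":
    print(check_advanced("bus-proj", ["src-proj"], ["ext-proj"]))
    print(check_standard("bus-proj", "cloud_run", "https://events.example.com/hook"))
```
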
Note: Eventarc Standard handles event delivery using Pub/Sub topics and push subscriptions. To access the Pub/Sub API and manage event triggers, the Eventarc API must be protected within the same VPC Service Controls service perimeter as the Pub/Sub API.

Last updated 2025-08-25 UTC.