Secure your migrations in a service perimeter

VPC Service Controls helps you reduce the risk of unauthorized copying or transfer of data from your Google-managed services.

With VPC Service Controls, you can configure service perimeters around the resources of your Google-managed services and control the movement of data across the perimeter boundary.

Create a service perimeter

To create a service perimeter, follow the VPC Service Controls guide to creating a service perimeter.

When you specify which services you want to restrict, make sure to add all of the following services:

  • VMMigration API (
  • Pub/Sub API (
  • Cloud Storage API (
  • Cloud Logging API (
  • Secret Manager API (
  • Compute Engine API (

Your service perimeter must restrict all these services in order for Migrate to Virtual Machines to work with VPC Service Controls.

You should ensure the project in which you enabled the VMMigration API with the Target Projects are included in the perimeter.

Configure your Migrate Connector in a VPC-SC enabled environment

In an environment that employs VPC-SC, you need to make sure that your Migrate Connector can communicate with the Google Cloud APIs.

You can allow your Migrate Connector to access the VPC-SC environment using several methods. Your available methods depend on the configuration of the VPC-SC environment and whether your Migrate Connector network traffic is routed privately or publicly:

  • If your Migrate Connector network traffic is routed to Google Cloud using VPN or interconnect to the project VPC-SC, see the VPC-SC private connectivity documentation.
  • If your Migrate Connector network traffic is routed using a public network, see the VPC-SC overview documentation.