# VPC Service Controls for Cloud Service Mesh (Managed)

> **Note:** This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information, see [Cloud Service Mesh overview](/service-mesh/v1.25/docs/overview).

Cloud Service Mesh (Managed) supports [VPC Service Controls](/vpc-service-controls)
as a generally available (GA) feature for new control planes.

To check whether your control plane supports VPC Service Controls GA, check the mesh feature
state of your membership for the `VPCSC_GA_SUPPORTED` condition:

```bash
gcloud container fleet mesh describe --project FLEET_PROJECT_ID
```

The output is similar to:

```yaml
(...)
membershipStates:
  projects/FLEET_PROJECT_NUMBER/locations/MEMBERSHIP_LOCATION/memberships/MEMBERSHIP_ID:
    servicemesh:
      conditions:
      - code: VPCSC_GA_SUPPORTED
        details: This control plane supports VPC Service Controls GA.
        documentationLink: http://cloud.google.com/service-mesh/v1.25/docs/managed/VPC Service Controls
        severity: INFO
(...)
```

If you have an existing control plane that does not report the
`VPCSC_GA_SUPPORTED` condition and want to rely on VPC Service Controls, contact support.

Before you begin
----------------

The VPC Service Controls org-policy and service perimeter are configured at the
[organization level](/resource-manager/docs/cloud-platform-resource-hierarchy).
Ensure that you have been granted the
[proper roles for administering VPC Service Controls](/vpc-service-controls/docs/access-control).

Set up your VPC Service Controls service perimeter
--------------------------------------------------

Create or update your [service perimeter](/vpc-service-controls/docs/service-perimeters):

1. [Add your cluster project(s) and fleet project](/vpc-service-controls/docs/manage-service-perimeters#update) to the service perimeter. Having a service mesh spread across multiple VPC Service Controls
   perimeters is not supported.

2. Add restricted services to the service perimeter.

   You must add specific services to the allowed and restricted services lists in
   the service perimeter so that your Cloud Service Mesh cluster can access them.
   Access to these services is also restricted within your cluster's
   Virtual Private Cloud (VPC) network.

   Not adding these services may cause the Cloud Service Mesh installation to fail or
   not function properly. For example, if you don't add the
   **Mesh Configuration API** to the service perimeter, the installation will fail
   and the workloads won't receive their Envoy configuration from the managed
   control plane.

   ### Console

   1. Follow the steps in [Updating a service perimeter](/vpc-service-controls/docs/manage-service-perimeters#update) to edit the perimeter.
   2. Open the **Edit VPC Service Perimeter** page.
   3. Under **Restricted Services**, **Services to protect**, click **Add Services**.
   4. In the **Specify services to restrict** dialog, click **Filter services** and enter **Mesh Configuration API**.
   5. Select the service's checkbox.
   6. Click **Add Mesh Configuration API**.
   7. Repeat steps 3 through 6 to add:
      - **Cloud Service Mesh Certificate Authority API**
      - **GKE Hub API**
      - **Cloud IAM API**
      - **Cloud Monitoring API**
      - **Cloud Trace API**
      - **Google Cloud Resource Manager API**
      - **Google Compute Engine API**
      - **Google Container Registry API**
      - **Artifact Registry API**
      - **Google Cloud Storage API**
      - **Cloud Logging API**
      - **Security Token Service API**
   8. Click **Save**.

   ### gcloud

   To update the list of restricted services, use the `update` command and
   specify the services to add as a comma-delimited list:

   ```bash
   gcloud access-context-manager perimeters update PERIMETER_NAME \
     --add-restricted-services=meshconfig.googleapis.com,meshca.googleapis.com,gkehub.googleapis.com,iam.googleapis.com,monitoring.googleapis.com,cloudtrace.googleapis.com,cloudresourcemanager.googleapis.com,compute.googleapis.com,containerregistry.googleapis.com,artifactregistry.googleapis.com,storage.googleapis.com,logging.googleapis.com,sts.googleapis.com \
     --policy=POLICY_NAME
   ```

   Where:

   - `PERIMETER_NAME` is the name of the service perimeter that you want to update.
   - `POLICY_NAME` is the numeric name of your organization's access policy. For example, `330193482019`.

3. Under **VPC Accessible services**, select **All restricted services**, so that the services restricted in the previous step remain reachable from within the VPC Service Controls perimeter.

4. Unless you are installing Cloud Service Mesh from an in-perimeter network, add an
   ingress rule to allow the identity running the `asmcli` command access to the
   service perimeter.

   For more information, see
   [Updating a service perimeter](/vpc-service-controls/docs/manage-service-perimeters#update).

Install the managed Cloud Service Mesh in a VPC Service Controls perimeter
--------------------------------------------------------------------------

Follow the steps on the
[Configure managed Cloud Service Mesh](/service-mesh/v1.25/docs/managed/provision-managed-anthos-service-mesh)
page.
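Before running the installation, a useful pre-flight check is to compare the perimeter you configured against the service list above. The script below is an added example, not part of this page or the Cloud Service Mesh tooling; it assumes you feed it the JSON from `gcloud access-context-manager perimeters describe PERIMETER_NAME --policy=POLICY_NAME --format=json`, whose `status.restrictedServices` and `status.vpcAccessibleServices` fields follow the Access Context Manager ServicePerimeter resource as I know it, and the sample perimeter in it is constructed.

```python
import json
import sys

# Services the page requires in the perimeter (same set as the gcloud command above).
REQUIRED_SERVICES = {
    "meshconfig.googleapis.com", "meshca.googleapis.com", "gkehub.googleapis.com",
    "iam.googleapis.com", "monitoring.googleapis.com", "cloudtrace.googleapis.com",
    "cloudresourcemanager.googleapis.com", "compute.googleapis.com",
    "containerregistry.googleapis.com", "artifactregistry.googleapis.com",
    "storage.googleapis.com", "logging.googleapis.com", "sts.googleapis.com",
}

def missing_restricted_services(perimeter):
    """Required services absent from the perimeter's enforced restricted-services list."""
    return REQUIRED_SERVICES - set(perimeter.get("status", {}).get("restrictedServices", []))

def vpc_accessible_all_restricted(perimeter):
    """True when VPC accessible services is enabled and set to all restricted services.
    Field layout is an assumption based on the ServicePerimeter resource."""
    vas = perimeter.get("status", {}).get("vpcAccessibleServices", {})
    return bool(vas.get("enableRestriction")) and "RESTRICTED-SERVICES" in vas.get("allowedServices", [])

def check_perimeter(perimeter):
    """Findings for the perimeter; an empty list means both checks pass."""
    findings = []
    missing = missing_restricted_services(perimeter)
    if missing:
        findings.append("missing restricted services: " + ", ".join(sorted(missing)))
    if not vpc_accessible_all_restricted(perimeter):
        findings.append("VPC accessible services is not set to all restricted services")
    return findings

# Constructed sample (not real output): the Mesh Configuration API was left out and
# VPC accessible services was never enabled, so in-VPC workloads would be cut off.
SAMPLE = {
    "name": "accessPolicies/330193482019/servicePerimeters/mesh-perimeter",
    "status": {
        "resources": ["projects/123456789012"],
        "restrictedServices": sorted(REQUIRED_SERVICES - {"meshconfig.googleapis.com"}),
        "vpcAccessibleServices": {"enableRestriction": False, "allowedServices": []},
    },
}

if __name__ == "__main__":
    # Pipe in real output: gcloud access-context-manager perimeters describe PERIMETER_NAME \
    #   --policy=POLICY_NAME --format=json | python3 check_perimeter.py
    perimeter = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for finding in check_perimeter(perimeter) or ["perimeter passes both checks"]:
        print(finding)
```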
After installation,
[verify the control plane has been successfully provisioned](/service-mesh/v1.25/docs/managed/provision-managed-anthos-service-mesh#verify_the_control_plane_has_been_provisioned)
and confirm that there are no VPC Service Controls related errors.

Troubleshooting
---------------

### Cannot create cluster with the latest GKE 1.22 image

There is a known issue preventing the creation of a cluster with the latest
1.22 image in a VPC Service Controls restricted environment. The workaround is to create the
cluster first with the default GKE channel image, and then upgrade the image:

```bash
gcloud container clusters create CLUSTER \
  --region REGION \
  --release-channel=rapid \
  --workload-pool=PROJECT_ID.svc.id.goog \
  --project PROJECT_ID
```

```bash
gcloud container clusters upgrade CLUSTER \
  --region REGION \
  --master --cluster-version 1.22 \
  --project PROJECT_ID
```

### Containers are not able to download their images

This may happen if the images are located outside of the service perimeter.
Either move the images to a bucket located inside the perimeter, or update the
perimeter to add an egress rule. Typically, the egress rule allows selected
identities to access the **Container Registry API**, **Artifact Registry API**,
and **Cloud Storage API**.

### The Status field of the `ControlPlaneRevision` CRD displays VPC Service Controls errors

Run this command to get more information about the error:

```bash
gcloud logging read --project=PROJECT_ID \
  'protoPayload.metadata.@type=type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata'
```

Where:

- `PROJECT_ID` is the project ID of the project encountering errors.
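To turn that log output into a quick picture of which services and identities the perimeter is blocking, and whether they are mesh dependencies from the list above or unrelated workloads, here is an added example script (not part of this page or the Cloud Service Mesh tooling). It assumes you add `--format=json` to the `gcloud logging read` command and that entries carry `protoPayload.serviceName`, `protoPayload.authenticationInfo.principalEmail` and `protoPayload.metadata.violationReason`, which is the VPC Service Controls audit-log shape as I know it; the sample entries are constructed.

```python
import json
import sys
from collections import Counter

# Services the page requires in the perimeter; a denial on one of these points at an
# incomplete perimeter rather than at an unrelated workload.
MESH_SERVICES = {
    "meshconfig.googleapis.com", "meshca.googleapis.com", "gkehub.googleapis.com",
    "iam.googleapis.com", "monitoring.googleapis.com", "cloudtrace.googleapis.com",
    "cloudresourcemanager.googleapis.com", "compute.googleapis.com",
    "containerregistry.googleapis.com", "artifactregistry.googleapis.com",
    "storage.googleapis.com", "logging.googleapis.com", "sts.googleapis.com",
}
VPCSC_TYPE = "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"

def summarize_denials(entries):
    """Group VPC Service Controls denials. Each row is
    (service, principal, violation_reason, count, is_mesh_dependency), most frequent first."""
    counts = Counter()
    for entry in entries:
        pp = entry.get("protoPayload", {})
        meta = pp.get("metadata", {})
        if meta.get("@type") != VPCSC_TYPE:
            continue  # skip audit entries that are not VPC Service Controls records
        key = (pp.get("serviceName", "?"),
               pp.get("authenticationInfo", {}).get("principalEmail", "?"),
               meta.get("violationReason", "?"))
        counts[key] += 1
    return [(svc, who, why, n, svc in MESH_SERVICES)
            for (svc, who, why), n in counts.most_common()]

def _entry(service, principal, reason, vpcsc=True):
    """Build a constructed log entry carrying only the fields the summary reads."""
    meta = {"@type": VPCSC_TYPE, "violationReason": reason} if vpcsc else {}
    return {"protoPayload": {"serviceName": service, "metadata": meta,
                             "authenticationInfo": {"principalEmail": principal}}}

# Constructed sample: two Mesh Configuration API denials for the installing identity,
# one unrelated BigQuery denial, and one ordinary (non-VPC-SC) audit entry.
SAMPLE_ENTRIES = [
    _entry("meshconfig.googleapis.com", "installer@example.com", "NO_MATCHING_ACCESS_LEVEL"),
    _entry("meshconfig.googleapis.com", "installer@example.com", "NO_MATCHING_ACCESS_LEVEL"),
    _entry("bigquery.googleapis.com", "analyst@example.com", "NO_MATCHING_ACCESS_LEVEL"),
    _entry("meshca.googleapis.com", "installer@example.com", "", vpcsc=False),
]

if __name__ == "__main__":
    # Pipe in real output: gcloud logging read ... --format=json | python3 triage.py
    entries = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ENTRIES
    for svc, who, why, n, mesh in summarize_denials(entries):
        print(f"{n:3d}  {svc:36s} {who:28s} {why}  [{'mesh dependency' if mesh else 'unrelated'}]")
```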