# Configure VPC Service Controls

[MySQL](/sql/docs/mysql/admin-api/configure-service-controls) | PostgreSQL | [SQL Server](/sql/docs/sqlserver/admin-api/configure-service-controls)

Last updated 2025-08-14 UTC.

This page describes how to enable VPC Service Controls on a Cloud SQL
project. Before you begin, review [Overview of VPC Service Controls](/vpc-service-controls/docs/overview).
Also review the [Cloud SQL limitations when using VPC Service Controls](/vpc-service-controls/docs/supported-products#cloud_sql_admin_api).

Before you begin
----------------

- Sign in to your Google Cloud account. If you're new to Google Cloud,
  [create an account](https://console.cloud.google.com/freetrial) to evaluate
  how our products perform in real-world scenarios. New customers also get
  $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create
  a Google Cloud project.

  | **Note:** If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

  [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)
- [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).

1. Enable the Compute Engine API.

   [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=compute)
2. Enable the Service Networking API.

   [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=servicenetworking)
3. Add the [Identity and Access Management (IAM) roles](/vpc-service-controls/docs/access-control#required_roles)
   to the user or service account you are using to set up and administer
   VPC Service Controls. See
   [IAM Roles for Administering VPC Service Controls](https://cloud.google.com/vpc-service-controls/docs/access-control).
4. Review [limitations](/vpc-service-controls/docs/supported-products#cloud_sql_admin_api)
   when using VPC Service Controls with Cloud SQL.
5. Optionally, add an organization policy that restricts public IP on
   instances in projects that use that policy. See
   [Connection organization policies](/sql/docs/postgres/connection-org-policy) and
   [Configuring the organization policy](/sql/docs/postgres/configure-org-policy#configuring_the_organization_policy).

### Configure the Virtual Private Cloud (VPC) network

Perform the steps in [Setting up private connectivity to Google APIs and services](/vpc-service-controls/docs/set-up-private-connectivity).

| **Note:** If you're using [Shared VPC](/vpc/docs/shared-vpc), we recommend that you include the [host project](/vpc-service-controls/docs/troubleshooting#shared_vpc) in a service perimeter along with any projects that belong to the Shared VPC.

Disallow or disable public IP for Cloud SQL instances
-----------------------------------------------------

To constrain data within the VPC for your Cloud SQL project,
do not allow connections to Cloud SQL instances from public IPs. IP-based
connections bypass VPC Service Controls. You must also disable public IP for new
and existing Cloud SQL instances within the VPC.

To either disallow or disable public IP on Cloud SQL instances:

- Organization administrators can apply organization policies that disallow
  creating new instances with public IP. See
  [Configure the organization policy](/sql/docs/postgres/configure-org-policy#configuring_the_organization_policy).
- Users who create Cloud SQL instances can configure the instances to use
  private IP instead of public IP. See
  [Disable public IP](/sql/docs/mysql/configure-ip#disable-public).
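Because IP-based connections bypass the perimeter, the first thing to verify is that no existing instance still holds a public address. The following audit is an added example, not code from the Cloud SQL documentation: it reads the JSON that `gcloud sql instances list --format=json` prints (here a constructed sample with placeholder names and addresses) and flags any instance whose `ipv4Enabled` setting is on or whose address list contains a `PRIMARY` (public) entry. For each exposed instance it builds the `gcloud sql instances patch ... --no-assign-ip` command that removes the public address; an instance with no `privateNetwork` configured gets a `--network=VPC_NETWORK` placeholder in the same command, because dropping the public IP without a private network would leave it unreachable.

```python
import json

# Constructed sample shaped like the output of
# `gcloud sql instances list --format=json`, trimmed to the fields this check
# reads. Instance names, addresses and the network path are placeholders.
SAMPLE_INSTANCES_JSON = """
[
  {
    "name": "orders-db",
    "ipAddresses": [
      {"type": "PRIMARY", "ipAddress": "203.0.113.10"},
      {"type": "PRIVATE", "ipAddress": "10.20.0.5"}
    ],
    "settings": {
      "ipConfiguration": {
        "ipv4Enabled": true,
        "privateNetwork": "projects/example-project/global/networks/example-vpc"
      }
    }
  },
  {
    "name": "analytics-db",
    "ipAddresses": [
      {"type": "PRIVATE", "ipAddress": "10.20.0.9"}
    ],
    "settings": {
      "ipConfiguration": {
        "ipv4Enabled": false,
        "privateNetwork": "projects/example-project/global/networks/example-vpc"
      }
    }
  },
  {
    "name": "legacy-db",
    "ipAddresses": [
      {"type": "PRIMARY", "ipAddress": "198.51.100.7"}
    ],
    "settings": {"ipConfiguration": {"ipv4Enabled": true}}
  }
]
"""


def has_public_ip(instance: dict) -> bool:
    """Flag public exposure from two independent fields: the setting that
    allocates a public IPv4 address, and any PRIMARY (public) entry in the
    instance's address list. PRIVATE entries are VPC addresses."""
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    if ip_cfg.get("ipv4Enabled", False):
        return True
    return any(a.get("type") == "PRIMARY" for a in instance.get("ipAddresses", []))


def has_private_network(instance: dict) -> bool:
    """True when the instance is attached to a VPC network for private IP."""
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    return bool(ip_cfg.get("privateNetwork"))


def audit(instances_json: str) -> dict:
    """Group instances by exposure; lists keep the listing order."""
    report = {"public": [], "private_only": [], "no_private_network": []}
    for inst in json.loads(instances_json):
        name = inst["name"]
        if has_public_ip(inst):
            report["public"].append(name)
        else:
            report["private_only"].append(name)
        if not has_private_network(inst):
            report["no_private_network"].append(name)
    return report


def remediation_commands(instances_json: str) -> list:
    """One gcloud command per exposed instance. `--no-assign-ip` removes the
    public address; an instance without a private network must be attached
    to one in the same patch (`--network`) or it becomes unreachable.
    VPC_NETWORK is a placeholder for the operator to fill in."""
    cmds = []
    for inst in json.loads(instances_json):
        if not has_public_ip(inst):
            continue
        flags = "--no-assign-ip"
        if not has_private_network(inst):
            flags = "--network=VPC_NETWORK " + flags
        cmds.append(f"gcloud sql instances patch {inst['name']} {flags}")
    return cmds


if __name__ == "__main__":
    for section, names in audit(SAMPLE_INSTANCES_JSON).items():
        print(f"{section}: {names}")
    for cmd in remediation_commands(SAMPLE_INSTANCES_JSON):
        print(cmd)
```

Run it against real output by piping `gcloud sql instances list --format=json` into `audit`; the organization policy step above is still what prevents new public-IP instances from appearing after the audit.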
Create a service perimeter
--------------------------

During this procedure, you select the Cloud SQL projects that you want the
VPC service perimeter to protect.

| **Note:** Sometimes, a Cloud SQL instance enabled with CMEK has the KMS key hosted in a different cloud project. For this scenario, when you enable VPC-SC, you must add the KMS key hosting project to the security perimeter.

To create a service perimeter, follow the instructions in
[Creating a service perimeter](/vpc-service-controls/docs/create-service-perimeters).

### Add more instances to the service perimeter

To add existing Cloud SQL projects to the perimeter, follow the instructions
in [Updating a service perimeter](/vpc-service-controls/docs/manage-service-perimeters#updating_a_service_perimeter).

### Add the Cloud SQL and Cloud Storage APIs to the service perimeter

To mitigate the risk of your data being exfiltrated from Cloud SQL, for
example, using Cloud SQL import or export APIs, you must restrict both the
**Google Cloud SQL Admin API** *and* the **Google Cloud Storage API**.

| **Note:** You can only import or export data from a Cloud Storage bucket that is in a project that resides in the same service perimeter as Cloud SQL.

To add Cloud SQL and Cloud Storage APIs as restricted services:

### Console

1. In the Google Cloud console navigation menu, click **Security**, and then
   click **VPC Service Controls**.

   [Go to the VPC Service Controls page](https://console.cloud.google.com/security/service-perimeter)
2. On the **VPC Service Controls** page, in the table, click the name of
   the service perimeter that you want to modify.
3. Click **EDIT**.
4. On the **Edit VPC Service Perimeter** page, click **ADD SERVICES**.
5. Add **Cloud SQL Admin API** and **Cloud Storage API**.
6. Click **Save**.

### gcloud

```bash
gcloud access-context-manager perimeters update PERIMETER_ID \
    --policy=POLICY_ID \
    --add-restricted-services=sqladmin.googleapis.com,storage.googleapis.com
```

Where:

- `PERIMETER_ID` is the ID of the perimeter or the fully qualified identifier for the perimeter.
- `POLICY_ID` is the ID of the access policy.

For reference information, see [`access-context-manager perimeters update`](/sdk/gcloud/reference/alpha/access-context-manager/perimeters/update).

Create an access level
----------------------

Optionally, to permit external access to protected resources inside a perimeter,
you can use *access levels*. Access levels apply only to requests for protected
resources coming from outside the service perimeter. You can't use access levels
to give protected resources or VMs permission to access data and services
outside the perimeter.

See [Allowing access to protected resources from outside a perimeter](/vpc-service-controls/docs/use-access-levels).
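A perimeter that restricts only one of the two APIs, or that leaves the import/export bucket project or the CMEK key project outside, does not give the protection the "Add the Cloud SQL and Cloud Storage APIs" section above describes. The following check is an added example, not code from the Cloud SQL documentation or the gcloud CLI: it parses the JSON that `gcloud access-context-manager perimeters describe PERIMETER_ID --policy=POLICY_ID --format=json` prints (a constructed sample here, with placeholder policy, perimeter and project numbers), compares the enforced `status.restrictedServices` and `status.resources` against what the notes above require, and assembles the single `perimeters update` call that closes every gap using the `--add-restricted-services` and `--add-resources` flags. The required-project map is an assumption standing in for your own inventory.

```python
import json

# Both APIs the page says must be restricted together: an export needs the
# Cloud SQL Admin API and a Cloud Storage bucket, so restricting only one
# leaves a path out of the perimeter.
REQUIRED_SERVICES = ("sqladmin.googleapis.com", "storage.googleapis.com")

# Constructed sample shaped like
# `gcloud access-context-manager perimeters describe PERIMETER_ID --policy=POLICY_ID --format=json`.
# The policy number, perimeter name and project numbers are placeholders.
SAMPLE_PERIMETER_JSON = """
{
  "name": "accessPolicies/000000000000/servicePerimeters/cloudsql_perimeter",
  "title": "cloudsql_perimeter",
  "perimeterType": "PERIMETER_TYPE_REGULAR",
  "status": {
    "resources": ["projects/111111111111", "projects/222222222222"],
    "restrictedServices": ["sqladmin.googleapis.com"],
    "accessLevels": []
  }
}
"""

# Projects that must sit inside the same perimeter (constructed inventory):
# the Cloud SQL projects, the project owning the import/export bucket, and
# the project hosting the CMEK key, per the notes in this page.
REQUIRED_PROJECTS = {
    "projects/111111111111": "cloud-sql-prod",
    "projects/222222222222": "cloud-sql-staging",
    "projects/333333333333": "import-export-bucket-project",
    "projects/444444444444": "cmek-key-project",
}


def check_perimeter(perimeter_json: str, required_projects: dict) -> dict:
    """Compare the enforced perimeter config against the required services
    and projects. `status` holds the enforced config; a dry-run `spec` is
    deliberately ignored because it does not block anything."""
    perimeter = json.loads(perimeter_json)
    status = perimeter.get("status", {})
    restricted = set(status.get("restrictedServices", []))
    resources = set(status.get("resources", []))
    missing_services = [s for s in REQUIRED_SERVICES if s not in restricted]
    missing_projects = [p for p in required_projects if p not in resources]
    # name is accessPolicies/POLICY_ID/servicePerimeters/PERIMETER_ID
    name_parts = perimeter["name"].split("/")
    return {
        "perimeter": name_parts[-1],
        "policy": name_parts[1],
        "missing_services": missing_services,
        "missing_projects": missing_projects,
        "ok": not missing_services and not missing_projects,
    }


def remediation_command(perimeter_json: str, required_projects: dict):
    """Build the one `perimeters update` call that closes every gap found,
    or return None when the perimeter already satisfies the checks."""
    result = check_perimeter(perimeter_json, required_projects)
    if result["ok"]:
        return None
    parts = [
        f"gcloud access-context-manager perimeters update {result['perimeter']}",
        f"--policy={result['policy']}",
    ]
    if result["missing_services"]:
        parts.append("--add-restricted-services=" + ",".join(result["missing_services"]))
    if result["missing_projects"]:
        parts.append("--add-resources=" + ",".join(result["missing_projects"]))
    return " \\\n    ".join(parts)


if __name__ == "__main__":
    report = check_perimeter(SAMPLE_PERIMETER_JSON, REQUIRED_PROJECTS)
    print(json.dumps(report, indent=2))
    cmd = remediation_command(SAMPLE_PERIMETER_JSON, REQUIRED_PROJECTS)
    print(cmd if cmd else "perimeter satisfies all checks")
```

On the sample the check reports `storage.googleapis.com` as unrestricted and the bucket and KMS projects as outside the perimeter, and the generated command adds all three in one update. Run it periodically against the live `describe` output: a perimeter that was correct when created drifts as soon as someone adds a new export bucket project or a new key ring project.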