VPC Service Controls with VMware Engine
To further protect your Google Cloud VMware Engine resources, you can place them
inside a VPC Service Controls service perimeter.
VPC Service Controls lets you define a security perimeter for your VMware Engine
resources. The service perimeter limits exporting and importing of resources and
their associated data to within the defined perimeter. Google recommends
creating your service perimeter and adding VMware Engine to the Restricted
Services before creating your first Private Cloud.
When you create a service perimeter, you select one or more projects to be
protected by the perimeter. Requests between projects within the same perimeter
remain unaffected. All existing APIs continue to function as long as the
resources involved are within the same service perimeter. Note that IAM
roles and policies still apply within a service perimeter: the perimeter
restricts data movement across its boundary, it does not replace IAM.
When a service is protected by a perimeter, requests cannot be made by the
service inside the perimeter to any resource outside the perimeter. This
includes exporting resources from inside to outside the perimeter. For more
information, see Overview in the
VPC Service Controls documentation.
In order to ensure VPC Service Controls works for VMware Engine, you
must add the VMware Engine service to the Restricted Services within
VPC Service Controls.
Limitations
When you add existing VMware Engine resources (Private Clouds, Network
Policies, and VPC Peering) to a VPC Service Controls perimeter, Google does not
re-check those previously created resources against the perimeter's policies.
Review existing peerings, external IP services, and workload internet access
yourself before relying on the perimeter, because it will not flag them.
Expected behaviors
- Creating VPC Peering to a VPC outside of the perimeter is blocked.
- Use of the VMware Engine workload internet access service is blocked.
- Use of the External IP address service is blocked.
- Only the restricted Google APIs IPs are available: 199.36.153.4/30.
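Because only the restricted Google APIs range is reachable from inside the perimeter, a quick sanity check from a workload in the private cloud is to resolve a Google API hostname and confirm every answer falls inside 199.36.153.4/30; any other address means DNS is not steering traffic to the restricted VIP and those requests will fail. The following script is an added example, not part of the VMware Engine documentation. It assumes nothing beyond a POSIX shell; the sample DNS answers at the bottom are constructed so it also runs offline, and the `dig` invocation in the comment is the live equivalent.

```shell
#!/bin/sh
# Added example (not from the VMware Engine docs): checks that DNS answers for a
# Google API hostname fall inside the restricted VIP range 199.36.153.4/30.
# Run from a workload inside the private cloud; the sample answers below are
# constructed so the script also runs offline.

RESTRICTED_VIP_NET=199.36.153.4
RESTRICTED_VIP_PREFIX=30

# Convert a dotted quad to a 32-bit integer; returns 1 on malformed input.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Return 0 if $1 is inside 199.36.153.4/30, 1 otherwise (or if $1 is not an IP).
in_restricted_vip() {
    ip=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "$RESTRICTED_VIP_NET")
    # Network mask for the prefix length, e.g. ~3 for a /30.
    mask=$(( ~((1 << (32 - RESTRICTED_VIP_PREFIX)) - 1) ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Given whitespace-separated A-record answers, print those outside the range.
# Returns 0 if every answer is a restricted VIP, 1 if any is not.
check_answers() {
    bad=0
    for addr in $1; do
        if ! in_restricted_vip "$addr"; then
            echo "NOT a restricted VIP: $addr"
            bad=1
        fi
    done
    return $bad
}

# Live use (needs dig):  check_answers "$(dig +short A storage.googleapis.com)"
# Constructed sample: two restricted VIPs and one public Google API address.
SAMPLE_ANSWERS="199.36.153.4 199.36.153.7 142.250.190.10"
check_answers "$SAMPLE_ANSWERS" || echo "some answers bypass the restricted VIP"
```

Run it against `storage.googleapis.com`, `vmwareengine.googleapis.com`, or any other API your workloads call. A clean result only proves name resolution; the perimeter itself still has to list VMware Engine under its restricted services.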
Add VMware Engine to allowed VPC Service Controls
To add VMware Engine to the perimeter's restricted services, follow these
steps in the Google Cloud console:
1. Go to the VPC Service Controls page.
2. Click the name of the perimeter that you want to modify.
3. On the Edit VPC Service Perimeter page, click the Restricted Services tab.
4. Click Add Services.
5. In the Specify services to restrict section, check the field for
VMware Engine. If not already selected, check the fields for
Compute Engine API and Cloud DNS API.
6. Click Add Services.
7. Click Save.
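The same change can be made and verified with gcloud, which is easier to review and repeat than console clicks. The script below is an added example, not part of the VMware Engine documentation: it builds the `gcloud access-context-manager perimeters update` command that adds the three services the steps above require, and checks a `perimeters describe` output for them. The access policy ID, perimeter name and project number are placeholders, and the describe output at the bottom is a constructed sample so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the VMware Engine docs): gcloud equivalent of the
# console steps above, plus a check of the perimeter's restricted-services list.
# POLICY, PERIMETER and the project number are assumed placeholders.

POLICY=${POLICY:-123456789012}            # access policy ID (placeholder)
PERIMETER=${PERIMETER:-vmware-perimeter}  # perimeter name (placeholder)

# The page asks for VMware Engine plus Compute Engine and Cloud DNS.
REQUIRED_SERVICES="vmwareengine.googleapis.com compute.googleapis.com dns.googleapis.com"

# Print the update command rather than running it, so it can be reviewed first.
build_update_cmd() {
    svc=$(echo "$REQUIRED_SERVICES" | tr ' ' ',')
    echo "gcloud access-context-manager perimeters update $PERIMETER" \
         "--policy=$POLICY --add-restricted-services=$svc"
}

# Given the YAML printed by
#   gcloud access-context-manager perimeters describe "$PERIMETER" --policy="$POLICY"
# print each required service that is not listed. Returns 0 when all are present.
check_restricted_services() {
    missing=0
    for svc in $REQUIRED_SERVICES; do
        if ! printf '%s\n' "$1" | grep -q -E "^[[:space:]]*- ${svc}"'$'; then
            echo "missing from restrictedServices: $svc"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample describe output: Compute and DNS restricted, VMware Engine not.
SAMPLE_DESCRIBE='name: accessPolicies/123456789012/servicePerimeters/vmware-perimeter
status:
  resources:
  - projects/111111111111
  restrictedServices:
  - compute.googleapis.com
  - dns.googleapis.com'

build_update_cmd
check_restricted_services "$SAMPLE_DESCRIBE" || echo "perimeter needs updating"
```

Run the printed command once it looks right, then feed the real `describe` output to `check_restricted_services` to confirm the change landed. If you want to see what the perimeter would block before enforcing it, `gcloud access-context-manager perimeters dry-run update` takes the same `--add-restricted-services` flag.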
What's next
- Learn more about VPC Service Controls.
- Learn about services supported by restricted virtual IPs.
- Read more about service perimeter configuration steps.
Last updated 2025-08-28 UTC.