Build VPC Service Controls perimeters with access levels and restricted services.
Last verified: May 2026
The GCP VPC Service Controls Perimeter Builder helps you define service perimeters that restrict data movement between Google Cloud services and the internet. VPC Service Controls create a security boundary around GCP resources to prevent data exfiltration even if IAM policies are misconfigured. This tool guides you through configuring protected services, access levels, ingress and egress rules, and perimeter bridges, generating the configuration for deployment via gcloud or Terraform.
VPC firewalls control network-level (IP/port) traffic between VM instances. VPC Service Controls operate at the Google API layer, restricting which projects and identities can access specific Google Cloud services. They protect against data exfiltration via API calls even when network connectivity is allowed.
The request is denied with a VPC Service Controls violation error. The violation is logged in Cloud Audit Logs with details about the denied request. You can use dry-run mode to test perimeter configurations by logging violations without actually blocking requests.
Your security team needs to prevent a repeat of last quarter's incident where leaked credentials let an attacker copy 5 TB of customer data from BigQuery to an external GCS bucket. The builder helps you create a perimeter around the production project with restricted services [bigquery.googleapis.com, storage.googleapis.com, etc.] and an egress rule allowing only the analytics pipeline service account to write to specific approved external buckets. You deploy in dry-run for 3 weeks, identify and approve 4 legitimate workflows, then enforce. Data exfiltration is now technically impossible via Google APIs, even with leaked credentials.
The builder generates a VPC Service Controls perimeter as an accessPolicies/{policyId}/servicePerimeters/{name} resource with: status.resources (projects in the perimeter), status.restrictedServices (Google APIs to protect), status.accessLevels (allowed external access conditions), status.ingressPolicies (incoming access rules), and status.egressPolicies (outgoing access rules). Output is generated as gcloud access-context-manager commands and Terraform google_access_context_manager_service_perimeter resources.
ALWAYS deploy VPC Service Controls in dry-run mode first (a separate `dryRun` perimeter). Dry-run logs violations without blocking traffic, so you discover all the legitimate workflows that would break BEFORE blocking them. Plan on 2-4 weeks of dry-run analysis before flipping to enforced mode.
VPC SC perimeters cover GCP API endpoints, NOT raw network traffic. A user inside the perimeter can still SSH to a VM outside the perimeter — but they can't call `gcloud storage cp` to a bucket outside. For network-level isolation, you also need VPC firewalls. They're complementary controls.
Egress rules with identity-based conditions are the right way to allow specific service accounts (e.g., a CI/CD pipeline) to access resources outside the perimeter. Don't use IP-based access levels for service-to-service auth — IPs change, identities don't.
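As an added example (not the builder's own code), the following Python assembles the servicePerimeters resource body described above for the BigQuery-exfiltration scenario, placing the configuration in `spec` with `useExplicitDryRunSpec` for dry-run or in `status` for enforcement, and lints the egress rules against the identity-based advice in this section. All project numbers, the policy id and the service account are constructed placeholders.

```python
import re
# Constructed placeholders for the text's scenario, not real ids or accounts.
POLICY_ID = "POLICY_ID_PLACEHOLDER"
PROD_PROJECT = "projects/PROD_PROJECT_NUMBER"
APPROVED_PROJECT = "projects/APPROVED_BUCKET_PROJECT_NUMBER"
PIPELINE_SA = "serviceAccount:analytics-pipeline@PROD_PROJECT_ID.iam.gserviceaccount.com"
PRINCIPAL_RE = re.compile(r"^(user|serviceAccount):[^@\s]+@[^@\s]+$")

def build_perimeter(name, resources, restricted_services, egress_identities,
                    egress_project, dry_run=True):
    # Projects inside, APIs protected, and one identity-based egress rule that lets
    # only the listed principals create Storage objects in the approved project.
    config = {
        "resources": list(resources),
        "restrictedServices": list(restricted_services),
        "egressPolicies": [{
            "egressFrom": {"identities": list(egress_identities)},
            "egressTo": {
                "resources": [egress_project],
                "operations": [{
                    "serviceName": "storage.googleapis.com",
                    "methodSelectors": [{"method": "google.storage.objects.create"}],
                }],
            },
        }],
    }
    body = {"name": f"accessPolicies/{POLICY_ID}/servicePerimeters/{name}",
            "title": name, "perimeterType": "PERIMETER_TYPE_REGULAR"}
    if dry_run:   # dry-run: config lives in `spec`, violations are only logged
        body["useExplicitDryRunSpec"] = True
        body["spec"] = config
    else:         # enforced: config lives in `status`, violations are blocked
        body["status"] = config
    return body

def egress_rule_problems(body):
    # Lint egress rules: explicit principals in egressFrom (no ANY_IDENTITY,
    # no IP ranges or other non-principal strings) and no '*' in egressTo.
    problems = []
    config = body.get("spec") or body.get("status") or {}
    for i, rule in enumerate(config.get("egressPolicies", [])):
        src, dst = rule.get("egressFrom", {}), rule.get("egressTo", {})
        ids = src.get("identities", [])
        if not ids or src.get("identityType") == "ANY_IDENTITY":
            problems.append(f"egressPolicies[{i}]: no explicit identities")
        problems += [f"egressPolicies[{i}]: {x!r} is not a principal"
                     for x in ids if not PRINCIPAL_RE.match(x)]
        if "*" in dst.get("resources", []):
            problems.append(f"egressPolicies[{i}]: egressTo.resources is '*'")
    return problems
```

Feed the returned body to the Access Context Manager API (or translate it into the gcloud/Terraform output the builder emits); the linter is a pre-deployment check, not something VPC SC itself enforces.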
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.