Adding Cloud Service Mesh (in-cluster) services to the service perimeters
Note: This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information, see Cloud Service Mesh overview.

If you have created a service perimeter in your organization, you must add the Certificate Authority (Cloud Service Mesh certificate authority or Certificate Authority Service), Mesh Configuration, Cloud Logging (formerly Stackdriver Logging), Cloud Monitoring, and Cloud Trace services to the perimeter in the following cases:
- The cluster on which you have installed Cloud Service Mesh is in a project that is included in a service perimeter.
- The cluster on which you have installed Cloud Service Mesh is a service project in a Shared VPC network.
Adding these services to the service perimeter lets your Cloud Service Mesh cluster reach them, while access to those services is restricted to your cluster's Virtual Private Cloud (VPC) network.
If you do not add these services, the Cloud Service Mesh installation can fail or some functions can be missing. For example, if you don't add the Cloud Service Mesh certificate authority to the service perimeter, workloads cannot get certificates from the Cloud Service Mesh certificate authority.
Before you begin
The VPC Service Controls service perimeter is configured at the organization level. Ensure that you have been granted the proper roles for administering VPC Service Controls. If you have multiple projects, you can apply the service perimeter to all of the projects by adding each project to the service perimeter.
Adding Cloud Service Mesh services to an existing service perimeter
Console
- Follow the steps in Updating a service perimeter to edit the perimeter.
- On the Edit VPC Service Perimeter page, under Services to protect, click Add Services.
- In the Specify services to restrict dialog, click Filter services. Depending on your Certificate Authority (CA), enter either Cloud Service Mesh Certificate Authority API or Certificate Authority Service API.
- Select the service's checkbox.
- Click Add Cloud Service Mesh Certificate Authority API.
- Repeat steps 2 - 5 to add:
- Mesh Configuration API
- Cloud Monitoring API
- Cloud Trace API
- Click Save.
gcloud
To update the list of restricted services, use the update command and specify the services to add as a comma-delimited list. If you use Certificate Authority Service as your CA, replace meshca.googleapis.com with privateca.googleapis.com in the following command.

    gcloud access-context-manager perimeters update PERIMETER_NAME \
        --add-restricted-services=meshconfig.googleapis.com,meshca.googleapis.com,monitoring.googleapis.com,cloudtrace.googleapis.com,OTHER_SERVICES \
        --policy=POLICY_NAME

Where:
- PERIMETER_NAME is the name of the service perimeter that you want to update.
- OTHER_SERVICES is an optional comma-separated list of one or more services to include in the perimeter in addition to the services populated in the preceding command. For example: storage.googleapis.com,bigquery.googleapis.com. If you have no additional services, omit the trailing ",OTHER_SERVICES".
- POLICY_NAME is the numeric name of your organization's access policy. For example, 330193482019.

Refer to Updating a service perimeter for additional information.
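As an added example (not code from the original page or from Google), the following script wraps the gcloud procedure above: it builds the restricted-service list for either CA choice, runs the update, and then reads the perimeter back to confirm every service is actually restricted, which is the check you want before assuming workloads can reach the Cloud Service Mesh certificate authority. PERIMETER_NAME, POLICY_NAME, CA_TYPE and EXTRA_SERVICES are assumed environment variables, the file name add-csm-services.sh is hypothetical, and SAMPLE_DESCRIBE_JSON is constructed sample output, not captured from a real project.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: build the restricted-service list that a
# Cloud Service Mesh cluster needs, add it to an existing VPC Service Controls perimeter,
# then verify the result. PERIMETER_NAME, POLICY_NAME, CA_TYPE and EXTRA_SERVICES are
# assumed environment variables; SAMPLE_DESCRIBE_JSON is constructed test data.
set -eu

# Print the comma-delimited list for --add-restricted-services.
#   $1: "meshca" (Cloud Service Mesh certificate authority) or
#       "privateca" (Certificate Authority Service)
#   $2: optional extra comma-separated services (the page's OTHER_SERVICES)
csm_restricted_services() {
  ca_type="$1"
  extra="${2:-}"
  case "$ca_type" in
    meshca)    ca_api="meshca.googleapis.com" ;;
    privateca) ca_api="privateca.googleapis.com" ;;
    *) echo "unknown CA type: $ca_type (expected meshca or privateca)" >&2; return 1 ;;
  esac
  list="meshconfig.googleapis.com,${ca_api},monitoring.googleapis.com,cloudtrace.googleapis.com"
  if [ -n "$extra" ]; then
    list="${list},${extra}"
  fi
  printf '%s\n' "$list"
}

# Read `perimeters describe --format=json` output on stdin; succeed if service $1 is listed.
# Matching the quoted name avoids prefix matches between similarly named services.
perimeter_has_service() {
  grep -qF -- "\"$1\""
}

# Constructed sample of describe output (not captured from a real project).
SAMPLE_DESCRIBE_JSON='{
  "name": "accessPolicies/POLICY_NAME/servicePerimeters/PERIMETER_NAME",
  "status": {
    "restrictedServices": [
      "meshconfig.googleapis.com",
      "meshca.googleapis.com",
      "monitoring.googleapis.com",
      "cloudtrace.googleapis.com"
    ]
  }
}'

# Update the perimeter, then confirm every requested service is now restricted.
apply_to_perimeter() {
  perimeter="$1"; policy="$2"; ca_type="$3"; extra="${4:-}"
  services="$(csm_restricted_services "$ca_type" "$extra")"
  gcloud access-context-manager perimeters update "$perimeter" \
    --add-restricted-services="$services" \
    --policy="$policy"
  described="$(gcloud access-context-manager perimeters describe "$perimeter" \
    --policy="$policy" --format=json)"
  for svc in $(printf '%s' "$services" | tr ',' ' '); do
    if ! printf '%s' "$described" | perimeter_has_service "$svc"; then
      echo "ERROR: $svc is not among the perimeter's restricted services" >&2
      return 1
    fi
  done
  echo "perimeter $perimeter now restricts: $services"
}

# Runs only when the inputs are supplied, e.g.
#   PERIMETER_NAME=my-perimeter POLICY_NAME=330193482019 CA_TYPE=privateca ./add-csm-services.sh
if [ -n "${PERIMETER_NAME:-}" ]; then
  apply_to_perimeter "$PERIMETER_NAME" "$POLICY_NAME" "${CA_TYPE:-meshca}" "${EXTRA_SERVICES:-}"
fi
```

The verification step matters because --add-restricted-services is additive and silently accepts a list that already contains some of the services; reading status.restrictedServices back is the only way to know the perimeter now covers everything the mesh needs.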
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.