Configure VPC Service Controls
This page describes how to enable VPC Service Controls on a Cloud SQL project. Before you begin, review Overview of VPC Service Controls. Also review the Cloud SQL limitations when using VPC Service Controls.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the Compute Engine API.
- Enable the Service Networking API.
- Add the Identity and Access Management (IAM) roles to the user or service account you are using to set up and administer VPC Service Controls. See IAM Roles for Administering VPC Service Controls.
- Review limitations when using VPC Service Controls with Cloud SQL.
- Optionally, add an organization policy that restricts public IP on instances in projects that use that policy. See Connection organization policies and Configuring the organization policy.
Configure the Virtual Private Cloud (VPC) network
Perform the steps in Setting up private connectivity to Google APIs and services.
Note: If you're using Shared VPC, we recommend that you include the host project in a service perimeter along with any projects that belong to the Shared VPC.
Disallow or disable public IP for Cloud SQL instances
To constrain data within the VPC for your Cloud SQL project, do not allow connections to Cloud SQL instances from public IPs. IP-based connections bypass VPC Service Controls. You must also disable public IP for new and existing Cloud SQL instances within the VPC.
To either disallow or disable public IP on Cloud SQL instances:
- Organization administrators can apply organization policies that disallow creating new instances with public IP. See Configure the organization policy.
- Users who create Cloud SQL instances can configure the instances to use private IP instead of public IP. See Disable public IP.
Create a service perimeter
During this procedure, you select the Cloud SQL projects that you want the VPC service perimeter to protect.
Note: Sometimes, a Cloud SQL instance enabled with CMEK has the KMS key hosted in a different cloud project. For this scenario, when you enable VPC-SC, you must add the KMS key hosting project to the security perimeter.
To create a service perimeter, follow the instructions in Creating a service perimeter.
Add more instances to the service perimeter
To add existing Cloud SQL projects to the perimeter, follow the instructions in Updating a service perimeter.
Add the Cloud SQL and Cloud Storage APIs to the service perimeter
To mitigate the risk of your data being exfiltrated from Cloud SQL, for example, using Cloud SQL import or export APIs, you must restrict both the Google Cloud SQL Admin API and the Google Cloud Storage API.
Note: You can only import or export data from a Cloud Storage bucket that is in a project that resides in the same service perimeter as Cloud SQL.
To add Cloud SQL and Cloud Storage APIs as restricted services:
Console
In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.
On the VPC Service Controls page, in the table, click the name of the service perimeter that you want to modify.
Click EDIT.
On the Edit VPC Service Perimeter page, click ADD SERVICES.
Add Cloud SQL Admin API and Cloud Storage API.
Click Save.
gcloud
```
gcloud access-context-manager perimeters update PERIMETER_ID \
    --policy=POLICY_ID \
    --add-restricted-services=sqladmin.googleapis.com,storage.googleapis.com
```
Where:
- PERIMETER_ID is the ID of the perimeter or the fully qualified identifier for the perimeter.
- POLICY_ID is the ID of the access policy.
For reference information, see access-context-manager perimeters update.
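The three conditions this page sets out (no public IP on instances, the KMS key project inside the perimeter when CMEK is used, and both the Cloud SQL Admin and Cloud Storage APIs restricted) can be verified from describe output rather than by eye. The following audit script is an added example, not part of this page or of gcloud; it assumes the JSON shapes returned by `gcloud access-context-manager perimeters describe --format=json` and `gcloud sql instances describe --format=json`, a caller-supplied map from project IDs to project numbers (perimeter resources are listed as `projects/NUMBER`), and uses constructed sample data.

```python
REQUIRED_SERVICES = {"sqladmin.googleapis.com", "storage.googleapis.com"}


def audit(perimeter, instances, project_numbers):
    """Return a list of findings; an empty list means the checks pass.

    perimeter: parsed JSON of a service perimeter describe call.
    instances: list of parsed JSON Cloud SQL instance descriptions.
    project_numbers: project ID -> project number (assumed to be looked up
    by the caller, e.g. from `gcloud projects describe`).
    """
    findings = []
    status = perimeter.get("status", {})
    protected = set(status.get("resources", []))
    restricted = set(status.get("restrictedServices", []))

    # Both APIs must be restricted, or import/export could move data out.
    for svc in sorted(REQUIRED_SERVICES - restricted):
        findings.append(f"{svc} is not a restricted service")

    for inst in instances:
        name = inst.get("name", "?")
        project = inst.get("project", "")
        if f"projects/{project_numbers.get(project, project)}" not in protected:
            findings.append(f"instance {name}: project {project} is outside the perimeter")
        # IP-based connections bypass VPC Service Controls entirely.
        if inst.get("settings", {}).get("ipConfiguration", {}).get("ipv4Enabled"):
            findings.append(f"instance {name}: public IP is enabled")
        # A CMEK key hosted in another project requires that project in the perimeter.
        key = inst.get("diskEncryptionConfiguration", {}).get("kmsKeyName", "")
        if key:
            key_project = key.split("/")[1]  # projects/ID/locations/...
            if f"projects/{project_numbers.get(key_project, key_project)}" not in protected:
                findings.append(f"instance {name}: KMS key project {key_project} is outside the perimeter")
    return findings


# Constructed sample data (not real resources): perimeter lacks the Storage API.
PERIMETER = {"name": "accessPolicies/111/servicePerimeters/sql_perimeter",
             "status": {"resources": ["projects/1001"],
                        "restrictedServices": ["sqladmin.googleapis.com"]}}
INSTANCES = [
    {"name": "db-private", "project": "sql-proj",
     "settings": {"ipConfiguration": {"ipv4Enabled": False}}},
    {"name": "db-public-cmek", "project": "sql-proj",
     "settings": {"ipConfiguration": {"ipv4Enabled": True}},
     "diskEncryptionConfiguration": {
         "kmsKeyName": "projects/kms-proj/locations/us/keyRings/r/cryptoKeys/k"}},
]
PROJECT_NUMBERS = {"sql-proj": "1001", "kms-proj": "2002"}

if __name__ == "__main__":
    for finding in audit(PERIMETER, INSTANCES, PROJECT_NUMBERS):
        print("FINDING:", finding)
```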
Create an access level
Optionally, to permit external access to protected resources inside a perimeter, you can use access levels. Access levels apply only to requests for protected resources coming from outside the service perimeter. You can't use access levels to give protected resources or VMs permission to access data and services outside the perimeter.
See Allowing access to protected resources from outside a perimeter.
Last updated 2025-07-14 UTC.