Retrieve VPC Service Controls errors from audit logs
This page describes how you can find VPC Service Controls errors using Cloud Logging.
VPC Service Controls helps mitigate data exfiltration risks by isolating multi-tenant Google Cloud services. For more information, see Overview of VPC Service Controls.
Determine if an error is due to VPC Service Controls
VPC Service Controls can modify the properties of Google Cloud and have cascading effects across services. This can make it difficult to debug issues, especially if you don't know what to look for.
Service perimeter changes can take up to 30 minutes to propagate and take effect. When the changes have propagated, access to the services restricted in the perimeter isn't allowed to cross the perimeter boundary unless explicitly authorized.
To determine if an error is related to VPC Service Controls, check whether you have enabled VPC Service Controls and applied it to the projects and services you are attempting to use. To verify whether the projects and services are protected by VPC Service Controls, check the VPC Service Controls policy at that level of the resource hierarchy.
Consider an example scenario in which you indirectly use a service that is marked as a restricted service by VPC Service Controls in a project that is inside a service perimeter. In such a case, VPC Service Controls might be denying access.
Usually, services propagate error messages from their dependencies. If you encounter one of the following errors, it indicates a problem with VPC Service Controls.
- Cloud Storage: 403: Request violates VPC Service Controls.
- BigQuery: 403: VPC Service Controls: Request is prohibited by organization's policy.
- Other services: 403: Request is prohibited by organization's policy.
Use the error's unique ID
Unlike the Google Cloud console, the gcloud command-line tool returns a unique ID for VPC Service Controls errors. To locate log entries for other errors, filter the logs using metadata.
An error generated by VPC Service Controls includes a unique ID that is used to identify the relevant audit logs.
To obtain information about an error using the unique ID, do the following:
1. In the Google Cloud console, go to the Cloud Logging page for the project inside the service perimeter that triggered the error.
2. In the search-filter field, enter the error's unique ID.
3. The relevant log entry is displayed.
Filter logs using metadata
You can use the Logs Explorer to find errors related to VPC Service Controls, and the Logging query language to retrieve the logs. For information about building queries, see Building queries by using the Logging query language.
Console
To obtain the last 24 hours of VPC Service Controls errors in Logging, do the following:
1. In the Google Cloud console, go to the Cloud Logging page.
2. Make sure that you are in the project that is inside the service perimeter.
3. In the search-filter field, enter the following:
   protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
4. In the Resource menu, select Audited Resource.
5. In the time-range selector menu, select Last 24 hours.
6. Optional: To find the VPC Service Controls errors that have occurred during a different period, use the time-range selector menu.
gcloud
To obtain the last 24 hours of VPC Service Controls errors, run the following command:

gcloud logging read 'protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"'

By default, the read command is limited to the last 24 hours. To obtain VPC Service Controls logs for a different period, use one of the following commands:

To retrieve logs that were generated within a certain period from the current date, run the following command:

gcloud logging read \
  'protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"' \
  --freshness=DURATION

DURATION is a formatted period of time. For more information about formatting, see relative duration and time formats for gcloud CLI.

To retrieve all VPC Service Controls errors that have occurred in the past week, run the following command:

gcloud logging read \
  'protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"' \
  --freshness=7d

To retrieve logs that were generated between specific dates, run the following command:

gcloud logging read \
  'protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" AND timestamp>="START_DATETIME" AND timestamp<="END_DATETIME"'

START_DATETIME and END_DATETIME are formatted date and time strings. For more information about formatting, see absolute date and time formats for gcloud CLI.

For example, to obtain all VPC Service Controls errors that have occurred between March 22, 2019 and March 26, 2019:

gcloud logging read \
  'protoPayload.metadata.@type:"type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata" AND timestamp>="2019-03-22T23:59:59Z" AND timestamp<="2019-03-26T00:00:00Z"'
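The following Python script is an added example and is not Google's code or part of this page. It post-processes the JSON array that gcloud logging read prints when run with --format=json: it separates VPC Service Controls denials from ordinary permission errors using the metadata @type shown above, matches the three service error messages listed earlier, looks up an entry by the unique ID described in "Use the error's unique ID", and composes the timestamp-bounded filter used in the commands above. The log entries in the script are constructed samples, and the metadata field names violationReason, resourceNames and vpcServiceControlsUniqueId (and the sample reason values) are assumptions based on the Cloud Audit Logs format rather than values taken from this page.

```python
"""Triage VPC Service Controls denials in exported Cloud Audit Logs.

Added example (not Google's code). Input: the JSON array printed by
`gcloud logging read '<filter>' --format=json`. The sample entries below are
constructed; the metadata field names are assumed from the audit log format.
"""
import json
import sys
from typing import Dict, List, Optional

# The metadata type that marks an audit log entry as a VPC Service Controls event.
VPC_SC_METADATA_TYPE = (
    "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
)

# Error messages this page lists as coming from VPC Service Controls.
VPC_SC_ERROR_MESSAGES = (
    "Request violates VPC Service Controls.",
    "VPC Service Controls: Request is prohibited by organization's policy.",
    "Request is prohibited by organization's policy.",
)


def _entry(ts: str, method: str, principal: str, message: str, metadata: Dict) -> Dict:
    """Build one constructed audit log entry in the gcloud JSON output shape (assumed)."""
    return {
        "timestamp": ts,
        "resource": {"type": "audited_resource"},
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "status": {"code": 7, "message": message},  # 7 = PERMISSION_DENIED
            "metadata": metadata,
        },
    }


# Constructed sample: two VPC SC denials and one ordinary IAM denial (not real log data).
SAMPLE_ENTRIES: List[Dict] = [
    _entry("2019-03-23T10:15:00Z", "storage.objects.get", "analyst@example.com",
           "Request violates VPC Service Controls.",
           {"@type": VPC_SC_METADATA_TYPE, "violationReason": "NO_MATCHING_ACCESS_LEVEL",
            "resourceNames": ["projects/_/buckets/example-bucket"],
            "vpcServiceControlsUniqueId": "EXAMPLE-UNIQUE-ID-0001"}),
    _entry("2019-03-23T10:16:00Z", "google.cloud.bigquery.v2.JobService.InsertJob",
           "pipeline@example.com",
           "VPC Service Controls: Request is prohibited by organization's policy.",
           {"@type": VPC_SC_METADATA_TYPE,
            "violationReason": "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER",
            "resourceNames": ["projects/123456789012"],
            "vpcServiceControlsUniqueId": "EXAMPLE-UNIQUE-ID-0002"}),
    _entry("2019-03-23T10:17:00Z", "storage.objects.get", "intern@example.com",
           "Permission denied on resource (constructed IAM denial).", {}),
]


def is_vpc_sc_entry(entry: Dict) -> bool:
    """True when the entry carries VPC Service Controls audit metadata."""
    metadata = entry.get("protoPayload", {}).get("metadata") or {}
    return metadata.get("@type") == VPC_SC_METADATA_TYPE


def is_vpc_sc_error_message(message: str) -> bool:
    """True when a service's error text ends with one of the messages listed on this page."""
    return any(message.endswith(known) for known in VPC_SC_ERROR_MESSAGES)


def summarize(entry: Dict) -> Dict[str, object]:
    """Flatten the fields a responder needs from one denial."""
    payload = entry.get("protoPayload", {})
    metadata = payload.get("metadata") or {}
    return {
        "timestamp": entry.get("timestamp"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "method": payload.get("methodName"),
        "message": payload.get("status", {}).get("message"),
        "reason": metadata.get("violationReason"),
        "resources": metadata.get("resourceNames", []),
        "unique_id": metadata.get("vpcServiceControlsUniqueId"),
    }


def vpc_sc_denials(entries: List[Dict]) -> List[Dict[str, object]]:
    """Keep only VPC Service Controls entries, summarized, in input order."""
    return [summarize(e) for e in entries if is_vpc_sc_entry(e)]


def find_by_unique_id(entries: List[Dict], unique_id: str) -> Optional[Dict]:
    """Mirror the console's free-text search: match the ID anywhere in the entry."""
    for entry in entries:
        if unique_id in json.dumps(entry):
            return entry
    return None


def build_filter(start: Optional[str] = None, end: Optional[str] = None) -> str:
    """Compose the Logging query from this page, optionally bounded by RFC 3339 timestamps."""
    clauses = [f'protoPayload.metadata.@type:"{VPC_SC_METADATA_TYPE}"']
    if start:
        clauses.append(f'timestamp>="{start}"')
    if end:
        clauses.append(f'timestamp<="{end}"')
    return " AND ".join(clauses)


if __name__ == "__main__":
    # Pipe real output in (`gcloud logging read ... --format=json | python3 triage.py`)
    # or run with no stdin to triage the constructed sample.
    entries = json.loads(sys.stdin.read()) if not sys.stdin.isatty() else SAMPLE_ENTRIES
    print("filter:", build_filter("2019-03-22T23:59:59Z", "2019-03-26T00:00:00Z"))
    for denial in vpc_sc_denials(entries):
        print(denial)
```

The script keys on the metadata @type rather than on the error text, because the text is whatever the calling service chose to propagate, while the @type is set by the audit log itself; the message matcher is kept only for the case where all you have is the error a client printed. The unique ID lookup searches the whole serialized entry, which is what entering the ID in the console's search-filter field does, so it works even if the field that carries the ID is named differently from what this example assumes.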
What's next
- Learn how to diagnose an access denial in violation analyzer and view its comprehensive evaluation report.
- Diagnose an access denial and view the classic report
- Troubleshoot common VPC Service Controls issues
- Troubleshoot common issues related to other Google Cloud services
Last updated 2026-02-19 UTC.