Set up a service perimeter by using VPC Service Controls

Learn how to set up a service perimeter using VPC Service Controls in the Google Cloud console.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
    Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.


  3. If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

  4. Verify that billing is enabled for your Google Cloud project.

  5. Enable the Access Context Manager API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.


Required roles

To get the permissions that you need to complete this quickstart, ask your administrator to grant you the Access Context Manager Editor (roles/accesscontextmanager.policyEditor) IAM role on your organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the permissions required to complete this quickstart. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to complete this quickstart:

  • accesscontextmanager.accessLevels.list
  • accesscontextmanager.policies.create
  • accesscontextmanager.servicePerimeters.create

You might also be able to get these permissions with custom roles or other predefined roles.

Set up a VPC Service Controls perimeter

In the following sections, you specify the perimeter details, add projects and services to protect, and create the perimeter.

Add the VPC Service Controls perimeter details

  1. In the Google Cloud console, go to the VPC Service Controls page.


  2. To create a new perimeter by using the default access policy, select your organization from the project selector menu.

    If your organization doesn't have an access policy, follow these steps:

    1. On the VPC Service Controls page, click Manage policies.

    2. On the Manage VPC Service Controls page, click Create.

    3. On the Create access policy page, in the Access policy title field, enter access_policy_1.

    4. Click Create access policy.

  3. On the VPC Service Controls page, click New perimeter.

  4. On the Create a service perimeter page, in the Title field, enter perimeter_storage_services.

  5. For Perimeter type and Enforcement mode, retain the default selections.

  6. Click Continue.

Add projects to the perimeter

  1. To add projects to the perimeter, click Add projects.

  2. In the Add Projects pane, select the projects that you want to add to the perimeter and then click Add selected projects.

  3. Click Continue.

Warning: If you add a project to this perimeter, the Google Cloud resources in the project cannot communicate across the perimeter.

Secure the BigQuery and Cloud Storage services within the perimeter

  1. In the Restricted services pane, click Add services.

  2. In the Add services pane, select the checkboxes for the BigQuery and Cloud Storage APIs.

    To locate the services, you can use the filter query.

  3. Click Add selected services.

  4. Click Create.

You just created a perimeter! You can see your perimeter listed on the VPC Service Controls page. The perimeter might take up to 30 minutes to propagate and take effect. When the changes have propagated, access to the BigQuery and Cloud Storage services is limited to the projects you added to the perimeter.

Additionally, the Google Cloud console interface for the BigQuery and Cloud Storage services that you protected with the perimeter might become partially or fully inaccessible.
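The console steps above map onto a handful of gcloud commands. The following script is an added example, not code from this page or from Google; it creates the same access policy and perimeter (regular type, enforced, restricting only the BigQuery and Cloud Storage APIs) and also covers the Clean up section below. ORG_ID, POLICY_ID and PROJECT_NUMBERS are placeholders that you replace with your own values, and the script assumes gcloud is installed and authenticated as a principal holding roles/accesscontextmanager.policyEditor on the organization. The one check worth carrying over from the console flow is that perimeter members are identified by project number, not project ID, so the script validates the --resources entries before calling gcloud.

```shell
#!/bin/sh
# Added example, not code from the Google Cloud documentation: the perimeter
# that the console steps above create, expressed with the gcloud CLI.
# Assumptions (placeholders you replace): ORG_ID, POLICY_ID and PROJECT_NUMBERS;
# gcloud is installed and authenticated as a principal holding
# roles/accesscontextmanager.policyEditor on the organization.
set -eu

# DRY_RUN=1 prints each gcloud command line instead of executing it.
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "${DRY_RUN}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# VPC Service Controls identifies perimeter members by project NUMBER, not
# project ID, so --resources takes entries like projects/123456789012.
# Returns 0 if every argument has that form, 1 otherwise.
validate_resources() {
  for r in "$@"; do
    num="${r#projects/}"
    [ "$num" != "$r" ] || return 1               # prefix projects/ missing
    [ -n "$num" ] || return 1                    # nothing after the prefix
    case "$num" in *[!0-9]*) return 1 ;; esac    # non-digit characters
  done
  return 0
}

# "Add the VPC Service Controls perimeter details": create the organization's
# access policy. Skip this if the organization already has one.
create_access_policy() {
  run gcloud access-context-manager policies create \
    --organization="$1" --title="access_policy_1"
}

# "Add projects to the perimeter" and "Secure the BigQuery and Cloud Storage
# services": a regular (enforced) perimeter containing the given projects,
# with only the BigQuery and Cloud Storage APIs restricted.
create_perimeter() {
  policy_id="$1"; shift
  validate_resources "$@" || {
    echo "every resource must look like projects/<PROJECT_NUMBER>" >&2
    return 1
  }
  resources=$(printf '%s,' "$@"); resources="${resources%,}"
  run gcloud access-context-manager perimeters create perimeter_storage_services \
    --title="perimeter_storage_services" \
    --perimeter-type=regular \
    --resources="$resources" \
    --restricted-services="bigquery.googleapis.com,storage.googleapis.com" \
    --policy="$policy_id"
}

# Propagation can take up to 30 minutes; describe the perimeter to confirm the
# stored configuration, then test access from inside and outside the perimeter.
verify_perimeter() {
  run gcloud access-context-manager perimeters describe perimeter_storage_services \
    --policy="$1"
}

# "Clean up": remove the perimeter (--quiet suppresses the confirmation prompt).
delete_perimeter() {
  run gcloud access-context-manager perimeters delete perimeter_storage_services \
    --policy="$1" --quiet
}

# Usage:
#   POLICY_ID=... PROJECT_NUMBERS="projects/111 projects/222" sh perimeter.sh apply
#   POLICY_ID=... sh perimeter.sh destroy
# PROJECT_NUMBERS is deliberately unquoted so it splits into one argument per project.
case "${1:-}" in
  apply)   create_perimeter "$POLICY_ID" $PROJECT_NUMBERS
           verify_perimeter "$POLICY_ID" ;;
  destroy) delete_perimeter "$POLICY_ID" ;;
esac
```

Run it once with DRY_RUN=1 to review the exact command lines before anything is changed; the perimeter name and title (perimeter_storage_services) and the policy title (access_policy_1) are the values used in the console steps.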

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

  1. In the Google Cloud console, go to the VPC Service Controls page.


  2. On the VPC Service Controls page, in the row corresponding to the perimeter that you created, click Delete.

  3. In the dialog box, click Delete to confirm that you want to delete the perimeter.


Last updated 2026-02-19 UTC.