VPC Service Controls helps you reduce the risk of unauthorized copying or transferof data from your Google-managed services.

With VPC Service Controls, you can configure service perimeters around theresources of your Google-managed services and control the movement of dataacross the perimeter boundary.

Create a service perimeter

To create a service perimeter, follow theVPC Service Controls guide to creating a service perimeter.

When you specify which services you want to restrict, make sure to add all of thefollowing services:

• VMMigration API (vmmigration.googleapis.com)
• Pub/Sub API (pubsub.googleapis.com)
• Cloud Storage API (storage.googleapis.com)
• Cloud Logging API (logging.googleapis.com)
• Secret Manager API (secretmanager.googleapis.com)
• Compute Engine API (compute.googleapis.com)

Your service perimeter must restrict all these services in order forMigrate to Virtual Machines to work with VPC Service Controls.

You should ensure the project in which you enabled the VMMigration API with theTarget Projects are included in the perimeter.

Configure your Migrate Connector in a VPC-SC enabled environment

In an environment that employs VPC-SC, you need to make sure that your MigrateConnector can communicate with the Google Cloud APIs.

You can allow your Migrate Connector to access the VPC-SC environment usingseveral methods. Your available methods depend on the configuration of theVPC-SC environment and whether your Migrate Connector network traffic isrouted privately or publicly:

• If your Migrate Connector network traffic is routed toGoogle Cloud using VPN or interconnect to the project VPC-SC, seetheVPC-SC private connectivity documentation.
• If your Migrate Connector network traffic is routed using a publicnetwork, see theVPC-SC overview documentation.