Manage service perimeters
This page describes how you can manage service perimeters in VPC Service Controls. For details on creating new service perimeters, see Creating service perimeters.
Before you begin
- Set your default access policy for using the gcloud command-line tool.
  -or-
- Get the name of your policy. The policy name is required for commands using the gcloud command-line tool and for making API calls. If you set a default access policy, you do not need to specify the policy for the gcloud command-line tool.
List and describe service perimeters
List all service perimeters in an organization:
Console
In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.
On the VPC Service Controls page, in the table, click the name of the service perimeter that you want to view.
gcloud
To list your organization's service perimeters, use the list command:

gcloud access-context-manager perimeters list

You should see a list of the perimeters for your organization. For example:

NAME           TITLE                 ETAG
ProdPerimeter  Production Perimeter  abcdefg123456789
To view details about a service perimeter, use the describe command:

gcloud access-context-manager perimeters \
  describe PERIMETER_ID

Replace the following:
- PERIMETER_ID is the ID of the service perimeter that you want to obtain details about.

You should see the details about the perimeter. For example:

etag: abcdefg123456789
name: accessPolicies/626111171578/servicePerimeters/ProdPerimeter
status:
  accessLevels:
  - accessPolicies/626111171578/accessLevels/corpAccess
  resources:
  - projects/111584792408
  restrictedServices:
  - bigquery.googleapis.com
  - storage.googleapis.com
title: Production Perimeter
List service perimeters (formatted)
Using the gcloud command-line tool, you can obtain a list of your service perimeters in YAML or JSON format.
To get a formatted list of perimeters, use the list command:

gcloud access-context-manager perimeters list \
  --format=FORMAT

Replace the following:
FORMAT is one of the following values:
- list (YAML format)
- json (JSON format)

The following output is an example list in YAML format:

- etag: abcdefg123456789
  name: accessPolicies/165717541651/servicePerimeters/On_Prem
  status: {'resources': ['projects/167410821371'], 'restrictedServices': ['bigquery.googleapis.com', 'storage.googleapis.com']}
  title: On Prem
- etag: hijklmn987654321
  name: accessPolicies/165717541651/servicePerimeters/Private
  spec: {'resources': ['projects/136109111311'], 'restrictedServices': ['bigquery.googleapis.com', 'storage.googleapis.com', 'logging.googleapis.com']}
  status: {'resources': ['projects/136109111311', 'projects/401921913171'], 'restrictedServices': ['bigquery.googleapis.com']}
  title: Private
  useExplicitDryRunSpec: True
- etag: pqrstuv123456789
  name: accessPolicies/165717541651/servicePerimeters/OnpremBridge
  perimeterType: PERIMETER_TYPE_BRIDGE
  status: {'resources': ['projects/167410821371']}
  title: OnpremBridge

The following output is an example list in JSON format:

[
  {
    "etag": "abcdefg123456789",
    "name": "accessPolicies/165717541651/servicePerimeters/On_Prem",
    "status": {
      "resources": ["projects/167410821371"],
      "restrictedServices": ["bigquery.googleapis.com", "storage.googleapis.com"]
    },
    "title": "OnPrem"
  },
  {
    "etag": "hijklmn987654321",
    "name": "accessPolicies/165717541651/servicePerimeters/Private",
    "spec": {
      "resources": ["projects/136109111311"],
      "restrictedServices": ["bigquery.googleapis.com", "storage.googleapis.com", "logging.googleapis.com"]
    },
    "status": {
      "resources": ["projects/136109111311", "projects/401921913171"],
      "restrictedServices": ["bigquery.googleapis.com"]
    },
    "title": "Private",
    "useExplicitDryRunSpec": true
  },
  {
    "etag": "pqrstuv123456789",
    "name": "accessPolicies/165717541651/servicePerimeters/OnpremBridge",
    "perimeterType": "PERIMETER_TYPE_BRIDGE",
    "status": {
      "resources": ["projects/167410821371"]
    },
    "title": "OnpremBridge"
  }
]
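The JSON list above is the natural input for a perimeter audit. The following added example (not part of this page or of the gcloud tool) parses that output, reports drift between each perimeter's enforced configuration (status) and its dry-run configuration (spec) where useExplicitDryRunSpec is set, and flags any non-bridge perimeter whose enforced configuration restricts no services; the embedded sample is constructed from the values shown on this page.

```python
import json

# Constructed sample of what `gcloud access-context-manager perimeters list
# --format=json` prints; values mirror this page's example, not a live org.
SAMPLE_LIST_JSON = """[
 {"etag": "abcdefg123456789",
  "name": "accessPolicies/165717541651/servicePerimeters/On_Prem",
  "status": {"resources": ["projects/167410821371"],
             "restrictedServices": ["bigquery.googleapis.com", "storage.googleapis.com"]},
  "title": "OnPrem"},
 {"etag": "hijklmn987654321",
  "name": "accessPolicies/165717541651/servicePerimeters/Private",
  "spec": {"resources": ["projects/136109111311"],
           "restrictedServices": ["bigquery.googleapis.com", "storage.googleapis.com",
                                  "logging.googleapis.com"]},
  "status": {"resources": ["projects/136109111311", "projects/401921913171"],
             "restrictedServices": ["bigquery.googleapis.com"]},
  "title": "Private", "useExplicitDryRunSpec": true},
 {"etag": "pqrstuv123456789",
  "name": "accessPolicies/165717541651/servicePerimeters/OnpremBridge",
  "perimeterType": "PERIMETER_TYPE_BRIDGE",
  "status": {"resources": ["projects/167410821371"]},
  "title": "OnpremBridge"}
]"""


def perimeter_id(name):
    """Short ID is the last segment of accessPolicies/N/servicePerimeters/ID."""
    return name.rsplit("/", 1)[-1]


def audit_perimeters(list_json):
    """Return {perimeter_id: findings}. 'drift' compares the enforced config
    (status) with the dry-run config (spec) when useExplicitDryRunSpec is set;
    'no_enforced_restriction' flags a non-bridge perimeter whose enforced
    config restricts no services, i.e. one that currently protects nothing."""
    findings = {}
    for p in json.loads(list_json):
        status = p.get("status", {})
        f = {"drift": {}, "no_enforced_restriction": False}
        if p.get("perimeterType") != "PERIMETER_TYPE_BRIDGE" and not status.get("restrictedServices"):
            f["no_enforced_restriction"] = True
        if p.get("useExplicitDryRunSpec"):
            spec = p.get("spec", {})
            for key in ("resources", "restrictedServices"):
                enforced, dry_run = set(status.get(key, [])), set(spec.get(key, []))
                if enforced != dry_run:  # what enforcing spec would add or drop
                    f["drift"][key] = {"only_in_dry_run": sorted(dry_run - enforced),
                                       "only_enforced": sorted(enforced - dry_run)}
        findings[perimeter_id(p["name"])] = f
    return findings
```

Run it against the real output by piping `gcloud access-context-manager perimeters list --format=json` into `audit_perimeters`; a non-empty `drift` entry tells you what enforcing the dry-run spec would change before you commit to it.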
Update a service perimeter
This section describes how to update individual service perimeters. To update all of your organization's service perimeters in one operation, see Making bulk changes to service perimeters.
You can perform the following tasks to update a service perimeter:
- Add new Google Cloud projects or remove projects from a service perimeter.
- Change the list of restricted Google Cloud services. You can also change the title and description for a service perimeter.
- Enable, add, remove, or disable VPC accessible services.
- Update the ingress and egress policies.
After you update a service perimeter, it can take up to 30 minutes for the changes to propagate and take effect. During this time, the perimeter might block requests with the following error message: Error 403: Request is prohibited by organization's policy.
Console
In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.
On the VPC Service Controls page, in the table, click the name of the service perimeter that you want to modify.
On the Service perimeter details page, click Edit.
On the Edit service perimeter page, update the service perimeter.
Click Save.
gcloud
To add new resources to a perimeter, use the update command and specify the resources to add:

gcloud access-context-manager perimeters update PERIMETER_ID \
  --add-resources=RESOURCES

Replace the following:
- PERIMETER_ID is the ID of the service perimeter that you want to update.
- RESOURCES is a comma-separated list of one or more project numbers or VPC network names. For example: projects/12345 or //compute.googleapis.com/projects/my-project/global/networks/vpc1. Only projects and VPC networks are allowed. Project format: projects/project_number. VPC format: //compute.googleapis.com/projects/project-id/global/networks/network_name.

To update the list of restricted services, use the update command and specify the services to add as a comma-delimited list:

gcloud access-context-manager perimeters update PERIMETER_ID \
  --add-restricted-services=SERVICES

Replace the following:
- PERIMETER_ID is the ID of the service perimeter that you want to update.
- SERVICES is a comma-delimited list of one or more services. For example: storage.googleapis.com or storage.googleapis.com,bigquery.googleapis.com.
Add an access level to an existing perimeter
Once you have created an access level, you can apply it to a service perimeter to control access.
After you update a service perimeter, it can take up to 30 minutes for the changes to propagate and take effect. During this time, the perimeter might block requests with the following error message: Error 403: Request is prohibited by organization's policy.
Console
In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.
On the VPC Service Controls page, in the table, click the name of the service perimeter that you want to modify.
On the Service perimeter details page, click Edit.
On the Edit service perimeter page, click Access levels.
Click Add access levels.
In the Add access levels pane, select the checkboxes corresponding to the access levels that you want to apply to the service perimeter.
Click Add selected access levels.
Click Save.
gcloud
To add an access level to an existing service perimeter, use the update command:

gcloud access-context-manager perimeters update PERIMETER_ID \
  --add-access-levels=LEVEL_NAME

Replace the following:
- PERIMETER_ID is the ID of your service perimeter.
- LEVEL_NAME is the name of the access level that you want to add to the perimeter.

For more information about using access levels with a perimeter, see Allow access to protected resources from outside a perimeter.
Delete a service perimeter
When you delete a service perimeter, the security controls associated with the perimeter no longer apply to the associated Google Cloud projects. There is no other impact on the member Google Cloud projects or associated resources.
Console
In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.
On the VPC Service Controls page, in the table row corresponding to the perimeter that you want to delete, click the delete icon.
gcloud
To delete a service perimeter, use the delete command:

gcloud access-context-manager perimeters delete PERIMETER_ID

Replace the following:
- PERIMETER_ID is the ID of your service perimeter.
Limit access to services inside a perimeter with VPC accessible services
This section describes how to enable, add, remove, and disable VPC accessible services.
You can use the VPC accessible services feature to limit the set of services that are accessible from network endpoints inside your service perimeter. You can add VPC accessible services to service perimeters but not to perimeter bridges.
To learn more about the VPC accessible services feature, read about VPC accessible services.
Enable VPC accessible services
To enable VPC accessible services for your service perimeter, use the update command:

gcloud access-context-manager perimeters update PERIMETER_ID \
  --enable-vpc-accessible-services \
  --add-vpc-allowed-services=SERVICES

Replace the following:
- PERIMETER_ID is the ID of your service perimeter.
- SERVICES is a comma-separated list of one or more services that you want to allow networks inside your perimeter to access. Access to any service that is not included in this list is prevented.

To quickly include the services protected by the perimeter, add RESTRICTED-SERVICES to the list for SERVICES. You can include other services in addition to RESTRICTED-SERVICES.
For example, to ensure that the VPC networks in your perimeter have access only to the Logging and Cloud Storage services, use the following command:

gcloud access-context-manager perimeters update example_perimeter \
  --enable-vpc-accessible-services \
  --add-vpc-allowed-services=RESTRICTED-SERVICES,logging.googleapis.com,storage.googleapis.com \
  --policy=11271009391

Add a service to the VPC accessible services
To add additional services to the VPC accessible services for your perimeter, use the update command:

gcloud access-context-manager perimeters update PERIMETER_ID \
  --add-vpc-allowed-services=SERVICES

Replace the following:
- PERIMETER_ID is the ID of your service perimeter.
- SERVICES is a comma-separated list of one or more services that you want to allow networks inside your perimeter to access.

To quickly include the services protected by the perimeter, add RESTRICTED-SERVICES to the list for SERVICES. You can include separate services in addition to RESTRICTED-SERVICES.
For example, if you enable VPC accessible services and require that the VPC networks in your perimeter have access to the Pub/Sub service, use the following command:

gcloud access-context-manager perimeters update example_perimeter \
  --add-vpc-allowed-services=RESTRICTED-SERVICES,pubsub.googleapis.com \
  --policy=11271009391

Remove a service from the VPC accessible services
To remove services from the VPC accessible services for your service perimeter, use the update command:

gcloud access-context-manager perimeters update PERIMETER_ID \
  --remove-vpc-allowed-services=SERVICES

Replace the following:
- PERIMETER_ID is the ID of your service perimeter.
- SERVICES is a comma-separated list of one or more services that you want to remove from the list of services that networks inside your service perimeter are permitted to access.

For example, if you enable VPC accessible services and you no longer want the VPC networks in your perimeter to have access to the Cloud Storage service, use the following command:

gcloud access-context-manager perimeters update example_perimeter \
  --remove-vpc-allowed-services=storage.googleapis.com \
  --policy=11271009391

Disable VPC accessible services
To disable VPC service restrictions for your service perimeter, use the update command:

gcloud access-context-manager perimeters update PERIMETER_ID \
  --no-enable-vpc-accessible-services \
  --clear-vpc-allowed-services

Replace the following:
- PERIMETER_ID is the ID of your service perimeter.

For example, to disable VPC service restrictions for example_perimeter, use the following command:

gcloud access-context-manager perimeters update example_perimeter \
  --no-enable-vpc-accessible-services \
  --clear-vpc-allowed-services \
  --policy=11271009391

VPC accessible services and the Access Context Manager API
You can also use the Access Context Manager API to manage VPC accessible services. When you create or modify a service perimeter, use the ServicePerimeterConfig object in the response body to configure your VPC accessible services.
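The enable, add, remove and disable commands in this section change one allowed-services list whose effective contents depend on how RESTRICTED-SERVICES expands. The following added example (constructed for illustration; it is neither the gcloud tool nor the Access Context Manager API) models the rules this section states so that you can predict the reachable set before running an update, including the case where a service removed explicitly remains reachable because the token still expands to it.

```python
# Token this page uses for "every service the perimeter restricts".
RESTRICTED_TOKEN = "RESTRICTED-SERVICES"


class VpcAccessibleServices:
    """Constructed model of the VPC accessible services rules described above."""

    def __init__(self, restricted_services):
        self.restricted = set(restricted_services)  # the perimeter's restrictedServices
        self.enabled = False                         # --enable-vpc-accessible-services
        self.allowed = set()                         # --add-vpc-allowed-services entries

    def _parse(self, services):  # SERVICES is a comma-separated list
        return {s.strip() for s in services.split(",") if s.strip()}

    def enable(self, services):  # --enable-vpc-accessible-services --add-vpc-allowed-services=
        self.enabled = True
        self.add(services)

    def add(self, services):     # --add-vpc-allowed-services=SERVICES
        self.allowed |= self._parse(services)

    def remove(self, services):  # --remove-vpc-allowed-services=SERVICES
        self.allowed -= self._parse(services)

    def disable(self):           # --no-enable-vpc-accessible-services --clear-vpc-allowed-services
        self.enabled = False
        self.allowed.clear()

    def effective(self):
        """Services reachable from endpoints inside the perimeter, or None when
        the feature is off. RESTRICTED-SERVICES expands to the restricted set."""
        if not self.enabled:
            return None
        eff = set(self.allowed)
        if RESTRICTED_TOKEN in eff:
            eff.discard(RESTRICTED_TOKEN)
            eff |= self.restricted
        return eff

    def reachable(self, service):
        """True unless VPC accessible services blocks the call (other perimeter
        rules still apply). Removing a service explicitly does not block it
        while the token still expands to it: drop the token or un-restrict it."""
        eff = self.effective()
        return eff is None or service in eff
```

Confirm the prediction against the live perimeter with `gcloud access-context-manager perimeters describe PERIMETER_ID` after the update has propagated.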
Last updated 2026-02-19 UTC.