VPC Service Controls improves your ability to mitigate the risk of unauthorized copying or transfer of data from Google Cloud-managed services.
With VPC Service Controls, you can configure security perimeters around the resources of your Google Cloud-managed services and control the movement of data across the perimeter boundary.
Using Artifact Registry with VPC Service Controls
If you are using Artifact Registry and Google Kubernetes Engine private clusters in a project within a service perimeter, you can access container images inside the service perimeter as well as Google Cloud-provided images.
Cached Docker Hub images stored on mirror.gcr.io are not included in the
service perimeter unless an egress rule is added to allow egress to the
Artifact Registry Docker cache that hosts mirror.gcr.io.
To use mirror.gcr.io within a service perimeter, add the following egress
rule:
- egressTo:
    operations:
    - serviceName: artifactregistry.googleapis.com
      methodSelectors:
      - method: artifactregistry.googleapis.com/DockerRead
    resources:
    - projects/342927644502
  egressFrom:
    identityType: ANY_IDENTITY
To learn about ingress and egress rules, see Ingress and egress rules.
You can access Artifact Registry using the IP addresses for the default Google APIs and services domains, or using these special IP addresses:
- 199.36.153.4/30 (restricted.googleapis.com)
- 199.36.153.8/30 (private.googleapis.com)
For details about these options, see
Configuring Private Google Access. For an example
configuration that uses 199.36.153.4/30 (restricted.googleapis.com),
see the documentation for registry access with a virtual IP.
For general instructions to add Artifact Registry to a service perimeter, see Creating a service perimeter.
Access images in gcr.io repositories
To access images in Artifact Registry gcr.io repositories, when setting
ingress or egress policies, use the identity type ANY_IDENTITY. You can't
use the identity types ANY_SERVICE_ACCOUNT or ANY_USER_ACCOUNT for images
in the gcr.io domain.
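The following linter is an added example, not code from the Google Cloud documentation. It checks a perimeter's egress rules against the two constraints stated above (a DockerRead egress rule to projects/342927644502 from ANY_IDENTITY is required for mirror.gcr.io, and rules meant for gcr.io repositories must not use ANY_SERVICE_ACCOUNT or ANY_USER_ACCOUNT) and classifies a resolved Google API address as the restricted VIP, the private VIP, or a public address. The policies are given as already-parsed Python dicts in the same shape as the YAML rule on this page, and the sample policies and addresses are constructed for the example; in practice you would load the YAML file you pass to gcloud. Treating a literal `*` method selector as covering DockerRead is an assumption of this example.

```python
"""Lint VPC Service Controls egress rules for Artifact Registry use (added example)."""
import ipaddress

AR_SERVICE = "artifactregistry.googleapis.com"
DOCKER_READ = "artifactregistry.googleapis.com/DockerRead"
# Project that hosts the Artifact Registry Docker cache behind mirror.gcr.io (from the page).
MIRROR_CACHE_PROJECT = "projects/342927644502"
# Identity types the page says cannot be used for images in the gcr.io domain.
DISALLOWED_FOR_GCR = {"ANY_SERVICE_ACCOUNT", "ANY_USER_ACCOUNT"}

RESTRICTED_VIP = ipaddress.ip_network("199.36.153.4/30")  # restricted.googleapis.com
PRIVATE_VIP = ipaddress.ip_network("199.36.153.8/30")     # private.googleapis.com


def _docker_read_rules(egress_policies):
    """Yield (index, rule, resources) for rules granting DockerRead on Artifact Registry."""
    for idx, rule in enumerate(egress_policies):
        to = rule.get("egressTo", {})
        for op in to.get("operations", []):
            if op.get("serviceName") != AR_SERVICE:
                continue
            methods = {m.get("method") for m in op.get("methodSelectors", [])}
            # Assumption: a "*" selector is a wildcard that also covers DockerRead.
            if DOCKER_READ in methods or "*" in methods:
                yield idx, rule, to.get("resources", [])
                break


def allows_mirror_gcr(egress_policies):
    """True if a DockerRead rule reaches the mirror.gcr.io cache project from ANY_IDENTITY."""
    for _, rule, resources in _docker_read_rules(egress_policies):
        identity = rule.get("egressFrom", {}).get("identityType")
        if identity == "ANY_IDENTITY" and MIRROR_CACHE_PROJECT in resources:
            return True
    return False


def gcr_identity_problems(egress_policies):
    """Indexes of DockerRead rules whose identity type will not work for gcr.io repositories."""
    return [
        idx for idx, rule, _ in _docker_read_rules(egress_policies)
        if rule.get("egressFrom", {}).get("identityType") in DISALLOWED_FOR_GCR
    ]


def lint(egress_policies):
    """Return a list of human-readable findings; an empty list means the policy passes."""
    findings = []
    if not allows_mirror_gcr(egress_policies):
        findings.append(
            "no egress rule grants DockerRead to %s from ANY_IDENTITY; "
            "pulls from mirror.gcr.io will be blocked" % MIRROR_CACHE_PROJECT)
    for idx in gcr_identity_problems(egress_policies):
        findings.append(
            "rule %d uses an identity type that cannot be used for gcr.io images; "
            "use ANY_IDENTITY" % idx)
    return findings


def classify_endpoint(ip):
    """Classify a resolved googleapis address: 'restricted', 'private' or 'public'."""
    addr = ipaddress.ip_address(ip)
    if addr in RESTRICTED_VIP:
        return "restricted"
    if addr in PRIVATE_VIP:
        return "private"
    return "public"


def _docker_read_egress(identity_type):
    """Build one egress rule in the shape of the page's YAML (constructed sample)."""
    return {
        "egressTo": {
            "operations": [{"serviceName": AR_SERVICE,
                            "methodSelectors": [{"method": DOCKER_READ}]}],
            "resources": [MIRROR_CACHE_PROJECT],
        },
        "egressFrom": {"identityType": identity_type},
    }


# Constructed sample policies: one matching the page's rule, one using a disallowed identity type.
SAMPLE_POLICY_OK = [_docker_read_egress("ANY_IDENTITY")]
SAMPLE_POLICY_BAD = [_docker_read_egress("ANY_SERVICE_ACCOUNT")]

if __name__ == "__main__":
    for name, policy in (("ok", SAMPLE_POLICY_OK), ("bad", SAMPLE_POLICY_BAD)):
        print(name, lint(policy) or "passes")
    for ip in ("199.36.153.5", "199.36.153.9", "142.250.0.1"):
        print(ip, classify_endpoint(ip))
```

Run it against a parsed copy of your own egress policy file before applying it with gcloud; a finding from `lint` means a pull from mirror.gcr.io or from a gcr.io repository inside the perimeter will fail, and `classify_endpoint` applied to what your private zone resolves `*.googleapis.com` to tells you whether traffic is actually leaving through the restricted VIP.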
Using Artifact Analysis with VPC Service Controls
To learn how to add Artifact Analysis to your perimeter, see Securing Artifact Analysis in a service perimeter.