VPC Service Controls is a Google Cloud feature that lets you set up a service perimeter and create a data transfer boundary. You can use VPC Service Controls with Eventarc to help protect your services.
We recommend that you protect all services when creating a service perimeter.
Eventarc Advanced
- An Eventarc Advanced bus outside of a service perimeter can't receive events from Google Cloud projects inside the perimeter. An Eventarc Advanced bus inside of a perimeter can't route events to a consumer outside of the perimeter.
  - To publish to an Eventarc Advanced bus, the source of an event must be inside the same service perimeter as the bus.
  - To consume a message, an event consumer must be inside the same service perimeter as the bus.
 
- You can verify VPC Service Controls support for the Enrollment, GoogleApiSource, MessageBus, and Pipeline resources by viewing platform logs on ingress.
Eventarc Standard
- In projects protected by a service perimeter, Eventarc Standard is bound by the same limitations as Pub/Sub:
  - When routing events to Cloud Run destinations, you can only create new Pub/Sub push subscriptions when the push endpoints are set to Cloud Run services with default run.app URLs. Custom domains don't work.
  - When routing events to Workflows destinations for which the Pub/Sub push endpoint is set to a Workflows execution, you can only create new Pub/Sub push subscriptions through Eventarc. Note that the service account used for push authentication for the Workflows endpoint must be included in the service perimeter.
 
- VPC Service Controls blocks the creation of Eventarc triggers for internal HTTP endpoints. VPC Service Controls protection does not apply when routing events to such destinations. 
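
The following pre-deployment check is an added example, not Google Cloud code or an Eventarc API. It models the Eventarc Advanced and Eventarc Standard constraints listed above over a constructed inventory. The project IDs, perimeter names, service account, and dictionary layout are all assumptions made for illustration.

```python
from urllib.parse import urlparse

# Constructed sample data: project -> perimeter (None = not in any perimeter).
PERIMETERS = {"proj-bus": "perim-a", "proj-src": "perim-a",
              "proj-out": None, "proj-other": "perim-b"}
# Constructed: service accounts included in each perimeter.
PERIMETER_SAS = {"perim-a": {"push-sa@proj-bus.iam.gserviceaccount.com"}}


def check_advanced(bus_project, sources, consumers, perimeters=PERIMETERS):
    """Return violations of the same-perimeter rule for an Advanced bus."""
    bus_perim = perimeters.get(bus_project)
    findings = []
    for role, projects in (("source", sources), ("consumer", consumers)):
        for proj in projects:
            # Sources and consumers must share the bus's perimeter.
            if perimeters.get(proj) != bus_perim:
                findings.append(f"{role} {proj} is not in the bus perimeter ({bus_perim})")
    return findings


def check_standard(trigger, perimeters=PERIMETERS, perimeter_sas=PERIMETER_SAS):
    """Return violations for an Eventarc Standard trigger in a protected project."""
    perim = perimeters.get(trigger["project"])
    if perim is None:
        return []  # project is not in a perimeter; these limits do not apply
    findings = []
    kind = trigger["destination"]
    if kind == "cloud_run":
        # Only default run.app URLs work as push endpoints; custom domains don't.
        host = urlparse(trigger["url"]).hostname or ""
        if not host.endswith(".run.app"):
            findings.append(f"push endpoint {host} is not a default run.app URL")
    elif kind == "workflows":
        # The push-authentication service account must be in the perimeter.
        if trigger["push_service_account"] not in perimeter_sas.get(perim, set()):
            findings.append("push authentication service account is not in the perimeter")
    elif kind == "internal_http":
        findings.append("trigger creation for internal HTTP endpoints is blocked")
    return findings
```
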
What's next
- To learn more about VPC Service Controls, see the overview and supported products and limitations. 
- For best practices for enabling VPC Service Controls, see Best practices for enabling VPC Service Controls. 
- For best practices for designing service perimeters, see Design and architect service perimeters. 
- To set up a service perimeter, see Create a service perimeter.