Using VPC Service Controls with App Hub

VPC Service Controls is a Google Cloud feature that lets you set up a service perimeter that creates a data transfer boundary around Google Cloud resources. VPC Service Controls adds a layer of security to your App Hub resources, for example by mitigating the risk of data exfiltration. Using VPC Service Controls, you can add projects to service perimeters that protect applications, services, and workloads from requests that cross the perimeter.

App Hub resources are exposed on the apphub.googleapis.com API, which lets you perform operations such as creating and deleting applications, services, and workloads. You can set up VPC Service Controls with App Hub by restricting connectivity to this API surface.

We recommend that you protect all App Hub resources when creating a service perimeter.

App Hub supports the following resource types:

  • Application
  • Discovered service
  • Discovered workload
  • Service
  • Service project attachment (only for applications managed by a host project)
  • Workload

Applications in an app-enabled folder

When you enable application management on a folder, the following actions occur:

  1. Google creates a Google-managed project in the folder called a management project.
  2. The system enables the required APIs for application management on that project.

After the management project is created, you can also enable recommended APIs that provide more application-centric features.

To include the management project in a service perimeter, create or update your service perimeter so that the management project and the enabled APIs are included in the perimeter.

To learn about which APIs are required and recommended, see Required and recommended APIs.

Applications managed by a host project

You must set up VPC Service Controls on the App Hub host and service projects before you create an application and register services and workloads to the application. For more information, see Create a service perimeter.
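The following shell script is an added example, not part of the App Hub documentation, that shows one way to carry out the two perimeter tasks described above with gcloud: creating a perimeter that covers the management project of an app-enabled folder together with an App Hub host project, and later adding a service project to that same perimeter. The access policy ID, perimeter name, and all project numbers are placeholders, and EXTRA_SERVICES stands in for the required and recommended APIs of the management project, which you take from the Required and recommended APIs page rather than from this script. The only service the script hard-codes is apphub.googleapis.com, because that is the API surface the page says to restrict.

```shell
#!/bin/sh
# Added example (not from the App Hub documentation). Builds and runs the
# gcloud Access Context Manager commands that put App Hub projects behind a
# service perimeter restricting apphub.googleapis.com.
# Placeholders (assumptions, not real values): POLICY_ID, PERIMETER, the
# project numbers, and EXTRA_SERVICES (fill from Required and recommended APIs).

# Set GCLOUD=echo to print the commands instead of executing them.
GCLOUD="${GCLOUD:-gcloud}"

# Join arguments with commas; gcloud list flags take comma-separated values.
join_csv() {
  out=""
  for item in "$@"; do
    out="${out:+$out,}$item"
  done
  printf '%s' "$out"
}

# VPC Service Controls identifies perimeter members by project number,
# not project ID, so refuse anything that is not all digits.
project_resource() {
  case "$1" in
    *[!0-9]*|"") echo "project number expected, got '$1'" >&2; return 1 ;;
  esac
  printf 'projects/%s' "$1"
}

# Create a perimeter that protects every listed project number and
# restricts apphub.googleapis.com plus any extra services given in $3.
create_perimeter() {
  policy="$1"; name="$2"; services="$3"; shift 3
  resources=""
  for n in "$@"; do
    r=$(project_resource "$n") || return 1
    resources="${resources:+$resources,}$r"
  done
  "$GCLOUD" access-context-manager perimeters create "$name" \
    --policy="$policy" \
    --title="$name" \
    --perimeter-type=regular \
    --resources="$resources" \
    --restricted-services="$services"
}

# Add further projects (for example a service project attached later) to an
# existing perimeter without changing its other settings.
add_projects() {
  policy="$1"; name="$2"; shift 2
  resources=""
  for n in "$@"; do
    r=$(project_resource "$n") || return 1
    resources="${resources:+$resources,}$r"
  done
  "$GCLOUD" access-context-manager perimeters update "$name" \
    --policy="$policy" \
    --add-resources="$resources" \
    --add-restricted-services=apphub.googleapis.com
}

# End-to-end run with placeholder values; invoke as `sh script.sh apply`.
main() {
  POLICY_ID="${POLICY_ID:-123456789}"          # placeholder access policy ID
  PERIMETER="${PERIMETER:-apphub-perimeter}"    # placeholder perimeter name
  MGMT_PROJECT_NUMBER="111111111111"            # placeholder management project
  HOST_PROJECT_NUMBER="222222222222"            # placeholder App Hub host project
  SERVICE_PROJECT_NUMBER="333333333333"         # placeholder service project
  EXTRA_SERVICES="${EXTRA_SERVICES:-}"          # comma-separated, from the APIs page
  services=$(join_csv apphub.googleapis.com ${EXTRA_SERVICES:+"$EXTRA_SERVICES"})
  # Management project and host project go in before any application exists.
  create_perimeter "$POLICY_ID" "$PERIMETER" "$services" \
    "$MGMT_PROJECT_NUMBER" "$HOST_PROJECT_NUMBER"
  # Service projects are added before they are attached to the application.
  add_projects "$POLICY_ID" "$PERIMETER" "$SERVICE_PROJECT_NUMBER"
}

case "${1:-}" in
  apply) main ;;
esac
```

Run it once with `GCLOUD=echo sh script.sh apply` to review the exact commands before letting it touch the access policy. The project-number check exists because a perimeter silently accepts only `projects/NUMBER` resources; passing a project ID is the most common reason a project ends up outside the boundary you thought you built.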

What's next