Networking, Identity & Private Connectivity

VPC Service Controls Blocks Request-Response Logging on Vertex AI

Two controls your security team wants — a data-exfiltration perimeter and a full prompt/completion log — are mutually exclusive on Vertex AI today. Better to discover that in planning than in production.

Claude 3P 101 · Updated July 2026 · Unofficial guide

VPC Service Controls (VPC-SC) is Google Cloud's data-exfiltration defense: you draw a service perimeter around projects and services, and data covered by those services cannot leave the perimeter. For Vertex AI, Google documents that a perimeter keeps online-inference requests and batch-inference results from leaving, and lists "Online inference", "Batch inference", and "Generative AI" as perimeter-supported services. When the perimeter includes Vertex AI, all public internet access to the instance is automatically blocked unless callers are allowlisted through access levels or ingress rules. For an enterprise running Claude on Vertex AI with sensitive data, it's a natural control to reach for.

But Google's VPC-SC documentation for Vertex AI carries a limitation that surprises many teams: request-response logging isn't available with VPC Service Controls.

Why this particular gap stings

Request-response logging is Vertex AI's mechanism for capturing prompts and model completions — the content-level record of what your applications sent to Claude and what came back. It matters more than it might sound: Anthropic recommends enabling 30-day rolling prompt/completion logging on this platform to track any model misuse, and notes that turning it on gives neither Google nor Anthropic access to your content. Many AI governance programs have adopted exactly that kind of content log as standard evidence.

So the collision is direct. The organizations most likely to want a VPC-SC perimeter — those handling sensitive data — are often the same organizations whose AI policy calls for content logging. Enable the perimeter, and the documented content-logging mechanism goes away.

What still works inside a perimeter

The gap is specific to content capture, not to auditability in general. Within the documented feature set you still have:

Honest framing for your reviewers: inside a VPC-SC perimeter, platform-side prompt/completion logging is unavailable per Google's documentation. Audit evidence comes from Data Access audit logs (call metadata) plus any content logging you implement in your own application layer.

Plan the trade-off before you lock down

The expensive failure mode is sequencing: a team ships Claude on Vertex AI with request-response logging enabled, governance signs off on that basis, and months later a security initiative wraps the environment in a perimeter — silently ending the log that governance depends on. To avoid it:

Where to go next

For the wider Vertex AI lockdown toolkit, pair the perimeter with the regional-endpoint org policy, and see prompt-log content privacy for how content logs should themselves be protected.

Sources