VPC Service Controls (VPC-SC) is Google Cloud's data-exfiltration defense: you draw a service perimeter around a set of projects and services, and API traffic across that boundary is denied unless a rule explicitly allows it. Google's Vertex AI documentation is direct about the goal — VPC-SC "can help you mitigate the risk of data exfiltration." For Claude workloads this matters because the payloads are exactly the data your security team worries about: prompts full of customer records, uploaded documents, and model outputs derived from both.
What a perimeter protects for Claude
When a perimeter protects Vertex AI, the artifacts kept from leaving include "requests for online inferences" and "results from a batch inference request" — that is, both your live Claude calls and the inputs/outputs of Google's Vertex batch prediction for Claude. The perimeter-supported service list covers online inference, batch inference, and generative AI on the platform. A stolen credential used from an attacker's laptop, or a misconfigured script in an out-of-perimeter project, gets a policy denial instead of your data.
The enforcement is blunt by design: once Vertex AI is among a perimeter's protected services, "all public internet access to your instance is automatically blocked" unless callers are explicitly allowlisted through access levels (attribute-based conditions such as corporate network ranges or device posture) and ingress rules (which principals and sources may enter the perimeter for which services).
Designing the perimeter
- Scope by project. Put the projects that run Claude workloads — and the projects holding the data those workloads read — inside one perimeter. A perimeter that includes the model but not the data source (or vice versa) just moves the breakage around.
- Route Google API traffic privately. Google's stated best practice is to use the restricted VIP with Private Service Connect for Google APIs, or Private Google Access, so workloads reach
aiplatform.googleapis.comover a private network path rather than the public internet. Details in Private Service Connect setup. - Write ingress rules for legitimate outsiders. CI systems, on-premises jobs, and partner integrations that must call Claude need explicit ingress allowances — enumerate them now rather than discovering them as outages.
Test in dry-run mode before enforcing
VPC-SC supports a dry-run configuration mode: the perimeter evaluates traffic and records what would be denied, without blocking anything. Use it. Run the candidate perimeter in dry-run for long enough to cover your real traffic patterns — including batch jobs, deploy pipelines, and month-end processes — then review the would-be denials. Every entry is either an exfiltration path you're glad to close or a legitimate flow that needs an ingress rule or access level before you enforce. Denials during and after rollout are visible in Policy Denied audit logs, which pairs naturally with the logging setup from the audit logs deep dive.
Enforcing without breaking developers (the ADC problem)
The most common post-enforcement casualty is the developer laptop. Application Default Credentials themselves keep working — VPC-SC doesn't change how the SDK authenticates — but a developer running AnthropicVertex from a coffee-shop network is now a caller outside the perimeter, and the request is denied regardless of their IAM roles. Decide deliberately how humans reach Claude after enforcement:
- an access level admitting your corporate network or VPN, so on-network laptops still work;
- or a policy that humans develop against an out-of-perimeter sandbox project while only production perimeters stay sealed;
- or in-perimeter development environments (cloud workstations, jump hosts) for teams handling the most sensitive data.
Where to go next
Pair the perimeter with org policy constraints for defense in depth, review private connectivity in VPC and private networking, and revisit endpoint strategy in the endpoint decision guide. Compliance posture is inherited from your cloud provider — confirm specifics with Google for your industry.