To use Storage Transfer Service with VPC Service Controls, the following items need
to be located within the same service perimeter:
The project used to create on-premises transfer jobs
The destination Cloud Storage bucket.
Supported configurations
Use either of the following methods to configure transfer agents to
work with VPC Service Controls:
If transfer agents must remain outside of the service perimeter that
contains your Cloud Storage bucket and Storage Transfer Service project,
add the agents to an access level.
This method is easier to set up, and allows transfer agents to access
Google Cloud resources inside and outside the service perimeter.
If transfer agents can be added to the service perimeter that contains
your Cloud Storage bucket and Storage Transfer Service project,
configure Private Google Access with VPC Service Controls
for the on-premises network used by transfer agents.
This method requires more steps to complete, and transfer agents are
able to access only the Google Cloud resources within the service
perimeter.
Adding agents to an access level
To add transfer agents to an access level:
Determine how you will add agents to an
access level: by IP address
or by service accounts.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[],[],null,["# Configure VPC Service Controls for file system transfers\n\nStorage Transfer Service supports on-premises transfers to Cloud Storage\nbuckets protected by VPC Service Controls, under the following conditions:\n\n- Creating a transfer with\n [Storage Transfer Service API](/storage-transfer/docs/reference/rest) protects all\n transferred data.\n\n- Creating a transfer with Google Cloud console protects only file contents. File\n metadata, such as file names and file sizes, are not protected.\n\nThis guide describes the setup required to use Storage Transfer Service to transfer to\nCloud Storage buckets within security perimeters.\n\nTo learn more about VPC Service Controls, see\n[Overview of VPC Service Controls](/vpc-service-controls/docs/overview).\n\nFor information about using VPC Service Controls with Storage Transfer Service, see\n[Using Storage Transfer Service with VPC Service Controls](/storage-transfer/docs/transfer-with-vpc-sc).\n\nPrerequisites\n-------------\n\nTo use Storage Transfer Service with VPC Service Controls, the following items need\nto be located within the same service perimeter:\n\n- The project used to create on-premises transfer jobs\n- The destination Cloud Storage bucket.\n\nSupported configurations\n------------------------\n\nUse either of the following methods to configure transfer agents to\nwork with VPC Service Controls:\n\n- If transfer agents must remain outside of the service perimeter that\n contains your Cloud Storage bucket and Storage Transfer Service project,\n [add the agents to an access level](#adding-agents-to-access-level).\n\n This method is easier to set up, and allows transfer agents to access\n Google Cloud resources inside and outside the service perimeter.\n | **Important:** This option does not prevent transfers to buckets outside of the service perimeter. If you are concerned about transfers from on-premises to Cloud Storage buckets outside of the service perimeter, you need to [configure Private Google Access with VPC Service Controls](#private-access-with-vpc-sc) to prevent agents from accessing buckets outside of the service perimeter.\n- If transfer agents can be added to the service perimeter that contains\n your Cloud Storage bucket and Storage Transfer Service project,\n [configure Private Google Access with VPC Service Controls](#private-access-with-vpc-sc)\n for the on-premises network used by transfer agents.\n\n This method requires more steps to complete, and transfer agents are\n able to access only the Google Cloud resources within the service\n perimeter.\n\n### Adding agents to an access level\n\nTo add transfer agents to an access level:\n\n1. Determine how you will add agents to an\n [access level](/vpc-service-controls/docs/use-access-levels): by IP address\n or by service accounts.\n\n2. Add the agents to an access level:\n\n - To add agents' IP addresses to an access level, follow the instructions\n in\n [Limit access on a corporate network](/access-context-manager/docs/create-basic-access-level#corporate-network-example).\n\n - To add agents' service account to an access level, follow the\n instructions in\n [Limit access by user or service account](/access-context-manager/docs/create-basic-access-level#members-example).\n\n### Using Private Google Access with VPC Service Controls\n\nTo use Private Google Access with VPC Service Controls:\n\n1. [Create a service perimeter](/vpc-service-controls/docs/create-service-perimeters#creating_a_service_perimeter)\n to restrict the following services:\n\n - Cloud Storage\n - Storage Transfer Service\n2. [Configure Private Google Access for on-premises hosts](/vpc/docs/configure-private-google-access-hybrid).\n\n3. [Create transfer jobs](/storage-transfer/docs/managing-on-prem-jobs#create-transfer) in a project\n that is within the service perimeter.\n\n### Troubleshooting\n\nTo troubleshoot errors, see\n[Troubleshooting VPC Service Controls errors](/storage-transfer/docs/troubleshooting-on-prem#vpcsc)."]]
