
GCP - VPC Peering vs. VPC Service Perimeters

VPC Peering and VPC Service Perimeters (VPC-SC) are two distinct concepts. They are a common point of confusion for cloud architects because both deal with "boundaries," but they operate at completely different layers of the stack.

In Google Cloud, "VPC" is the foundation of your network. But when it comes to connecting services or securing data, you’ll encounter two terms that sound similar but solve opposite problems: VPC Peering and VPC Service Perimeters (VPC-SC).

If you are building an enterprise-grade environment, you likely need both. Here is the breakdown of how they differ.

1. VPC Peering: The Networking "Bridge"

VPC Peering is a networking tool. It connects two different Virtual Private Clouds (VPCs) so that resources (such as VMs) can talk to each other over internal IP addresses.

  • Layer: It works at the Network Layer (Layer 3/4).
  • The Problem it Solves: "I have a database in VPC-A and a web server in VPC-B. I want them to talk over a private connection without going over the public internet."
  • Key Characteristic: It is all about connectivity. Once peered, the two networks behave as if they are one (though they remain administratively separate).
  • Analogy: A private tunnel built between two office buildings. People can walk between them without stepping outside.

2. VPC Service Perimeters: The Data "Wall"

VPC Service Perimeters (part of VPC Service Controls) are a security tool. They create a logical boundary around your Google Cloud resources to prevent data exfiltration.

  • Layer: It works at the API Layer (Layer 7).
  • The Problem it Solves: "I want to make sure my employees can’t copy data from my BigQuery table or Cloud Storage bucket to their own personal Gmail-linked project, even if they have the right IAM permissions."
  • Key Characteristic: It is all about access control and exfiltration prevention. It doesn't care about IP routing; it cares about which service is talking to which bucket.
  • Analogy: A high-security fence around a compound with a guard at the gate. Even if you have a key to the building (IAM), the guard won't let you leave the compound with a briefcase full of documents.

3. The Core Differences at a Glance

Feature          | VPC Peering                         | VPC Service Perimeter (VPC-SC)
-----------------|-------------------------------------|-------------------------------------
Primary Goal     | Connectivity (enable communication) | Security (prevent data leaks)
What it connects | Two VPC networks                    | GCP projects and managed services
Operates on...   | IP addresses / packets              | API calls (BigQuery, Storage, etc.)
Prevents...      | Lack of connectivity                | Data exfiltration / insider threats
Managed via...   | VPC network settings                | Access Context Manager
Impact on IAM    | None (IAM still required)           | It sits above IAM (IAM is not enough)

4. Do they work together?

Yes—and they usually should.

Imagine you have a Tenant Project running an AI model (like Vertex AI) that needs to access a dataset in your Data Project.

  1. You use VPC Peering (or Private Service Connect) to allow the AI model to "reach" the network where the data lives.
  2. You use a VPC Service Perimeter to ensure that once the AI model has the data, it cannot send that data to a random storage bucket outside your company’s control.

5. When to use which?

  • Use VPC Peering if: You have a multi-tier app spread across projects and need VMs in Project A to reach a SQL instance in Project B via private IP.
  • Use VPC Service Perimeters if: You are in a regulated industry (Finance, Healthcare) and need to ensure that data in your "Sensitive Data" project stays within that project’s boundaries, regardless of who has IAM "Owner" access.

Pro Tip: The "IAM is Not Enough" Rule

The most important thing to remember is that IAM permissions (who you are) are checked before VPC Service Perimeters (where you are).

Even if a user is a "Project Owner" with full rights to a BigQuery table, VPC-SC will block the request if it comes from a laptop that does not meet the Perimeter's access-level requirements (e.g., a source IP outside the allowed range or an unmanaged device).
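The two-step scenario from section 4 (peer the Tenant and Data project networks, then wall both projects into a perimeter) together with the IP-range/device check from the Pro Tip, written as Terraform. This is an added example, not configuration from the original article or from Google; the organization id, project ids and numbers, and the corporate IP range are placeholders, and the resource and attribute names are those of the google Terraform provider.

```hcl
# Added example (not from the original article). All ids below are placeholders.
variable "org_id"                { default = "123456789012" }
variable "data_project_id"       { default = "data-project-placeholder" }
variable "data_project_number"   { default = "111111111111" }
variable "tenant_project_id"     { default = "tenant-project-placeholder" }
variable "tenant_project_number" { default = "222222222222" }

# ---- 1. Networking layer: VPC Peering (Layer 3/4) ------------------------
resource "google_compute_network" "data_vpc" {
  project                 = var.data_project_id
  name                    = "data-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_network" "tenant_vpc" {
  project                 = var.tenant_project_id
  name                    = "tenant-vpc"
  auto_create_subnetworks = false
}

# Peering must be declared from both sides; it only becomes ACTIVE once both
# resources exist, and the subnet ranges of the two VPCs must not overlap.
resource "google_compute_network_peering" "tenant_to_data" {
  name         = "tenant-to-data"
  network      = google_compute_network.tenant_vpc.self_link
  peer_network = google_compute_network.data_vpc.self_link
}

resource "google_compute_network_peering" "data_to_tenant" {
  name         = "data-to-tenant"
  network      = google_compute_network.data_vpc.self_link
  peer_network = google_compute_network.tenant_vpc.self_link
}

# ---- 2. API layer: VPC Service Controls (Layer 7) ------------------------
resource "google_access_context_manager_access_policy" "org_policy" {
  parent = "organizations/${var.org_id}"
  title  = "org-access-policy"
}

# The "where you are" check from the Pro Tip: a caller outside the perimeter
# is admitted only from the corporate egress range AND a corp-owned device.
# Both attributes live in one condition, so both must hold.
resource "google_access_context_manager_access_level" "corp_access" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}/accessLevels/corp_access"
  title  = "corp_access"

  basic {
    conditions {
      ip_subnetworks = ["203.0.113.0/24"]   # placeholder corporate egress range
      device_policy {
        require_corp_owned = true
      }
    }
  }
}

resource "google_access_context_manager_service_perimeter" "sensitive_data" {
  parent         = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}"
  name           = "accessPolicies/${google_access_context_manager_access_policy.org_policy.name}/servicePerimeters/sensitive_data"
  title          = "sensitive_data"
  perimeter_type = "PERIMETER_TYPE_REGULAR"

  status {
    # Perimeters take project NUMBERS, not ids. Both projects sit inside the
    # wall, so the AI model in the tenant project can read the dataset, while
    # a project outside the perimeter cannot, whatever IAM role it holds.
    resources = [
      "projects/${var.data_project_number}",
      "projects/${var.tenant_project_number}",
    ]

    # Only services listed here are protected by the perimeter.
    restricted_services = [
      "bigquery.googleapis.com",
      "storage.googleapis.com",
      "aiplatform.googleapis.com",
    ]

    # Requests from outside the perimeter pass only if they satisfy the
    # access level; IAM is still evaluated separately.
    access_levels = [google_access_context_manager_access_level.corp_access.name]

    # From inside the perimeter, VMs may only call restricted services, so a
    # compromised workload cannot push data to an unrestricted API.
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["RESTRICTED-SERVICES"]
    }
  }
}
```

Applying this needs organization-level permissions for Access Context Manager. Before enforcing, it is worth running the perimeter in dry-run mode first (the provider's `spec` block with `use_explicit_dry_run_spec = true`) so that audit logs show which existing cross-project calls would be denied once the wall goes up.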

Peering builds the road; the Perimeter sets the border control.