Can VPC Service Controls block internet access for Artifact Registry remote repositories?

I’m trying to use Artifact Registry remote repositories (for both Docker and PyPI formats) to pull public images and libraries from the internet. My goal is to make these assets available to VM instances that only have private IP addresses.

My project is secured by a VPC Service Controls perimeter, and my instances cannot access the internet directly.

My question is: Could my VPC Service Controls configuration potentially block the Artifact Registry remote repository from fetching assets from public sources on the internet (like Docker Hub or PyPI)?

In other words, is the outbound traffic from the remote repository to the internet subject to denial by the VPC-SC perimeter?

Hi @shogo_s,

Yes, by default, your VPC Service Controls perimeter will block your Artifact Registry remote repository from fetching assets from public sources like Docker Hub or PyPI.

If requests are denied or blocked, review your egress policy and ensure it explicitly allows Artifact Registry to access external sources.

Here are some resources that may help with your configuration:

• Medium Blog by Melvin_tech: What is VPC-SC and Why you should care

• Engineering Blog: VPC-SC Artifact Registry

• Securing with VPC-SC