Stay organized with collections Save and categorize content based on your preferences.
This page describes how you can use the VPC Service Controls troubleshooter to understand and diagnose issues that VPC Service Controls logs.
VPC Service Controls logs include details about requests to protected resources and the reason why VPC Service Controls denied the request. However, these details aren't always easily apparent and you might spend considerable time understanding the logs. You can use the VPC Service Controls troubleshooter to diagnose denials from a service perimeter. For information on violation reasons, see Debugging requests blocked by VPC Service Controls.
You can also use the troubleshooter to diagnose denials from a service perimeter that uses a dry-run configuration.
Before you beginTo troubleshoot a VPC Service Controls violation, make sure that you have the VPC Service Controls Troubleshooter Viewer IAM role (roles/accesscontextmanager.vpcScTroubleshooterViewer) at the organization level. This role doesn't let you modify perimeters or access levels.
The troubleshooter is available only in the Google Cloud console. You can access the troubleshooter using either the Logs Explorer or the VPC Service Controls page.
Using the Logs ExplorerBy using the Logs Explorer, you can move directly from a log entry for a VPC Service Controls denial to the troubleshooter.
To access the troubleshooter from a log entry, do the following:
Go to the Logs Explorer page in the Google Cloud console.
In the Logs Explorer, use the denial's unique ID to access the log entry.
In the Query Results box, in the row for the denial that you want to troubleshoot, click VPC Service Controls, and then click Troubleshoot denial.
From the VPC Service Controls page, you can troubleshoot a denial using its unique ID.
Before you begin, obtain the unique ID for the denial that you want to troubleshoot.
To access the troubleshooter from the VPC Service Controls page, do the following:
In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.
If you are prompted, select your organization. You can access the VPC Service Controls page only at the organization level.
On the VPC Service Controls page, click Troubleshoot.
On the VPC Service Controls Troubleshooter page, in the Unique identifier box, enter the unique ID for the denial that you want to troubleshoot.
Click Troubleshoot.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-02 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-07-02 UTC."],[],[]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4