Are like firewalls - Firewall rules allow/block based on IP addresses - VPC service controls allow/block based on a project perimeter

For e.g. to Ensure that cloud storage buckets can be accessed from an on premises CIDR Block only - and no other networks.

Also read More on VPC Service Controls

Adds a Networking Context to the Storage Buckets (to ALL storage buckets - cause it works at the project level)

Ordinarily, IAM controls the perimeter of access of a storage bucket. However, VPC service controls do not rely on IAM. They are like FW Rules - in that they work at the network level.

If not IAM, then how do users get access to a controlled resource inside a perimeter

Context Aware Rules (Ingress Rules) need to be defined in this case. This allows you to grant access to specific IP addresses

Types of Perimeters for VPC Service Controls

A VPC Service Perimeter's access can be one of 4 types

  1. Perimeter Bridge - Service to Service Perimeter Access
  2. External Ingress Access
  3. Egress to External Targets
  4. Access Levels

Access Levels define a way to protect data per data classification. E.g. - a HIGH access level can be created and tied to data in a specific storage bucket or compute instance (persistent disk).

Summary

This is short overview of what GCP's VPC Service Controls are about. An easy way to think about them is as firewall rules - that protect resources within a project.