Google's agent platform has no enforcement layer beneath it. Until now.
The Gemini Enterprise Agent Platform runs agents in a Google-managed tenant project you cannot see into. Tool calls, remote MCP connections, and any calls to non-Google model endpoints are indistinguishable from legitimate work, with no inline enforcement point your security stack can observe. This VCA closes that gap: default-deny containment, a named shadow-model deny that fires before any permit rule, and east-west isolation. No HTTPS_PROXY. No agent changes. No redeploy.
The egress attack VPC Service Controls can't stop.
VPC Service Controls stops Google-to-Google exfiltration. It is blind to an agent calling api.openai.com, an attacker C2, or a compromised MCP server. An agent reaching any of those destinations looks identical to legitimate work on the wire — there is no default enforcement point. When prevention fails, containment decides the outcome.
Prompt injection
Malicious content in a retrieved document or tool response redirects the agent toward an attacker-controlled endpoint. No Google-native control intercepts this at the tool-call layer.
Shadow model call
Agent code or a compromised dependency calls api.openai.com or another unsanctioned provider. VPC Service Controls is blind to non-Google hosts. The socket opens.
Supply-chain compromise
A poisoned dependency on raw.githubusercontent.com serves malicious content alongside clean paths. SNI-only allow-listing cannot distinguish the two — same TLS endpoint, different paths.
Exfiltration attempt — blocked
Agent initiates HTTPS to attacker infrastructure. The agent has permission for the action, not for the destination. DCF default-deny fires before the socket opens. Logged with the shape suffix in FlowIQ.
Full attribution logged
Pod identity, destination, timestamp, and human-readable rule name are visible in CoPilot FlowIQ immediately. Shape A rule names carry the suffix -a, Shape B rule names -b.
Two shapes. One policy model. Nothing for developers to change.
Enforcement runs at the network infrastructure layer, transparently beneath the agent runtime. No SDK change, no redeploy, no agent modification. The result is a governed boundary around the entire Gemini agent platform — egress control, shadow-model deny, and east-west isolation in a single policy model.
Shape A — Managed Runtime
Transparent L3 insertion via Private Service Connect interface
Agent Engine runs agents in a Google-managed tenant project. The insertion pattern forces all non-Google egress through a PSC-I network attachment into a customer VPC. Inside that VPC, the Aviatrix gateway inserts at Layer 3: the network-attachment subnet routes to the gateway, which performs NAT and acts as a transparent forward proxy. No HTTPS_PROXY, no SDK change, no redeploy. The agent makes the same calls it always made. The gateway is transparently in path and satisfies Google's RFC 1918 egress next-hop requirement under VPC Service Controls — at the route layer, not in the application.
Shape B — GKE Custom ADK Runtime
Kubernetes SmartGroups with selective TLS decryption
For GKE-hosted Agent Development Kit runtimes, enforcement uses Aviatrix Kubernetes SmartGroups keyed to k8s_namespace=agents and spoke in-path enforcement on pod egress. Shape B adds selective transparent TLS decryption scoped tightly to a destination FQDN SmartGroup — enabling URL-path filtering that Shape A cannot do (requires Controller 9.0+). The one optional container change: add the Aviatrix CA to the agent image trust store. Both shapes run under the same DCF policy model and CoPilot FlowIQ format.
Enforcement architecture
Every agent starts denied. Only approved destinations are reachable.
The DCF WebGroup allow-list defines sanctioned tool FQDNs, MCP server endpoints, and RAG destinations. Anything not on the list is blocked and logged. The shadow-model deny rule — placed first, ahead of all permit rules — logs every attempt to reach api.openai.com, *.anthropic.com, api.mistral.ai, *.perplexity.ai, and any other unsanctioned provider your governance names. VPC Service Controls is blind to these destinations. The DCF rule is not.
A compromised agent cannot reach adjacent workloads.
SmartGroup deny rules between the agent spoke and every other spoke in the fabric contain lateral movement. A prompt injection that compromises an agent cannot pivot to internal APIs, databases, or adjacent VPCs — the blast radius stops at the agent spoke. Standalone single-spoke deployments are supported as an on-ramp. The east-west deny activates when the deployment extends to transit topology.
Adding a tool endpoint is a pull request, not a change ticket.
The full DCF policy — WebGroup allow-lists, SmartGroup definitions, and the policy pack — is Terraform-native and lives in the same repository as the agent configuration. When an agent adds a new tool or MCP destination, the network policy updates in the same commit. The scenario set in the GitHub repo exercises the architecture against cases mapped to the OWASP LLM Top Ten and MITRE ATLAS in a live GCP deployment: prompt injection, DNS-tunneled exfiltration, supply-chain compromise, and shadow-model calls, each demonstrated side-by-side.
DCF Ruleset — Rules in Priority Order.
First match wins. The shadow-model deny is placed first, ahead of all permit rules. Rule names carry a shape suffix: -a for the managed runtime, -b for GKE. Every rule logs to CoPilot DCF Monitor.
Rules (in priority order)
| Pri | Rule | Source | Destination | Action | Notes |
|---|---|---|---|---|---|
| 1 | vca-vertex-shadow-model-deny-a/b | sg-agent-psc-subnet / sg-agent-gke | wg-shadow-models | ✗ Deny + Log | Placed first. Blocks and logs every attempt to reach api.openai.com, *.anthropic.com, api.mistral.ai, *.perplexity.ai, and any other unsanctioned provider. VPC-SC is blind to these; this rule is not. Visible in FlowIQ by rule name. |
| 2 | vca-vertex-allow-vertex-a/b | sg-agent-psc-subnet / sg-agent-gke | sg-vertex-psc | ✓ Permit | DECRYPT_NOT_ALLOWED. First-party Gemini model traffic via the PSC endpoint, never decrypted. Kept as an explicit permit even though PSC endpoint traffic normally never reaches the gateway. |
| 3 | vca-vertex-url-filter-b | sg-agent-gke | wg-supply-chain-ioc (URL path) | ✗ Deny + Log | GKE shape only. Requires Controller 9.0+. Selective TLS decryption scoped to wg-supply-chain-ioc only: the compromised path is blocked, the clean path on the same host returns HTTP 200. Sits above the tool permit because first match wins; an SNI-level permit for the same host would otherwise end evaluation before the path is inspected. |
| 4 | vca-vertex-allow-tools-a/b | sg-agent-psc-subnet / sg-agent-gke | wg-sanctioned-tools | ✓ Permit | Approved tool FQDNs, MCP server endpoints, RAG destinations. Operator-maintained WebGroup, updated via PR. Optional DECRYPT_ALLOWED. |
| 5 | vca-vertex-deny-dns-a/b | sg-agent-psc-subnet / sg-agent-gke | Any external resolver, UDP/53 | ✗ Deny + Log | Blocks DNS-tunneled exfiltration to external resolvers. |
| 6 | vca-vertex-deny-eastwest-a/b | sg-agent-psc-subnet / sg-agent-gke | All other spokes | ✗ Deny + Log | East-west isolation. Blast radius stops at the agent VPC. Transit-attached deployments only. |
| 7 | vca-vertex-default-deny-a/b | sg-agent-psc-subnet / sg-agent-gke | Any unlisted FQDN / IP | ✗ Deny + Log | Default-deny catch-all. Must be last. Every deny is logged to CoPilot FlowIQ with rule name and destination. |
SmartGroup and WebGroup objects
| Object | Type / Scope / Purpose |
|---|---|
| sg-agent-psc-subnet | CIDR SmartGroup over the PSC-I network-attachment subnet. Minimum /28; size for two IPs per Agent Engine max_instances. Source identity for Shape A. |
| sg-agent-gke | Kubernetes SmartGroup matching k8s_namespace=agents. Source identity for Shape B (GKE). |
| sg-vertex-psc | CIDR SmartGroup over the Vertex AI Private Service Connect endpoint. The only sanctioned first-party model destination. |
| wg-sanctioned-tools | WebGroup of approved tool FQDNs, MCP server endpoints, and RAG destinations. Operator-maintained; updated via pull request against the Terraform repo. |
| wg-shadow-models | WebGroup covering api.openai.com, *.anthropic.com, api.mistral.ai, *.perplexity.ai, and any other unsanctioned model providers named by governance. Referenced by the shadow-model deny rule at priority 1. |
| wg-supply-chain-ioc | Destination FQDN group that scopes selective TLS decryption and carries the URL-path patterns for the url-filter rule. GKE shape only. Narrow-scoped to destinations where URL-path filtering is needed (e.g. raw.githubusercontent.com). All other rules: decrypt_policy=DECRYPT_NOT_ALLOWED. |
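The ruleset and object tables above describe a first-match-wins policy. The following is an added example, not Aviatrix code and not from this VCA's repository: a small simulator that evaluates constructed flows against the rules in order, for both shapes, so the two properties that matter most can be checked rather than read. First, the shadow-model deny wins regardless of what a later permit would allow. Second, a URL-path deny only has effect when the shape can see the path (Shape B, decrypted FQDN) and when it is evaluated before the SNI-level tool permit for the same host; under first match wins, a permit for raw.githubusercontent.com by SNI would otherwise end evaluation before the path is inspected, which is why the simulator evaluates the path deny ahead of the tool permit. The tool and IOC group memberships, the hostnames and paths, the glob-based matching, and the `spoke:<name>` and resolver-IP conventions are all constructed for the example; only the rule names and the four shadow-model patterns come from the page.

```python
"""Added example (not Aviatrix code): first-match-wins simulator for the DCF
ruleset on this page, run over constructed flows for both shapes.
Assumptions (constructed, not from the page): tool/IOC group memberships,
hostnames, paths, glob matching, and the 'spoke:<name>' / resolver-IP conventions.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address
from typing import Callable, List, Optional, Tuple

# Group memberships. wg-shadow-models is quoted from the page; the rest are constructed.
WG_SHADOW_MODELS = ("api.openai.com", "*.anthropic.com", "api.mistral.ai", "*.perplexity.ai")
WG_SANCTIONED_TOOLS = ("mcp.tools.internal.example", "raw.githubusercontent.com")
WG_SUPPLY_CHAIN_IOC = {"raw.githubusercontent.com": ("/poisoned-org/*",)}  # decrypted FQDN -> IOC paths
VERTEX_PSC = "vertex-psc"  # sentinel standing in for the sg-vertex-psc CIDR


@dataclass
class Flow:
    shape: str                      # "a" = managed runtime (SNI only), "b" = GKE (selective decrypt)
    dst: str                        # SNI/FQDN, VERTEX_PSC, a resolver IP, or "spoke:<name>"
    proto: str = "tcp"
    port: int = 443
    path: Optional[str] = None      # HTTP path; the gateway only sees it after decryption
    transit_attached: bool = False  # the east-west deny applies to transit topologies only


def in_group(value: str, patterns) -> bool:
    return any(fnmatchcase(value, p) for p in patterns)


def visible_path(f: Flow) -> Optional[str]:
    """Shape A has no CA injection path, so the gateway never sees a URL path.
    Shape B decrypts only destinations listed in wg-supply-chain-ioc."""
    if f.shape == "b" and f.dst in WG_SUPPLY_CHAIN_IOC:
        return f.path
    return None


def ioc_path_match(f: Flow) -> bool:
    p = visible_path(f)
    return p is not None and in_group(p, WG_SUPPLY_CHAIN_IOC[f.dst])


def is_external_resolver(dst: str) -> bool:
    """UDP/53 to a non-RFC1918 address; DNS to the VPC's own resolver never reaches the gateway."""
    try:
        return not ip_address(dst).is_private
    except ValueError:
        return False


Rule = Tuple[str, Callable[[Flow], bool], str]


def build_rules(shape: str) -> List[Rule]:
    """Ruleset in evaluation order. First match wins, so order is part of the policy."""
    s = shape
    rules: List[Rule] = [
        (f"vca-vertex-shadow-model-deny-{s}", lambda f: in_group(f.dst, WG_SHADOW_MODELS), "DENY"),
        (f"vca-vertex-allow-vertex-{s}", lambda f: f.dst == VERTEX_PSC, "PERMIT"),
    ]
    if s == "b":
        # The URL-path deny sits above the SNI-level tool permit for the same host:
        # below it, the permit would match on SNI and the path would never be inspected.
        rules.append(("vca-vertex-url-filter-b", ioc_path_match, "DENY"))
    rules += [
        (f"vca-vertex-allow-tools-{s}",
         lambda f: f.proto == "tcp" and f.port == 443 and in_group(f.dst, WG_SANCTIONED_TOOLS), "PERMIT"),
        (f"vca-vertex-deny-dns-{s}",
         lambda f: f.proto == "udp" and f.port == 53 and is_external_resolver(f.dst), "DENY"),
        (f"vca-vertex-deny-eastwest-{s}",
         lambda f: f.transit_attached and f.dst.startswith("spoke:"), "DENY"),
        (f"vca-vertex-default-deny-{s}", lambda f: True, "DENY"),
    ]
    return rules


def evaluate(f: Flow) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule: what FlowIQ would log for the flow."""
    for name, pred, action in build_rules(f.shape):
        if pred(f):
            return name, action
    raise AssertionError("unreachable: the default deny is a catch-all")


def demo() -> dict:
    """Constructed flows covering each rule and the Shape A / Shape B difference."""
    flows = {
        "shadow_model_a": Flow("a", "api.openai.com"),
        "shadow_model_subdomain_b": Flow("b", "eu.anthropic.com"),
        "gemini_via_psc_a": Flow("a", VERTEX_PSC),
        "sanctioned_mcp_b": Flow("b", "mcp.tools.internal.example"),
        "poisoned_path_b": Flow("b", "raw.githubusercontent.com", path="/poisoned-org/tool/setup.sh"),
        "clean_path_b": Flow("b", "raw.githubusercontent.com", path="/clean-org/tool/setup.sh"),
        "poisoned_path_a": Flow("a", "raw.githubusercontent.com", path="/poisoned-org/tool/setup.sh"),
        "dns_exfil_a": Flow("a", "8.8.8.8", proto="udp", port=53),
        "eastwest_transit_b": Flow("b", "spoke:payments-db", transit_attached=True),
        "eastwest_standalone_b": Flow("b", "spoke:payments-db"),
        "c2_a": Flow("a", "c2.attacker.example"),
    }
    return {name: evaluate(f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (rule, action) in demo().items():
        print(f"{name:26} {action:6} {rule}")
```

Two results are the ones to look at. `poisoned_path_a` is permitted by the tool rule: the managed runtime cannot be decrypted, so the same request that Shape B blocks by path is indistinguishable from the clean path on Shape A, which is exactly the limitation the page states for SNI-only enforcement. `eastwest_standalone_b` is still denied, but by the catch-all rather than the east-west rule, because a standalone spoke has no transit path to other spokes; the named east-west rule only becomes the logged reason once the deployment is transit-attached.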
What this architecture governs — and what it does not.
This VCA governs what every Gemini Enterprise Agent Platform agent can communicate with and enforces that definition in-path at every connection. The following are explicitly out of scope — not because they are unimportant, but because they operate at a different layer.
Inference traffic to Gemini via PSC endpoint
First-party Gemini calls route via the Vertex AI PSC endpoint (RFC 1918) and never traverse the Spoke Gateway. This is correct by design — private endpoint traffic is not the exfiltration surface. Do not route PSC endpoint traffic through the gateway.
Internal GCP resource traffic (Cloud Storage, BigQuery, Spanner)
Private endpoint traffic stays inside the VPC and never traverses the Spoke Gateway. The exfiltration surface is external tool-call egress and non-Google model calls — that is what DCF controls.
Prompt content, tool arguments, model responses
Model Armor and Agent Gateway govern content at the request boundary. Aviatrix governs network reachability. Both are required. Semantic AI guardrail support is on the AgentGuard roadmap for late summer 2026 — when it ships, it adds to the same enforcement plane this VCA already establishes.
Managed runtime TLS decryption
Google manages the Agent Engine container image. There is no verified CA injection path today. Shape A runs SNI and domain policy only — which still gives you default-deny egress, the shadow-model deny, and full connection logging. Tracked for v2 via Agent Engine's build-time installation scripts. Not claiming until end-to-end validated.
Agent-to-agent (A2A) multi-agent fan-out
Not yet documented whether inter-agent hops between two Agent Engine agents traverse PSC-I or Google's backbone. Deferred to v2. Agent Gateway is Google's governance point for A2A today. Do not claim containment of inter-agent traffic until v2 ships.
VPC Service Controls, Model Armor, Secure Web Proxy
VPC-SC stops Google-to-Google exfiltration. Model Armor inspects prompts at the request boundary. Secure Web Proxy does FQDN allow-listing but is GCP-only and per-region with its own policy language. This VCA complements all three and covers the surface none of them own: non-Google egress, east-west movement, and cross-cloud policy consistency.
Everything your team needs.
Security, architecture, and deployment artifacts for every stakeholder. All assets ship alongside the Terraform blueprint.
Reference Architecture
Prerequisites, SmartGroup and WebGroup design, full DCF ruleset in priority order, PSC-I insertion mechanics, TLS decryption scope, GCP-specific preflight checklist, and known constraints. For platform engineers.
Download PDF →
Threat Model & Enforcement
Vertex AI Agent Engine threat model, full kill chain with point of intervention, both deployment shapes, why VPC Service Controls is insufficient for non-Google egress, architectural boundaries, and compliance evidence for HIPAA, PCI-DSS, SOC 2, EU AI Act, and DORA. For security architects.
Download PDF →
Field & Buyer Overview
Threat narrative, three things your current stack can't do — block a shadow-model call at the network, enforce egress policy across every cloud, and contain lateral movement — compliance proof points, and discovery questions.
Download PDF →
Full Terraform Blueprint
Infrastructure as code: Aviatrix transit, workload spoke, gateway L3 insertion and NAT, Network Attachment, Vertex AI and googleapis.com PSC endpoints, Cloud DNS private zone and peering, SmartGroups, WebGroups, and policies. Includes a sample ADK agent and scenario probes. Policy-as-code in the same repo as the agent config.
Available soon
Attack simulation
60-second lab recording. The DCF default-deny rule fires on a prompt-injection exfiltration attempt. A second scenario shows the shadow-model deny blocking a call to an unsanctioned provider — logged by name in CoPilot FlowIQ before the socket opens.
Available soon
Trusted by enterprise security teams
SOC 2 Type II
Independently audited
ISO 27001
Certified
500+ enterprises
Including 10% of the Fortune 500
Zero data-plane access
Aviatrix never touches your traffic
Documented before you find them in production.
Lab-validated limitations and workarounds. Published upfront so your POC matches the docs — and platform engineers can plan before any GCP infrastructure is provisioned.
Controller 8.1+ required for SNI/domain baseline; 9.0+ for TLS decryption and URL-path filtering
Controller 8.1+ deploys the SNI and domain baseline — FQDN SmartGroups, Kubernetes SmartGroups. Controller 9.0+ is required for selective TLS decryption, URL-path filtering, SNI verification, and egress Suricata IDS/IPS. A customer on 8.1 can deploy Shape A and a domain-only Shape B now and add URL-path enforcement on upgrade.
Managed runtime TLS decryption not available in v1
Google manages the Agent Engine container image. There is no verified path today to install the Aviatrix CA into its trust store. Shape A runs SNI and domain policy only — default-deny egress, shadow-model deny, and full connection logging are all still active. Shape B (GKE) is where URL-path enforcement and payload IDS live. Tracked for v2 via Agent Engine's build-time installation scripts. Not claiming until end-to-end validated.
A2A multi-agent fan-out not covered in v1
Not yet documented whether inter-agent hops between two Agent Engine agents traverse PSC-I or stay on Google's backbone. Deferred to v2 pending documentation. Agent Gateway is Google's governance point for A2A today. Do not claim containment of inter-agent traffic until v2 ships.
GKE CRD-based DCF policy not yet end-to-end tested
Shape B leads with SmartGroup-based policy. CRD-based DCF policy on GKE is deferred. Use SmartGroup-based policy for all GKE shape deployments.
Agent Engine deployment without PSC-I has no in-path enforcement point
Agents deployed without a PSC-I network attachment have no customer-controlled enforcement point available. Configure Agent Engine with a PSC-I attachment before applying this VCA. Agents without PSC-I can use AgentGuard Shadow AI Discovery for inventory but cannot receive DCF enforcement.
Certificate pinning on decrypted destinations
TLS decryption is scoped tightly to wg-supply-chain-ioc by design. All other rules explicitly set decrypt_policy=DECRYPT_NOT_ALLOWED. First-party Google traffic — Gemini calls, Google APIs — is never decrypted. Do not widen the decryption scope without re-validating certificate pinning on the new destinations.
The Terraform is built.
The ruleset is on GitHub.
One terraform apply. Default-deny from minute one. The shadow-model deny fires at priority 1 — before any permit rule evaluates. Pick the path that matches your current Aviatrix footprint.
New to Aviatrix
Start with Enterprise — VCAs included free
Subscribe on AWS or Azure Marketplace, deploy Enterprise in under 15 minutes, then deploy this VCA on top. 30-day free trial — VCAs included at no extra cost.
Subscribe through AWS or Azure Marketplace · 30-day free trial · No contract
Already on Enterprise
Available soon on GitHub
Full Terraform, sample ADK agent, and OWASP/MITRE scenario probes. Managed runtime shape in ~25 minutes; full GKE shape in under 45. Destroy is one command, zero orphans.
Controller 8.1+ (SNI/domain baseline) · 9.0+ (TLS decryption + IDS/IPS) · 1 managed network per deployment · VCAs included · No agent changes required