# VPC Service Controls

Last updated 2025-09-04 UTC.

[VPC Service Controls](https://cloud.google.com/vpc-service-controls/) lets organizations define a perimeter around
Google Cloud resources to mitigate data exfiltration risks. With
VPC Service Controls, you create perimeters that protect the resources and data
of services that you explicitly specify.

Bundled Firestore services
--------------------------

The following APIs are bundled together in VPC Service Controls:

- `firestore.googleapis.com`
- `datastore.googleapis.com`
- `firestorekeyvisualizer.googleapis.com`

When you restrict the `firestore.googleapis.com` service in a perimeter,
the perimeter also restricts the `datastore.googleapis.com` and
`firestorekeyvisualizer.googleapis.com` services.

### Restrict the datastore.googleapis.com service

The `datastore.googleapis.com` service is bundled under the
`firestore.googleapis.com` service. To restrict the `datastore.googleapis.com`
service, you must restrict the `firestore.googleapis.com` service as follows:

- When creating a service perimeter using the Google Cloud console, add
  Firestore as the restricted service.
- When creating a service perimeter using the Google Cloud CLI, use
  `firestore.googleapis.com` instead of `datastore.googleapis.com`:

      --perimeter-restricted-services=firestore.googleapis.com

### App Engine legacy bundled services for Datastore

[App Engine legacy bundled services for Datastore](https://cloud.google.com/appengine/docs/standard/python/bundled-services-overview)
don't support service perimeters. Protecting the Datastore
service with a service perimeter blocks traffic from
App Engine legacy bundled services. Legacy bundled services include:

- [Java 8 Datastore with App Engine APIs](https://cloud.google.com/appengine/docs/standard/java/datastore)
- [Python 2 NDB client library for Datastore](https://cloud.google.com/appengine/docs/standard/python/ndb/creating-entities)
- [Go 1.11 Datastore with App Engine APIs](https://cloud.google.com/appengine/docs/standard/go111/datastore)

Restricted VIP
--------------

To use Firestore with MongoDB compatibility with restricted VIP, you must configure connectivity to
the VIP domain used by Firestore with MongoDB compatibility. This domain and its IP addresses are
used only by the Firestore with MongoDB compatibility service and are VPC Service Controls
compliant.

For instructions, see
[Configure Private Google Access in Firestore with MongoDB compatibility](/firestore/mongodb-compatibility/docs/configure-private-google-access).

Egress protection on import and export operations
-------------------------------------------------

Firestore with MongoDB compatibility supports VPC Service Controls but requires additional
configuration to get full egress protection on import and export operations.
You must use the Firestore service agent to authorize import and
export operations instead of the default App Engine service
account. Use the following instructions to view and configure the authorization
account for import and export operations.
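The bundling rule from the "Restrict the datastore.googleapis.com service" section and the legacy bundled services caveat, applied as an added checker (not Google's code and not from this page) over the JSON that `gcloud access-context-manager perimeters describe --format=json` returns. It reads only `status.restrictedServices`; the `uses_legacy_bundled_services` flag is an assumed input that describe output cannot supply, and the sample perimeter and its ids are constructed.

```python
# Added checker for the Firestore bundling rule; not Google's code.
import json

# Bundling rule from the page: restricting firestore.googleapis.com also
# restricts these two; listing them alone is the mistake the page warns about.
FIRESTORE = "firestore.googleapis.com"
BUNDLED_UNDER_FIRESTORE = {
    "datastore.googleapis.com",
    "firestorekeyvisualizer.googleapis.com",
}

def effective_restricted_services(restricted):
    """Expand a restrictedServices list with the services bundled under Firestore."""
    effective = set(restricted)
    if FIRESTORE in effective:
        effective |= BUNDLED_UNDER_FIRESTORE
    return effective

def check_perimeter(perimeter, uses_legacy_bundled_services=False):
    """Return findings for a dict shaped like `perimeters describe` output.
    Only status.restrictedServices is read; uses_legacy_bundled_services is an
    assumed input, since describe output cannot reveal legacy App Engine callers."""
    restricted = set(perimeter.get("status", {}).get("restrictedServices", []))
    findings = []
    bundled_only = BUNDLED_UNDER_FIRESTORE & restricted
    if bundled_only and FIRESTORE not in restricted:
        findings.append(
            f"{sorted(bundled_only)} listed without {FIRESTORE}; restrict "
            f"{FIRESTORE} instead, since Datastore is bundled under it")
    if FIRESTORE in restricted and uses_legacy_bundled_services:
        findings.append(
            "Datastore is perimeter-protected, but App Engine legacy bundled "
            "services do not support perimeters: their traffic will be blocked")
    return findings

def check_describe_json(text, uses_legacy_bundled_services=False):
    """Wrapper for raw `describe --format=json` text."""
    return check_perimeter(json.loads(text), uses_legacy_bundled_services)

# Constructed sample with placeholder ids: datastore listed without firestore.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "name": "accessPolicies/POLICY_ID/servicePerimeters/PERIMETER_NAME",
    "status": {"restrictedServices": ["datastore.googleapis.com"]},
})

if __name__ == "__main__":
    for finding in check_describe_json(SAMPLE_DESCRIBE_OUTPUT, True):
        print("WARNING:", finding)
```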