Stay organized with collectionsSave and categorize content based on your preferences.
VPC Service Controlslets organizations define a perimeter aroundGoogle Cloudresources to mitigate data exfiltration risks. With
VPC Service Controls, you create perimeters that protect the resources and data
of services that you explicitly specify.
BundledCloud Firestoreservices
The following APIs are bundled together in VPC Service Controls:
firestore.googleapis.com
datastore.googleapis.com
firestorekeyvisualizer.googleapis.com
When you restrict thefirestore.googleapis.comservice in a perimeter,
the perimeter also restricts thedatastore.googleapis.comandfirestorekeyvisualizer.googleapis.comservices.
Restrict the datastore.googleapis.com service
Thedatastore.googleapis.comservice is bundled under thefirestore.googleapis.comservice. To restrict thedatastore.googleapis.comservice, you must restrict thefirestore.googleapis.comservice
as follows:
When creating a service perimeter using the Google Cloud console, addCloud Firestoreas the restricted service.
When creating a service perimeter using theGoogle Cloud CLI, usefirestore.googleapis.cominstead ofdatastore.googleapis.com.
App Enginelegacy bundled services forDatastoredon't support service perimeters. Protecting theDatastoreservice with a service perimeter blocks traffic fromApp Enginelegacy bundled services. Legacy bundled services include:
Cloud Firestore with MongoDB compatibility supports VPC Service Controls but requires additional
configuration to get full egress protection on import and export operations.
You must use theCloud Firestoreservice agent to authorize import and
export operations instead of the defaultApp Engineservice
account. Use the following instructions to view and configure the authorization
account for import and export operations.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["\u003cbr /\u003e\n\n[VPC Service Controls](https://cloud.google.com/vpc-service-controls/) lets organizations define a perimeter around\nGoogle Cloud resources to mitigate data exfiltration risks. With\nVPC Service Controls, you create perimeters that protect the resources and data\nof services that you explicitly specify.\n\nBundled Cloud Firestore services\n\nThe following APIs are bundled together in VPC Service Controls:\n\n- `firestore.googleapis.com`\n- `datastore.googleapis.com`\n- `firestorekeyvisualizer.googleapis.com`\n\nWhen you restrict the `firestore.googleapis.com` service in a perimeter,\nthe perimeter also restricts the `datastore.googleapis.com` and\n`firestorekeyvisualizer.googleapis.com` services.\n\nRestrict the datastore.googleapis.com service\n\nThe `datastore.googleapis.com` service is bundled under the\n`firestore.googleapis.com` service. To restrict the\n`datastore.googleapis.com`\nservice, you must restrict the `firestore.googleapis.com` service\nas follows:\n\n- When creating a service perimeter using the Google Cloud console, add Cloud Firestore as the restricted service.\n- When creating a service perimeter using the Google Cloud CLI, use\n `firestore.googleapis.com` instead of `datastore.googleapis.com`.\n\n --perimeter-restricted-services=firestore.googleapis.com\n\nApp Engine legacy bundled services for Datastore\n\n[App Engine legacy bundled services for Datastore](https://cloud.google.com/appengine/docs/standard/python/bundled-services-overview)\ndon't support service perimeters. Protecting the Datastore\nservice with a service perimeter blocks traffic from\nApp Engine legacy bundled services. Legacy bundled services include:\n\n- [Java 8 Datastore with App Engine APIs](https://cloud.google.com/appengine/docs/standard/java/datastore)\n- [Python 2 NDB client library for Datastore](https://cloud.google.com/appengine/docs/standard/python/ndb/creating-entities)\n- [Go 1.11 Datastore with App Engine APIs](https://cloud.google.com/appengine/docs/standard/go111/datastore)\n\nEgress protection on import and export operations\n\nCloud Firestore with MongoDB compatibility supports VPC Service Controls but requires additional\nconfiguration to get full egress protection on import and export operations.\nYou must use the Cloud Firestore service agent to authorize import and\nexport operations instead of the default App Engine service\naccount. Use the following instructions to view and configure the authorization\naccount for import and export operations."]]
