VPC Service Controls can help you mitigate the risk of data exfiltration from Dialogflow. Use VPC Service Controls to create a service perimeter that protects the resources and data that you specify. For example, when you use VPC Service Controls to protect Dialogflow, the following artifacts cannot leave your service perimeter:
- Agent data
- Detect intent requests and responses
The following limitations apply:
- If your agent does not integrate with Service Directory private network access, webhook calls are considered outside the service perimeter and are blocked when enabling VPC Service Controls. Limited endpoints are supported by Service Directory, refer to Service Directory for details.
- Using Cloud Functions for Dialogflow webhooks is currently not supported when in VPC Service Controls perimeter or in Service Directory.
Service perimeter creation
When you create a service perimeter,
include Dialogflow (
dialogflow.googleapis.com) as a protected service.
You aren't required to include any additional services
for Dialogflow to function.
However, Dialogflow won't be able to reach resources outside the perimeter,
such as files in a Cloud Storage bucket that is outside the perimeter.
For more information about creating a service perimeter, see Creating a service perimeter in the VPC Service Controls documentation.