Configure Private Google Access in Firestore with MongoDB compatibility

This page describes how to enable and configure Private Google Access in Firestore with MongoDB compatibility.

About Private Google Access in Firestore with MongoDB compatibility

By default, when a Compute Engine VM lacks an external IP address assigned to its network interface, it can only send packets to other internal IP address destinations. You can allow these VMs to connect to the set of external IP addresses used by the Firestore with MongoDB compatibility service by enabling Private Google Access on the subnet used by the VM's network interface.

Applicable services and protocols

Instructions in this guide apply only to Firestore with MongoDB compatibility.
The default and VIP domains used by the Firestore with MongoDB compatibility and their IP ranges support only the TpcProxy MongoDB protocol. All other protocols aren't supported.

Network requirements

A VM interface can send packets to the external IP addresses of Google APIs and services using Private Google Access if all these conditions are met:

The VM interface is connected to a subnet where Private Google Access is enabled.
The VM interface doesn't have an external IP address assigned.
The source IP address of packets sent from the VM matches one of the following IP addresses.
- The VM interface's primary internal IPv4 address
- An internal IPv4 address from an alias IP range

A VM with an external IPv4 address assigned to its network interface doesn't need Private Google Access to connect to Google APIs and services. However, the VPC network must meet the requirements for accessing Google APIs and services.

IAM permissions

Project owners, editors, and IAM principals with the Network Admin role can create or update subnets and assign IP addresses.

For more information on roles, read the IAM roles documentation.

Logging

Cloud Logging captures all API requests made from VM instances in subnets that have Private Google Access enabled. Log entries identify the source of the API request as an internal IP address of the calling instance.

You can configure daily usage and monthly rollup reports to be delivered to a Cloud Storage bucket. See the Viewing Usage Reports page for details.

Configuration summary

The following table summarizes the different ways that you can configure Private Google Access in Firestore with MongoDB compatibility. For more detailed instructions information, see Network configuration.

Domain option IP ranges DNS configuration Routing configuration Firewall configuration

Domain option	IP ranges	DNS configuration	Routing configuration	Firewall configuration
Default domain (`firestore.goog`) The default domains are used when you don't configure DNS records for `restricted.firestore.goog`.	`136.124.0.0/23`	You access the Firestore with MongoDB compatibility service through its public IP addresses, so no special DNS configuration is required.	Check that your VPC network can route traffic to the IP address ranges that are used by the Firestore with MongoDB compatibility service. Basic configuration: Confirm that you have default routes with next hop `default-internet-gateway` and a destination range of `0.0.0.0/0`. Create those routes if they are missing. Custom configuration: Create routes to the `136.124.0.0/23` IP address range.	Check that your firewall rules allow egress to the `136.124.0.0/23` IP address range. The default allow egress firewall rule allows this traffic, if there is no higher priority rule that blocks it.
`restricted.firestore.goog` Use `restricted.firestore.goog` to access the Firestore with MongoDB compatibility service by using a set of IP addresses only routable from within Google Cloud. Can be used in VPC Service Controls scenarios.	`199.36.153.2/31`	Configure DNS records to send requests to the `199.36.153.2/31` IP address range.	Check that your VPC network has routes to the `199.36.153.2/31` IP address range.	Check that your firewall rules allow egress to the `199.36.153.2/31` IP address range.

Default domain (firestore.goog)

The default domains are used when you don't configure DNS records for restricted.firestore.goog.

136.124.0.0/23

You access the Firestore with MongoDB compatibility service through its public IP addresses, so no special DNS configuration is required.

Check that your VPC network can route traffic to the IP address ranges that are used by the Firestore with MongoDB compatibility service.

Basic configuration: Confirm that you have default routes with next hop default-internet-gateway and a destination range of 0.0.0.0/0. Create those routes if they are missing.
Custom configuration: Create routes to the 136.124.0.0/23 IP address range.

Check that your firewall rules allow egress to the 136.124.0.0/23 IP address range.

The default allow egress firewall rule allows this traffic, if there is no higher priority rule that blocks it.

restricted.firestore.goog

Use restricted.firestore.goog to access the Firestore with MongoDB compatibility service by using a set of IP addresses only routable from within Google Cloud. Can be used in VPC Service Controls scenarios.

199.36.153.2/31

Configure DNS records to send requests to the 199.36.153.2/31 IP address range.

Check that your VPC network has routes to the 199.36.153.2/31 IP address range.

Check that your firewall rules allow egress to the 199.36.153.2/31 IP address range.

Network configuration

This section describes how to configure your network to access the Firestore with MongoDB compatibility using Private Google Access.

DNS configuration

Unlike other Google APIs, the Firestore with MongoDB compatibility API uses different domain names and IP addresses for Private Google Access:

restricted.firestore.goog enables API access to the Firestore with MongoDB compatibility API.
- IP addresses: 199.36.153.2 and 199.36.153.3.
- Because Firestore with MongoDB compatibility is compliant with VPC Service Controls, you can use this domain in VPC Service Controls scenarios.

To create a DNS zone and records for Firestore with MongoDB compatibility:

Create a private DNS zone for firestore.goog.

Consider creating a Cloud DNS private zone for this purpose.
In the firestore.goog zone, create the following records:
1. An A record for restricted.firestore.goog that points to the following IP addresses: 199.36.153.2 and 199.36.153.3.
2. A CNAME record for *.firestore.goog that points to restricted.firestore.goog.
To create these records in Cloud DNS, see add a record.

Routing configuration

Your VPC network must have appropriate routes whose next hops are the default internet gateway. Google Cloud doesn't support routing traffic to Google APIs and services through other VM instances or custom next hops. Despite being called default internet gateway, packets sent from VMs in your VPC network to Google APIs and services remain within Google's network.

If you select the default domain option, your VM instances connect to the Firestore with MongoDB compatibility service using the following public IP address range: 136.124.0.0/23 . These IP addresses are publicly routable, but the path from a VM in a VPC network to those addresses remains within Google's network.
Google doesn't publish routes on the internet to any of the IP addresses used by the restricted.firestore.goog domain. Consequently, this domain can only be accessed by VMs in a VPC network or on-premises systems connected to a VPC network.

If your VPC network contains a default route whose next hop is the default internet gateway, you can use that route to access the Firestore with MongoDB compatibility service, without needing to create custom routes. See routing with a default route for details.

If you have replaced a default route (destination 0.0.0.0/0 or ::0/0) with a custom route whose next hop is not the default internet gateway, you can meet the routing requirements for the Firestore with MongoDB compatibility service using custom routing instead.

Routing with a default route

Each VPC network contains an IPv4 default route (0.0.0.0/0) when it is created.

The default route provides a path to the IP addresses for the following destinations:

Default domain (firestore.goog): 136.124.0.0/23
restricted.firestore.goog: 199.36.153.2/31

For Google Cloud console and Google Cloud CLI instructions on how to check the configuration of a default route in a given network, see Configure Private Google Access.

Routing with custom routes

As an alternative to a default route, you can use custom static routes, each having a more specific destination, and each using the default internet gateway next hop. The destination IP addresses for the routes depend on the domain that you choose:

Default domain (firestore.goog): 136.124.0.0/23
restricted.firestore.goog: 199.36.153.2/31

For Google Cloud console and Google Cloud CLI instructions on how to check the configuration of custom routes in a given network, see Configure Private Google Access.

Firewall configuration

The firewall configuration of your VPC network must allow access from VMs to the IP addresses used by the Firestore with MongoDB compatibility service. The implied allow egress rule satisfies this requirement.

In some firewall configurations, you need to create specific egress allow rules. For example, suppose you've created an egress deny rule that blocks traffic to all destinations (0.0.0.0 for IPv4). In that case, you must create one egress allow firewall rule whose priority is higher than the egress deny rule for each IP address range used by the the domain that you choose:

Default domain (firestore.goog: 136.124.0.0/23
restricted.firestore.goog: 199.36.153.2/31

To create firewall rules, see Creating firewall rules. You can limit the VMs to which the firewall rules apply when you define the target of each egress allow rule.

Private Google Access configuration

You can enable Private Google Access after you've met the network requirements in your VPC network. For Google Cloud console and Google Cloud CLI instructions, follow the steps outlined in Enable Private Google Access.