Stay organized with collections
Save and categorize content based on your preferences.
VPC Service Controls
VPC Service Controls lets organizations define a perimeter around
Google Cloud resources to mitigate data exfiltration risks. With
VPC Service Controls, you create perimeters that protect the resources and data
of services that you explicitly specify.
Bundled Firestore services
The following APIs are bundled together in VPC Service Controls:
firestore.googleapis.com
datastore.googleapis.com
firestorekeyvisualizer.googleapis.com
When you restrict the firestore.googleapis.com service in a perimeter,
the perimeter also restricts the datastore.googleapis.com and
firestorekeyvisualizer.googleapis.com services.
Restrict the datastore.googleapis.com service
The datastore.googleapis.com service is bundled under the
firestore.googleapis.com service. To restrict the
datastore.googleapis.com
service, you must restrict the firestore.googleapis.com service
as follows:
When creating a service perimeter using the Google Cloud console, add
Firestore as the restricted service.
When creating a service perimeter using the Google Cloud CLI, use
firestore.googleapis.com instead of datastore.googleapis.com.
App Engine legacy bundled services for Datastore
don't support service perimeters. Protecting the Datastore
service with a service perimeter blocks traffic from
App Engine legacy bundled services. Legacy bundled services include:
To use Firestore with MongoDB compatibility with restricted VIP, you must configure connectivity to
the VIP domain used by Firestore with MongoDB compatibility. This domain and its IP addresses are
used only by the Firestore with MongoDB compatibility service and are VPC Service Controls
compliant.
Firestore with MongoDB compatibility supports VPC Service Controls but requires additional
configuration to get full egress protection on import and export operations.
You must use the Firestore service agent to authorize import and
export operations instead of the default App Engine service
account. Use the following instructions to view and configure the authorization
account for import and export operations.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[],[],null,["VPC Service Controls\n\n[VPC Service Controls](https://cloud.google.com/vpc-service-controls/) lets organizations define a perimeter around\nGoogle Cloud resources to mitigate data exfiltration risks. With\nVPC Service Controls, you create perimeters that protect the resources and data\nof services that you explicitly specify.\n\nBundled Firestore services\n\nThe following APIs are bundled together in VPC Service Controls:\n\n- `firestore.googleapis.com`\n- `datastore.googleapis.com`\n- `firestorekeyvisualizer.googleapis.com`\n\nWhen you restrict the `firestore.googleapis.com` service in a perimeter,\nthe perimeter also restricts the `datastore.googleapis.com` and\n`firestorekeyvisualizer.googleapis.com` services.\n\nRestrict the datastore.googleapis.com service\n\nThe `datastore.googleapis.com` service is bundled under the\n`firestore.googleapis.com` service. To restrict the\n`datastore.googleapis.com`\nservice, you must restrict the `firestore.googleapis.com` service\nas follows:\n\n- When creating a service perimeter using the Google Cloud console, add Firestore as the restricted service.\n- When creating a service perimeter using the Google Cloud CLI, use\n `firestore.googleapis.com` instead of `datastore.googleapis.com`.\n\n --perimeter-restricted-services=firestore.googleapis.com\n\nApp Engine legacy bundled services for Datastore\n\n[App Engine legacy bundled services for Datastore](https://cloud.google.com/appengine/docs/standard/python/bundled-services-overview)\ndon't support service perimeters. Protecting the Datastore\nservice with a service perimeter blocks traffic from\nApp Engine legacy bundled services. Legacy bundled services include:\n\n- [Java 8 Datastore with App Engine APIs](https://cloud.google.com/appengine/docs/standard/java/datastore)\n- [Python 2 NDB client library for Datastore](https://cloud.google.com/appengine/docs/standard/python/ndb/creating-entities)\n- [Go 1.11 Datastore with App Engine APIs](https://cloud.google.com/appengine/docs/standard/go111/datastore)\n\nRestricted VIP\n\nTo use Firestore with MongoDB compatibility with restricted VIP, you must configure connectivity to\nthe VIP domain used by Firestore with MongoDB compatibility. This domain and its IP addresses are\nused only by the Firestore with MongoDB compatibility service and are VPC Service Controls\ncompliant.\n\nFor instructions, see\n[Configure Private Google Access in Firestore with MongoDB compatibility](/firestore/mongodb-compatibility/docs/configure-private-google-access).\n\nEgress protection on import and export operations\n\nFirestore with MongoDB compatibility supports VPC Service Controls but requires additional\nconfiguration to get full egress protection on import and export operations.\nYou must use the Firestore service agent to authorize import and\nexport operations instead of the default App Engine service\naccount. Use the following instructions to view and configure the authorization\naccount for import and export operations."]]
