VPC Service Controls lets organizations define a perimeter around Google Cloud resources to mitigate data exfiltration risks. With VPC Service Controls, you create perimeters that protect the resources and data of services that you explicitly specify.
Bundled Cloud Firestore services
The following APIs are bundled together in VPC Service Controls:
firestore.googleapis.comdatastore.googleapis.comfirestorekeyvisualizer.googleapis.com
When you restrict the firestore.googleapis.com service in a perimeter,
the perimeter also restricts the datastore.googleapis.com and
firestorekeyvisualizer.googleapis.com services.
Restrict the datastore.googleapis.com service
The datastore.googleapis.com service is bundled under the
firestore.googleapis.com service. To restrict the
datastore.googleapis.com
service, you must restrict the firestore.googleapis.com service
as follows:
- When creating a service perimeter using the Google Cloud console, add Cloud Firestore as the restricted service.
When creating a service perimeter using the Google Cloud CLI, use
firestore.googleapis.cominstead ofdatastore.googleapis.com.--perimeter-restricted-services=firestore.googleapis.com
App Engine legacy bundled services for Datastore
App Engine legacy bundled services for Datastore don't support service perimeters. Protecting the Datastore service with a service perimeter blocks traffic from App Engine legacy bundled services. Legacy bundled services include:
- Java 8 Datastore with App Engine APIs
- Python 2 NDB client library for Datastore
- Go 1.11 Datastore with App Engine APIs
Egress protection on import and export operations
Cloud Firestore with MongoDB compatibility supports VPC Service Controls but requires additional configuration to get full egress protection on import and export operations. You must use the Cloud Firestore service agent to authorize import and export operations instead of the default App Engine service account. Use the following instructions to view and configure the authorization account for import and export operations.