Some products and features are in the process of being renamed. Generative playbook and flow features are also being migrated to a single consolidated console. See the details.
Stay organized with collections
Save and categorize content based on your preferences.
VPC Service Controls
can help you mitigate the risk of data exfiltration from Dialogflow.
Use VPC Service Controls to create a service perimeter
that protects the resources and data that you specify.
For example, when you use VPC Service Controls to protect Dialogflow,
the following artifacts cannot leave your service perimeter:
Agent data
Detect intent requests and responses
Limitations
The following limitations apply:
Integrations let third-party
applications directly connect to Agents regardless of if the Agent is within
a service perimeter.
Webhooks can be used to directly connect to a Cloud Function or Cloud Run
endpoint within the same service perimeter as the Agent
Any other type of webhook service is not supported and will be blocked.
Service perimeter creation
When you create a service perimeter,
include Dialogflow (dialogflow.googleapis.com) as a protected service.
You aren't required to include any additional services
for Dialogflow to function.
However, Dialogflow won't be able to reach resources outside the perimeter,
such as files in a Cloud Storage bucket that is outside the perimeter.
For more information about creating a service perimeter, see
Creating a service perimeter
in the VPC Service Controls documentation.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[[["\u003cp\u003eVPC Service Controls helps prevent data exfiltration from Dialogflow by creating a service perimeter that protects specified resources and data.\u003c/p\u003e\n"],["\u003cp\u003eWithin a service perimeter protecting Dialogflow, agent data, and detect intent requests and responses are secured and cannot leave.\u003c/p\u003e\n"],["\u003cp\u003eWebhooks within the same service perimeter can connect to Cloud Functions or Cloud Run, and webhooks can connect to services using Service Directory private network access.\u003c/p\u003e\n"],["\u003cp\u003eWhen creating a service perimeter, include Dialogflow (\u003ccode\u003edialogflow.googleapis.com\u003c/code\u003e) as a protected service, but other services are optional for its core functionality.\u003c/p\u003e\n"],["\u003cp\u003eDialogflow cannot access resources outside the defined service perimeter, such as files in an external Cloud Storage bucket.\u003c/p\u003e\n"]]],[],null,["# Using VPC Service Controls\n\n[VPC Service Controls](/vpc-service-controls/docs/overview)\ncan help you mitigate the risk of data exfiltration from Dialogflow.\nUse VPC Service Controls to create a *service perimeter*\nthat protects the resources and data that you specify.\nFor example, when you use VPC Service Controls to protect Dialogflow,\nthe following artifacts cannot leave your service perimeter:\n\n- Agent data\n- Detect intent requests and responses\n\nLimitations\n-----------\n\nThe following limitations apply:\n\n- [Integrations](/dialogflow/cx/docs/concept/integration) let third-party applications directly connect to Agents regardless of if the Agent is within a service perimeter.\n- Webhooks can be used to directly connect to a Cloud Function or Cloud Run endpoint within the same service perimeter as the Agent\n- Webhooks can be used to connect to services integrated with [Service Directory private network access](/dialogflow/cx/docs/concept/webhook#sd)\n\nAny other type of webhook service is not supported and will be blocked.\n\nService perimeter creation\n--------------------------\n\nWhen you create a service perimeter,\ninclude Dialogflow (`dialogflow.googleapis.com`) as a protected service.\nYou aren't required to include any additional services\nfor Dialogflow to function.\nHowever, Dialogflow won't be able to reach resources outside the perimeter,\nsuch as files in a Cloud Storage bucket that is outside the perimeter.\n\nFor more information about creating a service perimeter, see\n[Creating a service perimeter](/vpc-service-controls/docs/create-service-perimeters)\nin the VPC Service Controls documentation."]]