VPC Service Controls

VPC Service Controls lets organizations define a perimeter around Google Cloud resources to mitigate data exfiltration risks. With VPC Service Controls, you create perimeters that protect the resources and data of services that you explicitly specify.

Bundled Firestore services

The following APIs are bundled together in VPC Service Controls:

  • firestore.googleapis.com
  • datastore.googleapis.com
  • firestorekeyvisualizer.googleapis.com

When you restrict the firestore.googleapis.com service in a perimeter, the perimeter also restricts the datastore.googleapis.com and firestorekeyvisualizer.googleapis.com services.

Restrict the datastore.googleapis.com service

The datastore.googleapis.com service is bundled under the firestore.googleapis.com service. To restrict the datastore.googleapis.com service, you must restrict the firestore.googleapis.com service as follows:

  • When creating a service perimeter using the Google Cloud console, add Firestore as the restricted service.
  • When creating a service perimeter using the Google Cloud CLI, use firestore.googleapis.com instead of datastore.googleapis.com.

    --perimeter-restricted-services=firestore.googleapis.com
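The bundling rule above is easy to get wrong in automation that builds perimeters from a service list, and easy to miss when auditing an existing perimeter (a perimeter that names only firestore.googleapis.com does restrict Datastore). The following Python helper is an added example, not code from the Google Cloud documentation or from the gcloud CLI; it encodes only the rule stated on this page and renders the flag value shown above.

```python
"""Effective VPC Service Controls coverage for the Firestore bundle.

Added example (not from the Google Cloud documentation). It encodes the
bundling rule stated on the page: restricting firestore.googleapis.com also
restricts datastore.googleapis.com and firestorekeyvisualizer.googleapis.com,
and datastore.googleapis.com is not named directly in the perimeter.
"""
from __future__ import annotations

FIRESTORE = "firestore.googleapis.com"
# Services restricted implicitly whenever FIRESTORE is restricted.
FIRESTORE_BUNDLE = frozenset({
    FIRESTORE,
    "datastore.googleapis.com",
    "firestorekeyvisualizer.googleapis.com",
})


def normalize_restricted_services(requested: list[str]) -> list[str]:
    """Map the services an operator wants restricted to the list that is
    actually passed to gcloud: bundled Firestore APIs collapse to FIRESTORE."""
    effective: set[str] = set()
    for svc in requested:
        svc = svc.strip().lower()
        effective.add(FIRESTORE if svc in FIRESTORE_BUNDLE else svc)
    return sorted(effective)


def effective_restricted_set(perimeter_services: list[str]) -> set[str]:
    """Expand a perimeter's restrictedServices list (as returned by
    `gcloud access-context-manager perimeters describe`) into everything the
    perimeter actually restricts, bundled services included."""
    effective = set(perimeter_services)
    if FIRESTORE in effective:
        effective |= FIRESTORE_BUNDLE
    return effective


def is_effectively_restricted(service: str, perimeter_services: list[str]) -> bool:
    """Audit helper: is `service` covered by this perimeter, directly or via bundling?"""
    return service in effective_restricted_set(perimeter_services)


def gcloud_restricted_services_flag(requested: list[str]) -> str:
    """Render the flag shown on the page with the bundle rule applied."""
    return "--perimeter-restricted-services=" + ",".join(
        normalize_restricted_services(requested)
    )


if __name__ == "__main__":
    wanted = ["datastore.googleapis.com", "bigquery.googleapis.com"]
    print(gcloud_restricted_services_flag(wanted))
    print(is_effectively_restricted("datastore.googleapis.com", [FIRESTORE]))
```

Feed `effective_restricted_set` the `restrictedServices` field from a perimeter describe call when checking whether Datastore-backed projects are actually inside the perimeter; checking for the literal string datastore.googleapis.com would report a false negative.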
    

App Engine legacy bundled services for Datastore

App Engine legacy bundled services for Datastore don't support service perimeters. Protecting the Datastore service with a service perimeter blocks traffic from App Engine legacy bundled services. Legacy bundled services include:

Restricted VIP

To use Firestore with MongoDB compatibility through the restricted VIP, you must add the following IP address ranges to the allowlist:

  • 136.124.0.0/23 for IPv4
  • 2600:1904::/47 for IPv6

These IP address ranges are used only by the Firestore service and are VPC Service Controls compliant.

Egress protection on import and export operations

Firestore with MongoDB compatibility supports VPC Service Controls but requires additional configuration to get full egress protection on import and export operations. You must use the Firestore service agent to authorize import and export operations instead of the default App Engine service account. Use the following instructions to view and configure the authorization account for import and export operations.
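A small audit check for the requirement just stated, as an added example that is not part of the Google Cloud documentation: given the e-mail of the account currently authorized for import and export operations, decide whether it is the Firestore service agent or the default App Engine service account. The page does not give the naming pattern of either identity; the two regular expressions below are assumptions about how those accounts are named and should be verified against your own project before relying on them.

```python
"""Check which identity is authorized for Firestore import/export operations.

Added example, not from the Google Cloud documentation. The page only says
the Firestore service agent must be used instead of the default App Engine
service account; the two e-mail patterns below are ASSUMPTIONS about how
those identities are named and must be verified against your project.
"""
import re

# Assumed naming patterns (not stated on the page).
SERVICE_AGENT_RE = re.compile(
    r"^service-(\d+)@gcp-sa-firestore\.iam\.gserviceaccount\.com$"
)
APP_ENGINE_DEFAULT_RE = re.compile(
    r"^([a-z][a-z0-9-]*)@appspot\.gserviceaccount\.com$"
)


def classify_authorization_account(email: str) -> str:
    """Return 'service_agent', 'app_engine_default' or 'unknown'."""
    email = email.strip().lower()
    if SERVICE_AGENT_RE.match(email):
        return "service_agent"
    if APP_ENGINE_DEFAULT_RE.match(email):
        return "app_engine_default"
    return "unknown"


def egress_protection_complete(email: str, expected_project_number: str) -> bool:
    """True only when the authorized account is the Firestore service agent
    of the expected project. A service agent belonging to a different project
    number is reported as a finding, not a pass."""
    m = SERVICE_AGENT_RE.match(email.strip().lower())
    return bool(m) and m.group(1) == expected_project_number


if __name__ == "__main__":
    # Constructed values for the demo.
    for acct in [
        "service-123456789012@gcp-sa-firestore.iam.gserviceaccount.com",
        "my-project@appspot.gserviceaccount.com",
    ]:
        print(acct, classify_authorization_account(acct),
              egress_protection_complete(acct, "123456789012"))
```

Run this against the account reported by your project's import/export authorization settings; a result of `app_engine_default` means the additional configuration described above has not been applied and egress protection on those operations is incomplete.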