Cloud Firestore Enterprise edition with MongoDB compatibility is now available!
Learn more.
VPC Service Controls
Stay organized with collections
Save and categorize content based on your preferences.
VPC Service Controls lets organizations define a perimeter around
Google Cloud resources to mitigate data exfiltration risks. With
VPC Service Controls, you create perimeters that protect the resources and data
of services that you explicitly specify.
Bundled Cloud Firestore services
The following APIs are bundled together in VPC Service Controls:
firestore.googleapis.comdatastore.googleapis.comfirestorekeyvisualizer.googleapis.com
When you restrict the firestore.googleapis.com service in a perimeter,
the perimeter also restricts the datastore.googleapis.com and
firestorekeyvisualizer.googleapis.com services.
Restrict the datastore.googleapis.com service
The datastore.googleapis.com service is bundled under the
firestore.googleapis.com service. To restrict the
datastore.googleapis.com
service, you must restrict the firestore.googleapis.com service
as follows:
App Engine legacy bundled services for Datastore
App Engine legacy bundled services for Datastore
don't support service perimeters. Protecting the Datastore
service with a service perimeter blocks traffic from
App Engine legacy bundled services. Legacy bundled services include:
Egress protection on import and export operations
Cloud Firestore with MongoDB compatibility supports VPC Service Controls but requires additional
configuration to get full egress protection on import and export operations.
You must use the Cloud Firestore service agent to authorize import and
export operations instead of the default App Engine service
account. Use the following instructions to view and configure the authorization
account for import and export operations.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-25 UTC.
[null,null,["Last updated 2025-08-25 UTC."],[],[],null,["\u003cbr /\u003e\n\n[VPC Service Controls](https://cloud.google.com/vpc-service-controls/) lets organizations define a perimeter around\nGoogle Cloud resources to mitigate data exfiltration risks. With\nVPC Service Controls, you create perimeters that protect the resources and data\nof services that you explicitly specify.\n\nBundled Cloud Firestore services\n\nThe following APIs are bundled together in VPC Service Controls:\n\n- `firestore.googleapis.com`\n- `datastore.googleapis.com`\n- `firestorekeyvisualizer.googleapis.com`\n\nWhen you restrict the `firestore.googleapis.com` service in a perimeter,\nthe perimeter also restricts the `datastore.googleapis.com` and\n`firestorekeyvisualizer.googleapis.com` services.\n\nRestrict the datastore.googleapis.com service\n\nThe `datastore.googleapis.com` service is bundled under the\n`firestore.googleapis.com` service. To restrict the\n`datastore.googleapis.com`\nservice, you must restrict the `firestore.googleapis.com` service\nas follows:\n\n- When creating a service perimeter using the Google Cloud console, add Cloud Firestore as the restricted service.\n- When creating a service perimeter using the Google Cloud CLI, use\n `firestore.googleapis.com` instead of `datastore.googleapis.com`.\n\n --perimeter-restricted-services=firestore.googleapis.com\n\nApp Engine legacy bundled services for Datastore\n\n[App Engine legacy bundled services for Datastore](https://cloud.google.com/appengine/docs/standard/python/bundled-services-overview)\ndon't support service perimeters. Protecting the Datastore\nservice with a service perimeter blocks traffic from\nApp Engine legacy bundled services. Legacy bundled services include:\n\n- [Java 8 Datastore with App Engine APIs](https://cloud.google.com/appengine/docs/standard/java/datastore)\n- [Python 2 NDB client library for Datastore](https://cloud.google.com/appengine/docs/standard/python/ndb/creating-entities)\n- [Go 1.11 Datastore with App Engine APIs](https://cloud.google.com/appengine/docs/standard/go111/datastore)\n\nEgress protection on import and export operations\n\nCloud Firestore with MongoDB compatibility supports VPC Service Controls but requires additional\nconfiguration to get full egress protection on import and export operations.\nYou must use the Cloud Firestore service agent to authorize import and\nexport operations instead of the default App Engine service\naccount. Use the following instructions to view and configure the authorization\naccount for import and export operations."]]
