This page provides an overview of managed organization policy constraints and their interactions.
Policy enforcement dependencies
The enforcement of managed organization policy constraints for data stores
depends on several factors: the type of data source you are configuring, whether
your project is protected with VPC Service Controls, and whether your project is
included in the enforcedProjects parameter.
| Related policy or service | Description |
|---|---|
| Restrict allowed data sources for data connectors |
If you allow a data source, such as Google Drive or Gmail,
in the Restrict allowed data sources for data connectors managed
organization policy constraint, then the constraint automatically
permits connections to its well-known FQDNs. This permission means you
don't need to define these domains in the
Restrict egress domains for data connectors
managed policy constraint. For projects where the policy is enforced (VPCSC-enabled projects or projects listed in enforcedProjects), you must use the
Restrict egress domains for data connectors policy to explicitly
allow the necessary FQDNs for third-party data sources where FQDNs
aren't automatically allowed.
|
| Restrict egress domains for data connectors |
For projects where the policy is enforced (VPCSC-enabled projects or
projects listed in enforcedProjects), This managed
organization policy constraint lets you specify which
fully qualified domain names (FQDNs) are permitted when adding a
data store.
|
| Override the organization policy for Custom MCP data stores |
This managed organization policy constraint controls whether Custom
Managed Connector Platform (MCP) data sources can be used. Before you can create a Custom MCP data store, you must turn off the Disable custom MCP server connector
for Gemini Enterprise
managed constraint to enable Custom MCP.
|
| VPC Service Controls |
VPC Service Controls perimeters can protect your project. For more
information, see
Use VPC Service Controls.
Enforcement of this constraint also depends on whether your project is protected by a VPC Service Controls (VPCSC) perimeter. For more information, see VPCSC interaction and enforcement. |
VPCSC interaction and enforcement
The enforcement behavior of this constraint depends on your project's VPCSC state
and whether it's included in the organization policy constraint's
enforcedProjects parameter, as summarized in the following table:
| VPCSC state | Project included in enforcedProjects |
allowedEgressFqdns enforcement |
allowedDataSources enforcement |
|---|---|---|---|
| Enabled | Yes | Provisioning is blocked if the required domains aren't listed. | Provisioning is blocked if the data source isn't listed. |
| Enabled | No | Provisioning is blocked if the required domains aren't listed. | Provisioning is blocked if the data source isn't listed. |
| Not enabled | Yes | Provisioning is blocked if the required domains aren't listed. | Provisioning is blocked if the data source isn't listed. |
| Not enabled | No | Provisioning is allowed even if domains aren't listed. | Provisioning is allowed even if data source isn't listed. |
Example scenarios
To understand how these policies interact, consider the following examples.
Allow Google Drive with VPCSC protection
You want to let users create a Google Drive data store.
| Setup |
|---|
| The project is protected by a VPC Service Controls perimeter, and the VPCSC state is Enabled. |
| Requirement |
To create the data store, you must add
google_drive to the Restrict allowed data sources for data connectors
policy. |
| Why |
| The system allows the connection and automatically permits the well-known FQDNs for Google Drive. You don't need to update the Restrict egress domains for data connectors policy. |
Allowing a Custom MCP Server with VPCSC protection
You want to allow users to create a Custom MCP data store that connects to `api.cymbal.com`.
| Setup |
|---|
| The project is protected by a VPC Service Controls perimeter (VPCSC state: Enabled). |
| Requirement |
To create the data store and allow it to connect to
api.cymbal.com, you must:
|
| Why |
| When VPC Service Controls is enabled, policies are enforced automatically. Custom MCP requires that you explicitly allow FQDNs. |
Third-party data source (Jira) without VPCSC protection
An organization wants to allow users to create a data store for a third-party data source, Jira, in a project that is not subject to enforcement.
| Setup |
|---|
The project is not protected by a VPC Service Controls perimeter and is not listed
in enforcedProjects. |
| Requirement |
| No updates are required for the organization policies. |
| Why |
| Because standard enforcement is disabled, you don't need to explicitly allow the data source or its FQDNs. |