Overview of managed policy constraints

This page provides an overview of managed organization policy constraints and their interactions.

Policy enforcement dependencies

The enforcement of managed organization policy constraints for data stores depends on several factors: the type of data source you are configuring, whether your project is protected with VPC Service Controls, and whether your project is included in the enforcedProjects parameter.

Related policy or service Description
Restrict allowed data sources for data connectors If you allow a data source, such as Google Drive or Gmail, in the Restrict allowed data sources for data connectors managed organization policy constraint, then the constraint automatically permits connections to its well-known FQDNs. This permission means you don't need to define these domains in the Restrict egress domains for data connectors managed policy constraint.

For projects where the policy is enforced (VPCSC-enabled projects or projects listed in enforcedProjects), you must use the Restrict egress domains for data connectors policy to explicitly allow the necessary FQDNs for third-party data sources where FQDNs aren't automatically allowed.
Restrict egress domains for data connectors For projects where the policy is enforced (VPCSC-enabled projects or projects listed in enforcedProjects), This managed organization policy constraint lets you specify which fully qualified domain names (FQDNs) are permitted when adding a data store.
Override the organization policy for Custom MCP data stores This managed organization policy constraint controls whether Custom Managed Connector Platform (MCP) data sources can be used.

Before you can create a Custom MCP data store, you must turn off the Disable custom MCP server connector for Gemini Enterprise managed constraint to enable Custom MCP.
VPC Service Controls VPC Service Controls perimeters can protect your project. For more information, see Use VPC Service Controls.

Enforcement of this constraint also depends on whether your project is protected by a VPC Service Controls (VPCSC) perimeter. For more information, see VPCSC interaction and enforcement.

VPCSC interaction and enforcement

The enforcement behavior of this constraint depends on your project's VPCSC state and whether it's included in the organization policy constraint's enforcedProjects parameter, as summarized in the following table:

VPCSC state Project included in enforcedProjects allowedEgressFqdns enforcement allowedDataSources enforcement
Enabled Yes Provisioning is blocked if the required domains aren't listed. Provisioning is blocked if the data source isn't listed.
Enabled No Provisioning is blocked if the required domains aren't listed. Provisioning is blocked if the data source isn't listed.
Not enabled Yes Provisioning is blocked if the required domains aren't listed. Provisioning is blocked if the data source isn't listed.
Not enabled No Provisioning is allowed even if domains aren't listed. Provisioning is allowed even if data source isn't listed.

Example scenarios

To understand how these policies interact, consider the following examples.

Allow Google Drive with VPCSC protection

You want to let users create a Google Drive data store.

Setup
The project is protected by a VPC Service Controls perimeter, and the VPCSC state is Enabled.
Requirement
To create the data store, you must add google_drive to the Restrict allowed data sources for data connectors policy.
Why
The system allows the connection and automatically permits the well-known FQDNs for Google Drive. You don't need to update the Restrict egress domains for data connectors policy.

Allowing a Custom MCP Server with VPCSC protection

You want to allow users to create a Custom MCP data store that connects to `api.cymbal.com`.

Setup
The project is protected by a VPC Service Controls perimeter (VPCSC state: Enabled).
Requirement
To create the data store and allow it to connect to api.cymbal.com, you must:
  1. Turn off the Disable custom MCP server connector for Gemini Enterprise managed constraint.
  2. Add custom_mcp to the Restrict allowed data sources for data connectors policy.
  3. Add api.cymbal.com to the Restrict egress domains for data connectors policy.
Why
When VPC Service Controls is enabled, policies are enforced automatically. Custom MCP requires that you explicitly allow FQDNs.

Third-party data source (Jira) without VPCSC protection

An organization wants to allow users to create a data store for a third-party data source, Jira, in a project that is not subject to enforcement.

Setup
The project is not protected by a VPC Service Controls perimeter and is not listed in enforcedProjects.
Requirement
No updates are required for the organization policies.
Why
Because standard enforcement is disabled, you don't need to explicitly allow the data source or its FQDNs.