Configure security for Private Service Connect interfaces

This page describes how producer network administrators can manage security in VPC networks that use Private Service Connect interfaces.

Because a Private Service Connect interface exists in a consumer Private Service Connect network, a producer organization does not control firewall rules that apply directly to the interface. If a producer organization wants to ensure that consumer workloads cannot initiate traffic to VMs in the producer network, or that only selected consumer workloads can initiate traffic, they must define security policies in the guest OS of their interface's VM.

Block consumer-to-producer ingress

You can use iptables to configure a Private Service Connect interface to block ingress traffic from a consumer network, but still allow egress traffic from the producer network. This configuration is illustrated by figure 1.

Consumer traffic is blocked from ingress through a Private Service Connect interface, but producer egress traffic is allowed (click to enlarge).

To configure a Private Service Connect interface to block ingress traffic from the consumer network but allow egress traffic from the producer network, do the following:

Ensure that firewall rules are configured to allow ingress SSH connections to your Private Service Connect interface's VM.
Connect to the VM.
If the iptables command isn't available, install it.
Allow consumer reply traffic to ingress into the Private Service Connect interface:
```
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -i OS_INTERFACE_NAME
```
Replace OS_INTERFACE_NAME with the guest OS name for your Private Service Connect interface, for example, ens5.
Block consumer-initiated traffic from ingressing through the Private Service Connect interface:
```
sudo iptables -A INPUT -j DROP -i OS_INTERFACE_NAME
```

Block Private Service Connect interface creation

To create Private Service Connect interfaces, users must have the compute.instances.pscInterfaceCreate Identity and Access Management (IAM) permission. This permission is included in the following roles:

Compute Admin (roles/compute.admin)
Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)

If you want a user to have the permissions that are associated with these roles, while preventing that user from creating Private Service Connect interfaces, you can Create a custom role and grant it to the user. Add the necessary permissions to the role. Omit the compute.instances.pscInterfaceCreate permission.

What's next?

Manage destination overlap in a network that has a Private Service Connect interface connection.