Configure security for Private Service Connect interfaces
This page describes how producer network administrators can manage security in VPC networks that use Private Service Connect interfaces.
Because a Private Service Connect interface exists in a consumer Private Service Connect network, a producer organization does not control firewall rules that apply directly to the interface. If a producer organization wants to ensure that consumer workloads cannot initiate traffic to VMs in the producer network, or that only selected consumer workloads can initiate traffic, they must define security policies in the guest OS of their interface's VM.
Block consumer-to-producer ingress
You can use iptables to configure a Private Service Connect interface to block ingress traffic from a consumer network but still allow egress traffic from the producer network. This configuration is illustrated by figure 1.
To configure a Private Service Connect interface to block ingress traffic from the consumer network but allow egress traffic from the producer network, do the following:
1. Ensure that firewall rules are configured to allow ingress SSH connections to your Private Service Connect interface's VM.
2. If the iptables command isn't available, install it.
3. Allow consumer reply traffic to ingress into the Private Service Connect interface:
   sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -i OS_INTERFACE_NAME
   Replace OS_INTERFACE_NAME with the guest OS name for your Private Service Connect interface, for example, ens5.
4. Block consumer-initiated traffic from ingressing through the Private Service Connect interface:
   sudo iptables -A INPUT -j DROP -i OS_INTERFACE_NAME
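As an added example that is not part of this page, the following shell script wraps the two rules above for a given interface name, applies them so that rerunning does not stack duplicate rules, and checks a dump of the INPUT chain to confirm the RELATED,ESTABLISHED accept sits before the DROP (the order the steps above produce). The helper names and the sample chain dump are constructed; the interface name is whatever your guest OS reports.

```shell
#!/bin/sh
# Added example, not from the Google Cloud page. The helper names and the sample
# chain dump below are constructed; pass the guest OS interface name (ens5 on the
# page) as the first argument.

# Emit the two rules from the procedure for one interface, accept first.
# Order matters: iptables evaluates INPUT top to bottom, so the RELATED,ESTABLISHED
# accept must precede the catch-all DROP or producer-initiated flows lose their replies.
psc_ingress_rules() {
  iface="$1"
  printf 'iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -i %s\n' "$iface"
  printf 'iptables -A INPUT -j DROP -i %s\n' "$iface"
}

# Apply the rules with sudo, skipping any that already exist (iptables -C) so the
# script can be rerun without stacking duplicates. Nothing here persists the rules
# across a reboot. Not executed below; intended for the interface VM itself.
psc_ingress_apply() {
  psc_ingress_rules "$1" | while IFS= read -r rule; do
    check=$(printf '%s' "$rule" | sed 's/ -A INPUT / -C INPUT /')
    sudo $check 2>/dev/null || sudo $rule
  done
}

# Verify a chain dump (`iptables -S INPUT` on stdin) for interface $1: succeed only
# if an accept for RELATED,ESTABLISHED on that interface appears before a DROP on it.
# iptables -S normalises option order and may print -m conntrack --ctstate instead
# of -m state --state, so match on the state names rather than the exact command.
psc_ingress_check() {
  awk -v iface="$1" '
    $0 ~ ("-i " iface "( |$)") && /RELATED,ESTABLISHED/ && /-j ACCEPT/ && !acc { acc = NR }
    $0 ~ ("-i " iface "( |$)") && /-j DROP/ && !drop { drop = NR }
    END { exit !(acc && drop && acc < drop) }
  '
}

# Constructed sample of a correctly ordered INPUT chain on the interface VM.
SAMPLE_INPUT_CHAIN='-P INPUT ACCEPT
-A INPUT -i ens5 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens5 -j DROP'

printf '%s\n' "$SAMPLE_INPUT_CHAIN" | psc_ingress_check ens5 && echo "ens5: accept-before-drop order OK"
```

On a configured VM, `sudo iptables -S INPUT | psc_ingress_check ens5` performs the same check against the live chain.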
Block Private Service Connect interface creation
To create Private Service Connect interfaces, users must have the compute.instances.pscInterfaceCreate Identity and Access Management (IAM) permission. This permission is included in the following roles:
- Compute Admin (roles/compute.admin)
- Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)
If you want a user to have the permissions that are associated with these roles while preventing that user from creating Private Service Connect interfaces, create a custom role and grant it to the user. Add the necessary permissions to the role, but omit the compute.instances.pscInterfaceCreate permission.
What's next?
- Manage destination overlap in a network that has a Private Service Connect interface connection.