Manage security for Private Service Connect consumers

This page describes how service consumers can configure security for consumer organizations and VPC networks that use Private Service Connect.

Organization policies let administrators broadly control which VPC networks or organizations their projects can connect to by using Private Service Connect endpoints and backends. VPC firewall rules and firewall policies let network administrators control network-level access to Private Service Connect resources. Organization policies and firewall rules are complementary and can be used together.

Roles

To get the permissions that you need to manage organization policies, ask your administrator to grant you the Organization policy administrator (roles/orgpolicy.policyAdmin) IAM role on the organization. For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

To get the permissions that you need to create firewall rules, ask your administrator to grant you the Compute network administrator (roles/compute.networkAdmin) IAM role on the VPC network. For more information about granting roles, see Manage access.

You might also be able to get the required permissions through custom roles or other predefined roles.

Consumer organization policies

You can use organization policies with list constraints to control the deployment of Private Service Connect endpoints or backends. If an endpoint or backend is blocked by a consumer organization policy, the creation of the resource fails.

For more information, see Consumer-side organization policies.

Block endpoints and backends from connecting to unauthorized service attachments

gcloud

  1. Create a temporary file called /tmp/policy.yaml to store the new policy. Add the following content to the file:

    name: organizations/CONSUMER_ORG/policies/compute.restrictPrivateServiceConnectProducer
    spec:
      rules:
        - values:
            allowedValues:
            - under:organizations/PRODUCER_ORG_NUMBER
            - under:organizations/433637338589
    

    Replace the following:

    • CONSUMER_ORG: the organization resource ID of the organization that you want to control endpoint and backend connections in.
    • PRODUCER_ORG_NUMBER: the numeric organization resource ID of the producer organization that you want to let endpoints and backends connect to.

    To block endpoints and backends from connecting to service attachments that are owned by Google, remove the following item from the allowedValues section: - under:organizations/433637338589.

    To specify additional organizations that can connect to service attachments in your project, include additional entries in the allowedValues section.

    In addition to organizations, you can specify authorized folders and projects in the following form:

    • under:folders/FOLDER_ID

      The FOLDER_ID must be the numeric ID.

    • under:projects/PROJECT_ID

      The PROJECT_ID must be the string ID.

    For example, the following policy blocks endpoints and backends in Consumer-org-1 from connecting to service attachments unless the service attachments are associated with an allowed value or a descendant of an allowed value. The allowed values are the organization Producer-org-1, the project Producer-project-1, and the folder Producer-folder-1.

    name: organizations/Consumer-org-1/policies/compute.restrictPrivateServiceConnectProducer
    spec:
      rules:
        - values:
            allowedValues:
            - under:organizations/Producer-org-1
            - under:projects/Producer-project-1
            - under:folders/Producer-folder-1
    
  2. Apply the policy.

    gcloud org-policies set-policy /tmp/policy.yaml
    
  3. View the policy that is in effect.

    gcloud org-policies describe compute.restrictPrivateServiceConnectProducer \
        --effective \
        --organization=CONSUMER_ORG
    
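The `under:` prefix means "this resource or any descendant of it". The following added example (not part of the Google Cloud documentation) models that decision for the `compute.restrictPrivateServiceConnectProducer` constraint so that you can check, before applying a policy file, which producer projects it would admit; the resource hierarchy, project names and folder ID are constructed for illustration, and the line-based reader only handles the fixed layout shown on this page.

```python
# Added example: a model of the 'under:' matching used by
# compute.restrictPrivateServiceConnectProducer (not the real Org Policy engine).

# Policy file in the layout shown above (constructed; same shape as /tmp/policy.yaml).
POLICY_YAML = """\
name: organizations/Consumer-org-1/policies/compute.restrictPrivateServiceConnectProducer
spec:
  rules:
    - values:
        allowedValues:
        - under:organizations/Producer-org-1
        - under:organizations/433637338589
"""

# Constructed resource hierarchy: child resource -> parent resource.
# Organizations have no parent, so they are absent as keys.
PARENT = {
    "projects/producer-project-1": "folders/100",
    "folders/100": "organizations/Producer-org-1",
    "projects/other-project": "organizations/Other-org",
    "projects/google-owned-project": "organizations/433637338589",
}

def allowed_values(policy_yaml):
    """Extract the allowedValues entries from the fixed-layout policy file."""
    return [line.strip()[2:] for line in policy_yaml.splitlines()
            if line.strip().startswith("- under:")]

def ancestors(resource):
    """Yield the resource itself, then each parent up to its organization."""
    while resource is not None:
        yield resource
        resource = PARENT.get(resource)

def attachment_allowed(attachment_project, values):
    """True if the service attachment's project is an allowed value or a
    descendant of one (the 'under:' semantics)."""
    targets = {v[len("under:"):] for v in values if v.startswith("under:")}
    return any(r in targets for r in ancestors(attachment_project))

if __name__ == "__main__":
    with_google = allowed_values(POLICY_YAML)
    # Removing the Google organization entry blocks Google-owned attachments.
    without_google = [v for v in with_google if "433637338589" not in v]
    for project in PARENT:
        if project.startswith("projects/"):
            print(project, attachment_allowed(project, with_google),
                  attachment_allowed(project, without_google))
```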

Block consumers from deploying endpoints by connection type

gcloud

  1. Create a temporary file called /tmp/policy.yaml to store the new policy.

    • To block users in a consumer organization from creating endpoints that connect to Google APIs, add the following content to the file:

      name: organizations/CONSUMER_ORG/policies/compute.disablePrivateServiceConnectCreationForConsumers
      spec:
        rules:
          - values:
              allowedValues:
              - SERVICE_PRODUCERS
      
    • To block users in a consumer organization from creating endpoints that connect to published services, add the following content to the file:

      name: organizations/CONSUMER_ORG/policies/compute.disablePrivateServiceConnectCreationForConsumers
      spec:
        rules:
          - values:
              allowedValues:
              - GOOGLE_APIS
      

    Replace CONSUMER_ORG with the name of the consumer organization for which you want to control endpoint deployment.

  2. Apply the policy.

    gcloud org-policies set-policy /tmp/policy.yaml
    
  3. View the policy that is in effect.

    gcloud org-policies describe compute.disablePrivateServiceConnectCreationForConsumers \
        --effective \
        --organization=CONSUMER_ORG
    

Firewall rules

You can use VPC firewall rules or firewall policies to control access to Private Service Connect resources. Egress firewall rules can block or allow access from VM instances to the IP address or subnet of endpoints and backends.

For example, Figure 1 shows a configuration where firewall rules control access to the subnet that the Private Service Connect endpoint is connected to.

Figure 1. Firewall rules control traffic to endpoint-subnet. Traffic from vm-1 can reach endpoint-subnet, while traffic from vm-2 is blocked.

  1. The following firewall rule denies all egress traffic to the endpoint subnet:

    gcloud compute firewall-rules create deny-all \
        --network=vpc-1 \
        --direction=egress \
        --action=deny \
        --destination-ranges=10.33.0.0/24 \
        --priority=1000
    
  2. The following higher priority firewall rule allows egress traffic to the endpoint subnet for VMs with the allow-psc network tag:

    gcloud compute firewall-rules create allow-psc \
        --network=vpc-1 \
        --direction=egress \
        --action=allow \
        --target-tags=allow-psc \
        --destination-ranges=10.33.0.0/24 \
        --priority=100
    

Use firewall rules to limit access to endpoints or backends

To limit access from VMs to the subnet of an endpoint or backend, do the following.

  1. Create a firewall rule to deny egress traffic to the endpoint or backend subnet.

    gcloud compute firewall-rules create deny-all \
        --network=NETWORK \
        --direction=egress \
        --action=deny \
        --destination-ranges=ENDPOINT_SUBNET_RANGE \
        --priority=1000
    

    Replace the following:

    • NETWORK: the name of the network of your endpoint or backend.
    • ENDPOINT_SUBNET_RANGE: the IP CIDR range of the endpoint or backend subnet that you want to control access to.
  2. Create a second firewall rule to allow egress traffic from tagged VMs to the endpoint or backend subnet.

    gcloud compute firewall-rules create allow-psc \
        --network=NETWORK \
        --direction=egress \
        --action=allow \
        --target-tags=allow-psc \
        --destination-ranges=ENDPOINT_SUBNET_RANGE \
        --priority=100
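The deny-all/allow-psc pattern in Figure 1 and in the procedure above only works because the allow rule has the numerically lower (higher) priority. The following added example (not part of the Google Cloud documentation) models egress rule evaluation for the two rules so that the pattern can be sanity-checked before deployment; the VM tags and addresses are constructed, and the model ignores protocols, ports and hierarchical firewall policies, which real evaluation also considers.

```python
# Added example: simplified VPC egress firewall evaluation for the two rules on this page.
from ipaddress import ip_address, ip_network

# Mirrors the gcloud rules above; a lower priority number wins.
RULES = [
    {"name": "deny-all", "priority": 1000, "action": "deny",
     "target_tags": None, "destination": "10.33.0.0/24"},
    {"name": "allow-psc", "priority": 100, "action": "allow",
     "target_tags": {"allow-psc"}, "destination": "10.33.0.0/24"},
]

def egress_decision(vm_tags, dest_ip, rules=RULES):
    """Return (action, rule_name) for egress from a VM carrying vm_tags to dest_ip.
    The highest-priority matching rule wins; with no match, VPC networks apply
    the implied allow-egress rule."""
    dest = ip_address(dest_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        tags_match = rule["target_tags"] is None or bool(rule["target_tags"] & set(vm_tags))
        if tags_match and dest in ip_network(rule["destination"]):
            return rule["action"], rule["name"]
    return "allow", "implied-allow-egress"

def exception_effective(rules=RULES, tag="allow-psc", probe_ip="10.33.0.1"):
    """Pre-deployment check: tagged VMs must reach the endpoint subnet and
    untagged VMs must be denied. Fails if the priorities are inverted."""
    tagged_ok = egress_decision({tag}, probe_ip, rules)[0] == "allow"
    untagged_blocked = egress_decision(set(), probe_ip, rules)[0] == "deny"
    return tagged_ok and untagged_blocked

if __name__ == "__main__":
    print("vm-1 (tagged):  ", egress_decision({"allow-psc"}, "10.33.0.5"))
    print("vm-2 (untagged):", egress_decision(set(), "10.33.0.5"))
    print("other subnet:   ", egress_decision(set(), "10.44.0.5"))
    print("pattern effective:", exception_effective())
```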