Manage security for Private Service Connect consumers
This page describes how service consumers can configure security for consumer organizations and VPC networks that use Private Service Connect.
Organization policies let administrators broadly control which VPC networks or organizations their projects can connect to by using Private Service Connect endpoints and backends. VPC firewall rules and firewall policies let network administrators control network-level access to Private Service Connect resources. Organization policies and firewall rules are complementary and can be used together.
Roles
To get the permissions that you need to manage organization policies, ask your administrator to grant you the Organization policy administrator (roles/orgpolicy.policyAdmin) IAM role on the organization.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
To get the permissions that you need to create firewall rules, ask your administrator to grant you the Compute network administrator (roles/compute.networkAdmin) IAM role on the VPC network.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Consumer organization policies
You can use organization policies with list constraints to control the deployment of Private Service Connect endpoints or backends. If an endpoint or backend is blocked by a consumer organization policy, the creation of the resource fails. The constraints are not retroactive: endpoints and backends that were created before the policy was set keep working, so audit existing forwarding rules after you apply a policy.
For more information, see Consumer-side organization policies.
Block endpoints and backends from connecting to unauthorized service attachments
Resources: endpoints and backends
gcloud
Create a temporary file called /tmp/policy.yaml to store the new policy. Add the following content to the file:

name: organizations/CONSUMER_ORG/policies/compute.restrictPrivateServiceConnectProducer
spec:
  rules:
  - values:
      allowedValues:
      - under:organizations/PRODUCER_ORG_NUMBER
      - under:organizations/433637338589
Replace the following:
CONSUMER_ORG: the organization resource ID of the organization that you want to control endpoint and backend connections in.
PRODUCER_ORG_NUMBER: the numeric organization resource ID of the producer organization that you want to let endpoints and backends connect to.

To block endpoints and backends from connecting to service attachments that are owned by Google, remove the following item from the allowedValues section:
- under:organizations/433637338589

To let endpoints and backends in your organization connect to service attachments owned by additional producer organizations, include additional entries in the allowedValues section.

In addition to organizations, you can specify authorized folders and projects in the following form:
under:folders/FOLDER_ID
The FOLDER_ID must be the numeric ID.
under:projects/PROJECT_ID
The PROJECT_ID must be the string ID.
For example, the following policy blocks endpoints and backends in Consumer-org-1 from connecting to service attachments unless the service attachments are associated with an allowed value or a descendant of an allowed value. The allowed values are the organization Producer-org-1, the project Producer-project-1, and the folder Producer-folder-1.

name: organizations/Consumer-org-1/policies/compute.restrictPrivateServiceConnectProducer
spec:
  rules:
  - values:
      allowedValues:
      - under:organizations/Producer-org-1
      - under:projects/Producer-project-1
      - under:folders/Producer-folder-1
Apply the policy.
gcloud org-policies set-policy /tmp/policy.yaml
View the policy that is in effect.
gcloud org-policies describe compute.restrictPrivateServiceConnectProducer \
    --effective \
    --organization=CONSUMER_ORG
Block consumers from deploying endpoints by connection type
Resources: endpoints
gcloud
Create a temporary file called /tmp/policy.yaml to store the new policy.

To block users in a consumer organization from creating endpoints that connect to Google APIs, add the following content to the file:

name: organizations/CONSUMER_ORG/policies/compute.disablePrivateServiceConnectCreationForConsumers
spec:
  rules:
  - values:
      allowedValues:
      - SERVICE_PRODUCERS
To block users in a consumer organization from creating endpoints that connect to published services, add the following content to the file:

name: organizations/CONSUMER_ORG/policies/compute.disablePrivateServiceConnectCreationForConsumers
spec:
  rules:
  - values:
      allowedValues:
      - GOOGLE_APIS
Replace CONSUMER_ORG with the organization resource ID of the consumer organization for which you want to control endpoint deployment.

Apply the policy.
gcloud org-policies set-policy /tmp/policy.yaml
View the policy that is in effect. Note that the constraint name here is the connection-type constraint, not compute.restrictPrivateServiceConnectProducer.
gcloud org-policies describe compute.disablePrivateServiceConnectCreationForConsumers \
    --effective \
    --organization=CONSUMER_ORG
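The two org-policy procedures above share the same shape: write a list-constraint policy file, apply it, then read back the effective policy. The following shell functions are an added example, not code from the Private Service Connect documentation. They generate the policy YAML for either constraint, validate producer values against the forms the page allows (numeric organization and folder IDs, string project IDs), and flag whether Google-owned service attachments are still permitted. The project-ID regex is an assumption that ignores legacy domain-scoped IDs; the function names, the PSC_APPLY variable and the sample IDs are invented for the example.

```shell
#!/bin/sh
# Added example, not part of the Private Service Connect documentation.
# Builds, validates and (optionally) applies the list-constraint policies from
# the two procedures above. Assumes a POSIX shell with grep and sed; the gcloud
# calls need an authenticated gcloud and are only run when PSC_APPLY=1.

# Write an org policy for a list constraint with the given allowed values.
#   $1 = numeric consumer organization ID, $2 = constraint name,
#   $3 = output path, remaining args = allowedValues entries.
psc_write_list_policy() {
  org="$1"; constraint="$2"; out="$3"; shift 3
  [ $# -gt 0 ] || { echo "no allowed values given" >&2; return 1; }
  {
    printf 'name: organizations/%s/policies/%s\n' "$org" "$constraint"
    printf 'spec:\n  rules:\n  - values:\n      allowedValues:\n'
    for v in "$@"; do printf '      - %s\n' "$v"; done
  } > "$out"
}

# Accept only the value forms the restrictPrivateServiceConnectProducer
# constraint takes: numeric organization or folder IDs, string project IDs.
# The project-ID regex (6-30 chars, lowercase letters, digits, hyphens) is an
# assumption that ignores legacy domain-scoped IDs.
psc_valid_producer_value() {
  printf '%s\n' "$1" | grep -Eq \
    '^under:(organizations/[0-9]+|folders/[0-9]+|projects/[a-z][-a-z0-9]{4,28}[a-z0-9])$'
}

# Write the producer-restriction policy after validating every value. Google-owned
# service attachments (organization 433637338589) stay allowed only when that
# entry is passed explicitly.
psc_write_producer_policy() {
  org="$1"; out="$2"; shift 2
  for v in "$@"; do
    psc_valid_producer_value "$v" || { echo "invalid allowed value: $v" >&2; return 1; }
  done
  psc_write_list_policy "$org" compute.restrictPrivateServiceConnectProducer "$out" "$@"
}

# Return 0 if a policy file (or `gcloud org-policies describe --effective`
# output) still allows Google-owned service attachments.
psc_allows_google_attachments() {
  grep -q 'under:organizations/433637338589' "$1"
}

# Pull the organization ID and constraint name back out of a policy file so the
# apply step verifies exactly the constraint it set.
psc_policy_org() { sed -n 's#^name: organizations/\([0-9][0-9]*\)/policies/.*#\1#p' "$1"; }
psc_policy_constraint() { sed -n 's#^name: organizations/[0-9]*/policies/##p' "$1"; }

# Apply a policy file and print the effective policy for the constraint named in it.
psc_apply_policy() {
  gcloud org-policies set-policy "$1"
  gcloud org-policies describe "$(psc_policy_constraint "$1")" \
    --effective --organization="$(psc_policy_org "$1")"
}

# Usage (writing and checking run offline; apply only with PSC_APPLY=1):
#   psc_write_producer_policy 123456789012 /tmp/policy.yaml \
#     under:organizations/987654321098 under:projects/producer-project-1
#   psc_allows_google_attachments /tmp/policy.yaml || echo "Google-owned service attachments blocked"
#   psc_write_list_policy 123456789012 compute.disablePrivateServiceConnectCreationForConsumers \
#     /tmp/policy-types.yaml SERVICE_PRODUCERS
#   [ "${PSC_APPLY:-0}" = 1 ] && psc_apply_policy /tmp/policy.yaml
```

Run psc_allows_google_attachments against the output of the describe command after applying, not only against the file you wrote: the effective policy is what inheritance from parent folders and the organization actually produces.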
Firewall rules
Resources: all
You can use VPC firewall rules or firewall policies to control access to Private Service Connect resources. Egress firewall rules can block or allow access from VM instances to the IP address or subnet of endpoints and backends. Because every VPC network has an implied allow-egress rule at the lowest priority, you must create an explicit deny rule and then a higher-priority allow rule for the VMs that need access.
For example, figure 1 describes a configuration where firewall rules control access to the subnet that the Private Service Connect endpoint is connected to.
The following firewall rule denies all egress traffic to the endpoint subnet:
gcloud compute firewall-rules create deny-all \
    --network=vpc-1 \
    --direction=egress \
    --action=deny \
    --destination-ranges=10.33.0.0/24 \
    --priority=1000
The following higher priority firewall rule allows egress traffic to the endpoint subnet for VMs with the allow-psc network tag:
gcloud compute firewall-rules create allow-psc \
    --network=vpc-1 \
    --direction=egress \
    --action=allow \
    --target-tags=allow-psc \
    --destination-ranges=10.33.0.0/24 \
    --priority=100
Use firewall rules to limit access to endpoints or backends
To limit access from VMs to the subnet of an endpoint or backend, do the following.
Create a firewall rule to deny egress traffic to the endpoint or backend subnet.
gcloud compute firewall-rules create deny-all \
    --network=NETWORK \
    --direction=egress \
    --action=deny \
    --destination-ranges=ENDPOINT_SUBNET_RANGE \
    --priority=1000
Replace the following:
NETWORK: the name of the network of your endpoint or backend.
ENDPOINT_SUBNET_RANGE: the IP CIDR range of the endpoint or backend subnet that you want to control access to.
Create a second firewall rule to allow egress traffic from tagged VMs to the endpoint or backend subnet. The priority number must be lower than the deny rule's priority, because a lower number is a higher priority. VMs that do not carry the allow-psc network tag are still denied by the first rule.
gcloud compute firewall-rules create allow-psc \
    --network=NETWORK \
    --direction=egress \
    --action=allow \
    --target-tags=allow-psc \
    --destination-ranges=ENDPOINT_SUBNET_RANGE \
    --priority=100
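The deny/allow pair above only works if the priorities are ordered correctly and the VM carries the tag. As an added example that is not part of the Private Service Connect documentation, the following shell functions check the priority ordering before anything is created, emit (or with PSC_APPLY=1 run) the two gcloud commands, and evaluate a small offline model of egress rule matching so you can see which rule wins for a given VM. The rule lines the evaluator reads are constructed sample data in the form "priority action target-tag dest-cidr", not gcloud output; the rule names, the PSC_APPLY variable and the explicit --rules=all (all protocols) are choices made for this example.

```shell
#!/bin/sh
# Added example, not part of the Private Service Connect documentation.
# Assumes a POSIX shell with awk. Only psc_firewall_pair with PSC_APPLY=1
# touches gcloud; everything else runs offline.

# Return 0 when the allow rule will take precedence over the deny rule.
# VPC firewall priorities run 0-65535 and a lower number wins.
psc_priorities_ok() {
  allow="$1"; deny="$2"
  [ "$allow" -ge 0 ] && [ "$allow" -le 65535 ] || return 1
  [ "$deny" -ge 0 ] && [ "$deny" -le 65535 ] || return 1
  [ "$allow" -lt "$deny" ]
}

# Decide allow/deny for egress from a VM with comma-separated TAGS to DEST_IP,
# using constructed rule lines: "priority action target-tag dest-cidr", where a
# target-tag of "-" applies to every instance. The lowest priority number that
# matches wins; on a tie, deny wins; when nothing matches, the implied
# allow-egress rule (priority 65535) applies.
psc_egress_decision() {
  rules_file="$1"; vm_tags="$2"; dest_ip="$3"
  awk -v tags="$vm_tags" -v ip="$dest_ip" '
    function ip2int(a,  p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
    # Compare network prefixes by dropping the host bits of both addresses.
    function in_cidr(addr, cidr,  c, shift) {
      split(cidr, c, "/"); shift = 2^(32 - c[2])
      return int(ip2int(addr)/shift) == int(ip2int(c[1])/shift)
    }
    BEGIN {
      split("", has)
      n = split(tags, t, ","); for (i = 1; i <= n; i++) has[t[i]] = 1
      best = 65535; decision = "allow"
    }
    ($3 == "-" || ($3 in has)) && in_cidr(ip, $4) {
      if ($1 < best || ($1 == best && $2 == "deny")) { best = $1; decision = $2 }
    }
    END { print decision }
  ' "$rules_file"
}

# Print a command, or run it when PSC_APPLY=1.
psc_run() { if [ "${PSC_APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Emit the deny/allow pair for one endpoint or backend subnet.
#   $1 network, $2 subnet CIDR, $3 network tag, $4 allow priority, $5 deny priority
psc_firewall_pair() {
  network="$1"; range="$2"; tag="$3"; allow_prio="${4:-100}"; deny_prio="${5:-1000}"
  psc_priorities_ok "$allow_prio" "$deny_prio" || {
    echo "allow priority must be numerically lower than deny priority" >&2; return 1; }
  psc_run gcloud compute firewall-rules create deny-psc-subnet --network="$network" \
    --direction=egress --action=deny --rules=all \
    --destination-ranges="$range" --priority="$deny_prio"
  psc_run gcloud compute firewall-rules create allow-psc-subnet --network="$network" \
    --direction=egress --action=allow --rules=all --target-tags="$tag" \
    --destination-ranges="$range" --priority="$allow_prio"
}

# Usage:
#   psc_firewall_pair vpc-1 10.33.0.0/24 allow-psc            # dry run, prints commands
#   PSC_APPLY=1 psc_firewall_pair vpc-1 10.33.0.0/24 allow-psc
#   printf '1000 deny - 10.33.0.0/24\n100 allow allow-psc 10.33.0.0/24\n' > /tmp/rules.txt
#   psc_egress_decision /tmp/rules.txt allow-psc 10.33.0.7   # allow
#   psc_egress_decision /tmp/rules.txt web 10.33.0.7         # deny
```

The tie rule in the evaluator matters in practice: if someone later adds an allow rule at the same priority as the deny rule, deny still wins, but an allow at any numerically lower priority than 1000 reopens the subnet to whatever instances it targets, so review every egress rule whose priority is below the deny rule's.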