Manage security for Private Service Connect consumers

This page describes how service consumers can configure security for consumer organizations and VPC networks that use Private Service Connect.

Organization policies let administrators broadly control which VPC networks or organizations their projects can connect to by using Private Service Connect endpoints and backends. VPC firewall rules and firewall policies let network administrators control network-level access to Private Service Connect resources. Organization policies and firewall rules are complementary and can be used together.

Roles

To get the permissions that you need to manage organization policies, ask your administrator to grant you the Organization policy administrator (roles/orgpolicy.policyAdmin) IAM role on the organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

To get the permissions that you need to create firewall rules, ask your administrator to grant you the Compute network administrator (roles/compute.networkAdmin) IAM role on the VPC network. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Consumer organization policies

You can use organization policies with list constraints to control the deployment of Private Service Connect endpoints or backends. If an endpoint or backend is blocked by a consumer organization policy, the creation of the resource fails.

For more information, see Consumer-side organization policies.

Block endpoints and backends from connecting to unauthorized service attachments

Resources: endpoints and backends

gcloud

  1. Create a temporary file called /tmp/policy.yaml to store the new policy. Add the following content to the file:
    name: organizations/CONSUMER_ORG/policies/compute.restrictPrivateServiceConnectProducer
    spec:
      rules:
        - values:
            allowedValues:
            - under:organizations/PRODUCER_ORG_NUMBER
            - under:organizations/433637338589
    Replace the following:
    • CONSUMER_ORG: the name of the consumer organization whose endpoints and backends you want to restrict.
    • PRODUCER_ORG_NUMBER: the number of the producer organization whose service attachments endpoints and backends are allowed to connect to.
    For example, the following policy allows endpoints and backends in Consumer-org-1 to connect only to service attachments that are under Producer-org-1, Producer-project-1, or Producer-folder-1:
    name: organizations/Consumer-org-1/policies/compute.restrictPrivateServiceConnectProducer
    spec:
      rules:
        - values:
            allowedValues:
            - under:organizations/Producer-org-1
            - under:projects/Producer-project-1
            - under:folders/Producer-folder-1
  2. Apply the policy.
    gcloud org-policies set-policy /tmp/policy.yaml
  3. View the policy that is in effect.
    gcloud org-policies describe compute.restrictPrivateServiceConnectProducer \
    --effective \
    --organization=CONSUMER_ORG

Block consumers from deploying endpoints by connection type

Resources: endpoints

gcloud

  1. Create a temporary file called /tmp/policy.yaml to store the new policy.
    • To block users in a consumer organization from creating endpoints that connect to Google APIs, add the following content to the file:
    name: organizations/CONSUMER_ORG/policies/compute.disablePrivateServiceConnectCreationForConsumers  
    spec:  
      rules:  
        - values:  
            allowedValues:  
            - SERVICE_PRODUCERS  
    • To block users in a consumer organization from creating endpoints that connect to published services, add the following content to the file:
    name: organizations/CONSUMER_ORG/policies/compute.disablePrivateServiceConnectCreationForConsumers  
    spec:  
      rules:  
        - values:  
            allowedValues:  
            - GOOGLE_APIS  

    Replace CONSUMER_ORG with the name of the consumer organization for which you want to control endpoint deployment.
  2. Apply the policy.
    gcloud org-policies set-policy /tmp/policy.yaml
  3. View the policy that is in effect.
    gcloud org-policies describe compute.disablePrivateServiceConnectCreationForConsumers \
    --effective \
    --organization=CONSUMER_ORG
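The following is an added example, not code from this page or from Google: a small evaluator for the two consumer-side list constraints described above (compute.restrictPrivateServiceConnectProducer with its under: values, and compute.disablePrivateServiceConnectCreationForConsumers with its connection-type values). It assumes a policy is a pure allow-list (allowedValues only), that a request is described by the set of values the constraint inspects (the target service attachment's ancestry, or the connection type), and that creation succeeds only when at least one allowed value matches; the OrgPolicy class and the sample ancestries are constructed for illustration.

```python
"""Evaluate consumer-side Private Service Connect org policies (added example).
Assumption: allow-list semantics only (allowedValues, no deniedValues)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class OrgPolicy:
    constraint: str
    allowed_values: tuple  # entries from spec.rules[].values.allowedValues


def value_matches(allowed: str, request_values: frozenset) -> bool:
    """'under:RESOURCE' matches when RESOURCE appears anywhere in the
    request's resource ancestry; a plain value must match exactly."""
    prefix, sep, resource = allowed.partition(":")
    if sep and prefix == "under":
        return resource in request_values
    if sep:
        raise ValueError(f"unsupported value prefix in {allowed!r}")
    return allowed in request_values


def creation_allowed(policy: OrgPolicy, request_values) -> bool:
    """True if the endpoint/backend create call passes the policy;
    False means the create call fails with an org policy violation."""
    values = frozenset(request_values)
    return any(value_matches(v, values) for v in policy.allowed_values)


# Constructed policies mirroring the YAML shown above.
PRODUCER_POLICY = OrgPolicy(
    "compute.restrictPrivateServiceConnectProducer",
    ("under:organizations/Producer-org-1",
     "under:projects/Producer-project-1",
     "under:folders/Producer-folder-1"))
CONNECTION_TYPE_POLICY = OrgPolicy(
    "compute.disablePrivateServiceConnectCreationForConsumers",
    ("SERVICE_PRODUCERS",))  # published services allowed, Google APIs blocked

# Constructed service-attachment ancestries (project -> folder -> organization).
IN_ALLOWED_FOLDER = ["projects/p-east", "folders/Producer-folder-1", "organizations/Another-org"]
IN_OTHER_ORG = ["projects/p-west", "folders/f-1", "organizations/Another-org"]

if __name__ == "__main__":
    print(creation_allowed(PRODUCER_POLICY, IN_ALLOWED_FOLDER))          # True
    print(creation_allowed(PRODUCER_POLICY, IN_OTHER_ORG))               # False
    print(creation_allowed(CONNECTION_TYPE_POLICY, ["GOOGLE_APIS"]))       # False
    print(creation_allowed(CONNECTION_TYPE_POLICY, ["SERVICE_PRODUCERS"])) # True
```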

Firewall rules

Resources: all

You can use VPC firewall rules or firewall policies to control access to Private Service Connect resources. Egress firewall rules can block or allow access from VM instances to the IP address or subnet of endpoints and backends.

For example, Figure 1 shows a configuration where firewall rules control access to the subnet that the Private Service Connect endpoint is connected to.

Figure 1. Firewall rules control traffic to the endpoint-subnet. Traffic from vm-1 can reach the endpoint-subnet, while traffic from vm-2 is blocked.

  1. The following firewall rule denies all egress traffic to the endpoint subnet:
    gcloud compute firewall-rules create deny-all \
    --network=vpc-1 \
    --direction=egress \
    --action=deny \
    --destination-ranges=10.33.0.0/24 \
    --priority=1000
  2. The following higher-priority firewall rule (a lower priority number) allows egress traffic to the endpoint subnet for VMs with the allow-psc network tag:
    gcloud compute firewall-rules create allow-psc \
    --network=vpc-1 \
    --direction=egress \
    --action=allow \
    --target-tags=allow-psc \
    --destination-ranges=10.33.0.0/24 \
    --priority=100

Use firewall rules to limit access to endpoints or backends

To limit access from VMs to the subnet of an endpoint or backend, do the following:

  1. Create a firewall rule to deny egress traffic to the endpoint or backend subnet.
    gcloud compute firewall-rules create deny-all \
    --network=NETWORK \
    --direction=egress \
    --action=deny \
    --destination-ranges=ENDPOINT_SUBNET_RANGE \
    --priority=1000
    Replace the following:
    • NETWORK: the name of the network of your endpoint or backend.
    • ENDPOINT_SUBNET_RANGE: the IP CIDR range of the endpoint or backend subnet that you want to control access to.
  2. Create a second firewall rule to allow egress traffic from tagged VMs to the endpoint or backend subnet.
    gcloud compute firewall-rules create allow-psc \
    --network=NETWORK \
    --direction=egress \
    --action=allow \
    --target-tags=allow-psc \
    --destination-ranges=ENDPOINT_SUBNET_RANGE \
    --priority=100
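The following is an added example, not code from this page or from Google: a small model of how VPC egress firewall rules decide whether a VM can reach the endpoint subnet, applied to the deny-all / allow-psc pair from both the Figure 1 walkthrough and the procedure above. It assumes rules are evaluated from the lowest priority number (highest priority) upward, the first matching rule decides, a deny wins over an allow at equal priority, and traffic that matches no rule falls through to the implied allow-egress rule; the EgressRule class and the sample VM tags and addresses are constructed for illustration.

```python
"""Model VPC egress firewall evaluation for the endpoint subnet (added example).
Assumptions: lowest priority number wins, first match decides, deny beats
allow at equal priority, unmatched egress falls through to the implied allow."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class EgressRule:
    name: str
    action: str                 # "allow" or "deny", as in --action
    destination_ranges: tuple   # CIDR strings, as in --destination-ranges
    priority: int               # as in --priority (lower number = higher priority)
    target_tags: tuple = ()     # as in --target-tags; empty means all VMs

    def matches(self, vm_tags, dst_ip) -> bool:
        tag_ok = not self.target_tags or bool(set(self.target_tags) & set(vm_tags))
        dst = ip_address(dst_ip)
        return tag_ok and any(dst in ip_network(r) for r in self.destination_ranges)


def egress_allowed(rules, vm_tags, dst_ip):
    """Return (allowed, deciding_rule_name) for one egress flow from a VM
    carrying vm_tags to dst_ip."""
    ordered = sorted(rules, key=lambda r: (r.priority, r.action != "deny"))
    for rule in ordered:
        if rule.matches(vm_tags, dst_ip):
            return rule.action == "allow", rule.name
    return True, "implied-allow-egress"


# Constructed rule set mirroring the two gcloud commands above
# (endpoint subnet 10.33.0.0/24 as in Figure 1).
RULES = (
    EgressRule("deny-all", "deny", ("10.33.0.0/24",), 1000),
    EgressRule("allow-psc", "allow", ("10.33.0.0/24",), 100, ("allow-psc",)),
)

# The same two rules with the priorities swapped: the deny now shadows the allow,
# so even tagged VMs are blocked. This is the misconfiguration to check for.
MISORDERED = (
    EgressRule("deny-all", "deny", ("10.33.0.0/24",), 100),
    EgressRule("allow-psc", "allow", ("10.33.0.0/24",), 1000, ("allow-psc",)),
)

if __name__ == "__main__":
    print(egress_allowed(RULES, ("allow-psc",), "10.33.0.10"))      # vm-1: (True, 'allow-psc')
    print(egress_allowed(RULES, (), "10.33.0.10"))                  # vm-2: (False, 'deny-all')
    print(egress_allowed(RULES, (), "10.0.1.5"))                    # other subnet: implied allow
    print(egress_allowed(MISORDERED, ("allow-psc",), "10.33.0.10")) # (False, 'deny-all')
```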