
Configure Private Service Connect Endpoints

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Private Service Connect (PSC) endpoints are configured for your Virtual Private Cloud (VPC) networks. Private Service Connect lets a consumer VPC network reach Google APIs and services, or services published from another VPC network, through internal IP addresses, so the traffic never traverses the public internet and you do not have to expose or manage public-facing connections. A PSC endpoint is an internal IP address inside the consumer VPC network, implemented as a forwarding rule whose target is a service attachment. A service attachment is the producer-side configuration that points to the producer's load balancer and defines which consumers are allowed to connect; once the producer accepts the connection, clients in the consumer VPC network can reach that load balancer privately, without a public IP address on either side.

Security, Operational excellence

Private Service Connect offers a secure, performant, and scalable way to reach Google Cloud managed services and other producers' services privately from within your VPC network. It removes the need for public IP addresses, NAT, or VPC peering for service access, gives you more granular network control (the producer decides which consumer projects may connect, and the consumer decides which subnets and regions can use the endpoint), and can improve application latency and egress cost. An endpoint only protects traffic that actually flows through it: pair each endpoint with DNS records (Service Directory or a private zone) so clients resolve the service to the endpoint address, and consider restricting public egress from the consumer subnets so workloads cannot silently fall back to the internet path.


Audit

To determine if Private Service Connect endpoints are configured for your VPC networks, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the top navigation bar.

03 Navigate to VPC network console available at https://console.cloud.google.com/networking.

04 In the navigation panel, select VPC networks to access the VPC networks created for the selected GCP project.

05 Copy the name of the consumer VPC network that you want to examine, listed in the Name column.

06 Navigate to Network services console available at https://console.cloud.google.com/net-services.

07 In the navigation panel, choose Private Service Connect and select the CONNECTED ENDPOINTS tab to access the Private Service Connect endpoints configured for the selected project.

08 In the Endpoints section, click inside the Filter box, select Status and Accepted, choose Network, paste the name of your VPC network copied at step no. 5, and press Enter to list only the endpoints configured for the selected VPC network. If no endpoints are returned, there are no Private Service Connect endpoints configured for the selected VPC network.

09 Repeat steps no. 5 – 8 for each consumer VPC network created for the selected project.

10 Repeat steps no. 2 – 9 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output formatting to list the IDs of the Google Cloud Platform (GCP) projects currently available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-main-project-123123
cc-data-project-112233

03 Run compute networks list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output formatting to list the name of each VPC network created within the selected project:

gcloud compute networks list \
  --project cc-main-project-123123 \
  --format="table(name)"

04 The command output should return the names of the VPC networks created for the specified project:

NAME
tm-consumer-vpc
tm-main-vpc-network
tm-producer-vpc
tm-project5-vpc

05 Run compute forwarding-rules list command (Windows/macOS/Linux) with a filter expression that keeps only forwarding rules whose target is a service attachment (this is what distinguishes a Private Service Connect endpoint from an ordinary load balancer forwarding rule) and that belong to the consumer VPC network identified at step no. 4:

gcloud compute forwarding-rules list \
  --project cc-main-project-123123 \
  --filter "target~serviceAttachments AND network~tm-consumer-vpc" \
  --format=json

06 The command output should return a JSON array with the configured PSC endpoints:

[]

If the compute forwarding-rules list command output returns an empty array, i.e. [], as shown in the example above, there are no Private Service Connect (PSC) endpoints configured for the selected VPC network. If the command output returns an array with one or more forwarding rules, confirm that the "network" attribute of each rule refers to the consumer VPC network identified at step no. 4, and check the "pscConnectionStatus" attribute: only an endpoint in the ACCEPTED state carries traffic, so an endpoint that is PENDING, REJECTED or CLOSED should not be counted as private access for that network.

07 Repeat steps no. 5 and 6 for each consumer VPC network created for the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
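The following script is an added example and is not part of the Conformity page or its tooling. It automates steps no. 3 to 7 of the CLI audit: it takes the JSON that `gcloud compute networks list --format=json` and `gcloud compute forwarding-rules list --format=json` return, keeps only forwarding rules that target a service attachment, groups them by consumer VPC network, and reports a network as compliant only when it has at least one endpoint whose `pscConnectionStatus` is `ACCEPTED`. The project ID, network names, endpoint names and the sample JSON records are constructed for illustration; `main()` runs the live gcloud commands, while the pure functions can be exercised offline against the constructed sample. The script checks every VPC network in the project, so networks that only host producers should be excluded by the operator.

```python
"""Audit Private Service Connect endpoints per VPC network.

Pure functions take the JSON returned by `gcloud ... --format=json`; main()
wires them to gcloud for a live run.  All sample data is constructed.
"""
import json
import subprocess
from typing import Dict, List

PROJECT = "cc-main-project-123123"  # assumed project ID, as in the page's examples


def resource_name(uri: str) -> str:
    """Return the trailing resource name of a full Compute Engine URI or short path."""
    return uri.rstrip("/").rsplit("/", 1)[-1]


def is_psc_endpoint(rule: dict) -> bool:
    """A forwarding rule is a PSC endpoint when its target is a service attachment."""
    return "/serviceAttachments/" in rule.get("target", "")


def psc_endpoints_by_network(rules: List[dict]) -> Dict[str, List[dict]]:
    """Group PSC endpoint rules by the short name of their consumer VPC network."""
    grouped: Dict[str, List[dict]] = {}
    for rule in rules:
        if is_psc_endpoint(rule):
            grouped.setdefault(resource_name(rule["network"]), []).append(rule)
    return grouped


def audit_networks(networks: List[str], rules: List[dict]) -> Dict[str, dict]:
    """Map each VPC network name to a finding.

    compliant is True only when at least one PSC endpoint in the network has
    pscConnectionStatus ACCEPTED; PENDING/REJECTED/CLOSED endpoints carry no
    traffic and are listed separately so they are not mistaken for coverage.
    """
    grouped = psc_endpoints_by_network(rules)
    findings: Dict[str, dict] = {}
    for net in networks:
        endpoints = grouped.get(net, [])
        accepted = [r["name"] for r in endpoints
                    if r.get("pscConnectionStatus") == "ACCEPTED"]
        other = {r["name"]: r.get("pscConnectionStatus", "UNKNOWN")
                 for r in endpoints if r["name"] not in accepted}
        findings[net] = {"compliant": bool(accepted),
                         "accepted_endpoints": accepted,
                         "other_endpoints": other}
    return findings


def gcloud_json(*args: str) -> list:
    """Run a gcloud list command for PROJECT and parse its JSON output (live mode)."""
    proc = subprocess.run(["gcloud", *args, "--project", PROJECT, "--format=json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


# Constructed sample data in the shape gcloud returns; not real project output.
_BASE = f"https://www.googleapis.com/compute/v1/projects/{PROJECT}"
SAMPLE_NETWORKS = ["tm-consumer-vpc", "tm-main-vpc-network", "tm-producer-vpc"]
SAMPLE_RULES = [
    {   # healthy PSC endpoint in the consumer VPC
        "name": "tm-psc-endpoint-001", "IPAddress": "10.2.0.10",
        "network": f"{_BASE}/global/networks/tm-consumer-vpc",
        "target": f"{_BASE}/regions/us-central1/serviceAttachments/tm-psc-service-attachment",
        "pscConnectionStatus": "ACCEPTED",
    },
    {   # PSC endpoint the producer has not accepted yet
        "name": "tm-psc-endpoint-002", "IPAddress": "10.5.0.10",
        "network": f"{_BASE}/global/networks/tm-main-vpc-network",
        "target": f"{_BASE}/regions/us-central1/serviceAttachments/tm-other-attachment",
        "pscConnectionStatus": "PENDING",
    },
    {   # ordinary internal load balancer rule; not a PSC endpoint
        "name": "tm-ilb-rule", "IPAddress": "10.4.0.5",
        "network": f"{_BASE}/global/networks/tm-producer-vpc",
        "target": f"{_BASE}/regions/us-central1/targetHttpProxies/tm-proxy",
    },
]


def main() -> None:
    networks = [n["name"] for n in gcloud_json("compute", "networks", "list")]
    rules = gcloud_json("compute", "forwarding-rules", "list")
    for net, finding in audit_networks(networks, rules).items():
        state = "OK  " if finding["compliant"] else "FAIL"
        print(f"{state} {net}: accepted={finding['accepted_endpoints']} "
              f"other={finding['other_endpoints']}")


if __name__ == "__main__":
    main()
```

Run it once per project (change PROJECT or wrap main() in a loop over `gcloud projects list`); a FAIL line with a non-empty other_endpoints value means an endpoint exists but the producer has not accepted it, which is a different remediation than creating a new endpoint.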

Remediation / Resolution

To create and configure Private Service Connect (PSC) endpoints for privately accessing services in another VPC network, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the top navigation bar.

03 Navigate to Network services console available at https://console.cloud.google.com/net-services and choose Private Service Connect from the navigation panel.

04 Before you can create and configure your Private Service Connect (PSC) endpoint, you must obtain the service attachment URI for Private Service Connect. On the Private Service Connect page, select the PUBLISHED SERVICES tab, click inside the Filter box, select Network, type the name of your producer VPC network, and press Enter. Click on the name (link) of the listed service, select the DETAILS tab, and copy the Service attachment attribute value (i.e. service attachment URI).

05 Navigate back to the Private Service Connect page, select the CONNECTED ENDPOINTS tab, and choose CONNECT ENDPOINT to set up a new Private Service Connect (PSC) endpoint for your consumer VPC network.

06 On the Connect endpoint setup page, perform the following actions:

  1. For Target choose Published service.
  2. Paste the service attachment URI copied at step no. 4 in the Target service box.
  3. Enter a unique name for your new PSC endpoint in the Endpoint name box.
  4. For Network, choose your consumer VPC network.
  5. For Subnetwork, select the VPC subnet that you want to use with Private Service Connect.
  6. Click inside the IP address box, choose CREATE IP ADDRESS and reserve a new static internal IPv4 address.
  7. (Optional) To let clients in any region of the consumer VPC network use the endpoint, rather than only clients in the endpoint's own region, select the Enable global access checkbox.
  8. Select the Service Directory namespace that you want to use from the Namespace dropdown list or choose CREATE NAMESPACE to create a new one. If you specify a namespace that doesn't exist, the namespace is created. If you omit the Service Directory namespace, the default namespace of goog-psc-default is used.
  9. Choose ADD ENDPOINT to deploy your new Private Service Connect (PSC) endpoint. Once deployed successfully, the PSC endpoint status will change to Accepted.

07 If required, repeat steps no. 4 – 6 to create and configure new Private Service Connect endpoints.

08 Repeat steps no. 2 – 7 for each GCP project deployed within your Google Cloud account.

Using GCP CLI

01 Before you can create and configure your Private Service Connect (PSC) endpoint, you must obtain the service attachment URI for Private Service Connect. Run compute service-attachments list command (Windows/macOS/Linux) to list the URI of each service attachment available within the selected GCP project:

gcloud compute service-attachments list \
  --uri \
  --project cc-main-project-123123

02 The command output should return the full URI of each service attachment available for the project:

https://www.googleapis.com/compute/v1/projects/cc-main-project-123123/regions/us-central1/serviceAttachments/tm-psc-service-attachment

03 To reserve the static internal IPv4 address required for the PSC endpoint, run compute addresses create command (Windows/macOS/Linux). The address must fall inside the range of the specified subnet, and the subnet must be in the same region as the service attachment, because a PSC endpoint for a published service is created in the service attachment's region:

gcloud compute addresses create tm-service-connect-ipv4 \
  --project cc-main-project-123123 \
  --region=us-central1 \
  --subnet=tm-psc-subnet \
  --addresses 10.2.0.10

04 The command output should return the internal IPv4 address URI:

Created [https://www.googleapis.com/compute/v1/projects/cc-main-project-123123/regions/us-central1/addresses/tm-service-connect-ipv4].

05 Run compute forwarding-rules create command (Windows/macOS/Linux) to create your new Private Service Connect (PSC) endpoint in the consumer VPC network. For the --target-service-attachment parameter, use the service attachment returned at step no. 2, either as the full URI or in the short form projects/SERVICE-PROJECT-NAME/regions/REGION/serviceAttachments/SERVICE-ATTACHMENT-NAME:

gcloud compute forwarding-rules create tm-psc-endpoint-001 \
  --project cc-main-project-123123 \
  --region=us-central1 \
  --network=tm-consumer-vpc \
  --address=tm-service-connect-ipv4 \
  --target-service-attachment=projects/cc-main-project-123123/regions/us-central1/serviceAttachments/tm-psc-service-attachment

06 The command output should return the Private Service Connect (PSC) endpoint URI. The endpoint becomes usable only after the producer's service attachment accepts the connection (automatically, or manually if the attachment uses an accept list); verify this with compute forwarding-rules describe and confirm that the "pscConnectionStatus" attribute is ACCEPTED before pointing DNS at the endpoint:

Created [https://www.googleapis.com/compute/v1/projects/cc-main-project-123123/regions/us-central1/forwardingRules/tm-psc-endpoint-001].

07 If required, repeat steps no. 1 – 6 to create and configure new Private Service Connect endpoints.

08 Repeat steps no. 1 – 7 for each GCP project deployed in your Google Cloud account.


Publication date May 6, 2024