End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and its End of Life on July 31st, 2026. The same capabilities and much more are available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One.

Configure Private Service Connect Endpoints

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Private Service Connect (PSC) endpoints are configured for your Vertex AI notebook instances. PSC enables your Google Cloud (GCP) consumer projects and Virtual Private Cloud (VPC) networks to connect to services in other VPC networks. This is achieved through a forwarding rule that deploys an endpoint, ensuring traffic never touches the public internet. This setup significantly enhances security and eliminates the complexities of managing public connections. PSC endpoints are internal IP addresses within a consumer VPC network, providing secure and private access to Google APIs and services. These endpoints are established via forwarding rules linked to a service attachment. PSC service attachments are configurations that point to a producer's load balancer, allowing clients in a consumer VPC network to access that load balancer privately and securely.

Security

Private Service Connect offers a secure, performant, and scalable approach to accessing Google Cloud managed services privately from within your VPC network. It strengthens security posture, provides more granular network control, and can contribute to improved application performance and cost management.


Audit

To determine if Private Service Connect endpoints are configured for your Vertex AI instances, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the top navigation bar.

03 Navigate to Vertex AI console available at https://console.cloud.google.com/vertex-ai.

04 In the left navigation panel, under Notebooks, choose Workbench, and select the Instances tab.

05 Choose View: Instances to list the Vertex AI notebook instances created for the selected GCP project.

06 Click on the name (link) of the notebook instance that you want to examine.

07 Select the System tab and copy the name of the consumer VPC network associated with the instance, listed next to Subnetwork.

08 Navigate to Network services console available at https://console.cloud.google.com/net-services.

09 In the left navigation panel, choose Private Service Connect and select the Connected endpoints tab to access the Private Service Connect endpoints configured for the selected GCP project.

10 In the Endpoints section, click inside the Filter box, select Status, type Accepted, and press Enter, then choose Network, paste the name of your VPC network copied at step no. 7, and press Enter. This will list only the endpoints configured for the selected VPC network. If no endpoints are returned, there are no Private Service Connect endpoints configured for the selected Vertex AI resource.

11 Repeat steps no. 6 – 10 for each Vertex AI instance created for the selected project.

12 Repeat steps no. 2 – 11 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the IDs of the Google Cloud Platform (GCP) projects currently available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-main-project-123123
cc-data-project-112233

03 Run workbench instances list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter, to describe the name of each Vertex AI notebook instance created for the selected project:

gcloud workbench instances list \
	--project cc-main-project-123123 \
	--location=us-central1-a \
	--format="(NAME)"

04 The command output should return the requested notebook instance names:

NAME: cc-vertex-ai-notebook-instance
NAME: cc-development-notebook-instance

05 Run workbench instances describe command (Windows/macOS/Linux) with the name of the Vertex AI notebook instance that you want to examine as the identifier parameter and custom output filters to describe the identifier of the VPC network associated with the notebook instance:

gcloud workbench instances describe cc-vertex-ai-notebook-instance \
	--location=us-central1-a \
	--format="value(gceSetup.networkInterfaces[].network)"

06 The command output should return the requested resource identifier (URL):

https://www.googleapis.com/compute/v1/projects/cc-main-project-123123/global/networks/consumer-vpc-network

07 Run compute forwarding-rules list command (Windows/macOS/Linux) with custom filtering to list the Private Service Connect (PSC) endpoints configured for the VPC network associated with your Vertex AI instance (i.e., consumer VPC network):

gcloud compute forwarding-rules list \
	--project cc-main-project-123123 \
	--filter "target~serviceAttachments" \
	--format="json"

08 The command output should return an array with configured PSC endpoints:

[]

If the compute forwarding-rules list command output returns an empty array, i.e., [], as shown in the example above, there are no Private Service Connect (PSC) endpoints configured for the consumer VPC network. If the command output returns an array with one or more endpoints, check the "network" attribute value to determine if the selected consumer VPC network, identified in step no. 6, is associated with a PSC endpoint.

09 Repeat steps no. 5 – 8 for each Vertex AI instance created for the selected project.

10 Repeat steps no. 3 – 9 for each GCP project deployed in your Google Cloud account.
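The check described in steps no. 5 – 8 (take the network of the Workbench instance, list forwarding rules that target a service attachment, and keep only those whose "network" attribute matches) can be automated. The following script is an added example, not Trend Micro's or Google's code. It assumes the forwarding-rule JSON carries the pscConnectionStatus field with the value ACCEPTED for connected endpoints, and it embeds a constructed sample of the gcloud output so the matching logic runs offline; the audit_instance function is the live variant and needs gcloud and credentials.

```python
import json
import re
import subprocess
from typing import Iterable

# A PSC endpoint is a forwarding rule whose target is a service attachment;
# this mirrors the "target~serviceAttachments" filter used in the audit command.
SERVICE_ATTACHMENT_RE = re.compile(r"/serviceAttachments/[^/]+$")

# Constructed base self-link, reusing the sample project ID from this page.
BASE = "https://www.googleapis.com/compute/v1/projects/cc-main-project-123123"


def network_key(url: str) -> str:
    """Reduce a VPC network reference to 'projects/<id>/global/networks/<name>'.

    gcloud prints full self-links while some API responses use the relative
    form; normalising both lets them compare equal.
    """
    idx = url.find("projects/")
    return url[idx:] if idx >= 0 else url


def psc_endpoints_for_network(network_url: str, rules: Iterable[dict]) -> list[dict]:
    """Return the accepted PSC endpoints attached to the given consumer VPC network."""
    wanted = network_key(network_url)
    matches = []
    for rule in rules:
        if not SERVICE_ATTACHMENT_RE.search(rule.get("target", "")):
            continue  # ordinary load-balancer rule, not a PSC endpoint
        if network_key(rule.get("network", "")) != wanted:
            continue  # endpoint lives in a different VPC network
        # Assumed field: pscConnectionStatus (ACCEPTED / PENDING / REJECTED / CLOSED)
        if rule.get("pscConnectionStatus", "").upper() != "ACCEPTED":
            continue  # endpoint exists but the producer has not accepted it
        matches.append(rule)
    return matches


def is_compliant(network_url: str, rules: Iterable[dict]) -> bool:
    """True when at least one accepted PSC endpoint serves the network."""
    return bool(psc_endpoints_for_network(network_url, rules))


# Constructed sample shaped like "gcloud compute forwarding-rules list --format=json" output.
SAMPLE_NETWORK = f"{BASE}/global/networks/consumer-vpc-network"
SAMPLE_RULES = [
    {"name": "cc-psc-endpoint-001",
     "network": SAMPLE_NETWORK,
     "target": f"{BASE}/regions/us-central1/serviceAttachments/cc-psc-service-attachment",
     "pscConnectionStatus": "ACCEPTED"},
    {"name": "cc-internal-lb-rule",  # plain internal LB rule: must not count
     "network": SAMPLE_NETWORK,
     "target": f"{BASE}/regions/us-central1/targetHttpProxies/cc-ilb-proxy",
     "loadBalancingScheme": "INTERNAL_MANAGED"},
    {"name": "cc-psc-endpoint-pending",  # right network, but not yet accepted
     "network": SAMPLE_NETWORK,
     "target": f"{BASE}/regions/us-central1/serviceAttachments/cc-other-attachment",
     "pscConnectionStatus": "PENDING"},
    {"name": "cc-psc-endpoint-other-vpc",  # accepted, but in another VPC network
     "network": f"{BASE}/global/networks/other-vpc",
     "target": f"{BASE}/regions/us-central1/serviceAttachments/cc-psc-service-attachment",
     "pscConnectionStatus": "ACCEPTED"},
]


def gcloud_json(*args: str):
    """Run a gcloud command with --format=json and parse the result (needs gcloud + credentials)."""
    proc = subprocess.run(["gcloud", *args, "--format=json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def audit_instance(project: str, instance: str, location: str) -> dict[str, bool]:
    """Live audit: map each network of a Workbench instance to its compliance state."""
    desc = gcloud_json("workbench", "instances", "describe", instance,
                       "--project", project, "--location", location)
    rules = gcloud_json("compute", "forwarding-rules", "list", "--project", project)
    nics = desc.get("gceSetup", {}).get("networkInterfaces", [])
    return {nic["network"]: is_compliant(nic["network"], rules) for nic in nics}


if __name__ == "__main__":
    for rule in psc_endpoints_for_network(SAMPLE_NETWORK, SAMPLE_RULES):
        print("accepted PSC endpoint:", rule["name"])
    print("compliant:", is_compliant(SAMPLE_NETWORK, SAMPLE_RULES))
```

Run against the constructed sample, only cc-psc-endpoint-001 is reported: the internal load-balancer rule is not a PSC endpoint, the pending endpoint is not yet usable, and the endpoint in other-vpc does not serve the instance's network. Against a live project, audit_instance repeats the same comparison for every network interface of the instance.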

Remediation / Resolution

To create and configure Private Service Connect (PSC) endpoints for privately accessing Vertex AI resources in another VPC network, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the top navigation bar.

03 Navigate to Network services console available at https://console.cloud.google.com/net-services and choose Private Service Connect from the left navigation panel.

04 Before you can create and configure your Private Service Connect (PSC) endpoint, you must obtain the service attachment URI for Private Service Connect. On the Private Service Connect page, select the Published services tab, click inside the Filter box, select Network, type the name of your producer VPC network, and press Enter. Click on the name (link) of the listed service, select the Details tab, and copy the Service attachment attribute value (i.e., service attachment URI).

05 Navigate back to the Private Service Connect page, select the Connected endpoints tab, and choose Connect endpoint to set up a new Private Service Connect (PSC) endpoint for your consumer VPC network.

06 On the Connect endpoint setup page, perform the following actions:

  1. For Target, choose Published service.
  2. Paste the service attachment URI copied in step no. 4 into the Target service box.
  3. Enter a unique name for your new PSC endpoint in the Endpoint name box.
  4. For Network, choose your consumer VPC network.
  5. For Subnetwork, select the VPC subnet that you want to use with Private Service Connect.
  6. Click inside the IP address box, choose Create IP address, and reserve a new static internal IPv4 address.
  7. (Optional) To make the new endpoint available from any region, select the Enable global access checkbox.
  8. Choose Service directory and select the Service Directory namespace that you want to use from the Namespace dropdown list. If you specify a namespace that doesn't exist, the namespace is created. If you omit the Service Directory namespace, the default namespace of goog-psc-default is used.
  9. Choose Add endpoint to deploy your new Private Service Connect (PSC) endpoint. Once deployed successfully, the PSC endpoint status will change to Accepted.

07 If required, repeat steps no. 4 – 6 to create and configure new Private Service Connect endpoints.

08 Repeat steps no. 2 – 7 for each GCP project deployed within your Google Cloud account.

Using GCP CLI

01 Before you can create and configure your Private Service Connect (PSC) endpoint, you must obtain the service attachment URI for Private Service Connect. Run compute service-attachments list command (Windows/macOS/Linux) to describe the URI of each service attachment available within the selected GCP project:

gcloud compute service-attachments list \
	--uri \
	--project cc-main-project-123123

02 The command output should return the full URI of each service attachment available for the project:

https://www.googleapis.com/compute/v1/projects/cc-main-project-123123/regions/us-central1/serviceAttachments/cc-psc-service-attachment

03 To reserve the static internal IPv4 address required for the PSC endpoint, run compute addresses create command (Windows/macOS/Linux):

gcloud compute addresses create cc-service-connect-ipv4 \
	--project cc-main-project-123123 \
	--region=us-central1 \
	--subnet=cc-psc-subnet \
	--addresses 10.2.0.20

04 The command output should return the internal IPv4 address URI:

Created [https://www.googleapis.com/compute/v1/projects/cc-main-project-123123/regions/us-central1/addresses/cc-service-connect-ipv4].

05 Run compute forwarding-rules create command (Windows/macOS/Linux) to create your new Private Service Connect (PSC) endpoint. For the --target-service-attachment parameter, use the service attachment URI returned in step no. 2 in the following format: projects/PROJECT_ID/regions/REGION/serviceAttachments/SERVICE_ATTACHMENT_NAME:

gcloud compute forwarding-rules create cc-psc-endpoint-001 \
	--project cc-main-project-123123 \
	--region=us-central1 \
	--network=cc-consumer-vpc \
	--address=cc-service-connect-ipv4 \
	--target-service-attachment=projects/cc-main-project-123123/regions/us-central1/serviceAttachments/cc-psc-service-attachment

06 The command output should return the Private Service Connect (PSC) endpoint URI:

Created [https://www.googleapis.com/compute/v1/projects/cc-main-project-123123/regions/us-central1/forwardingRules/cc-psc-endpoint-001].

07 If required, repeat steps no. 1 – 6 to create and configure new Private Service Connect endpoints.

08 Repeat steps no. 1 – 7 for each GCP project deployed in your Google Cloud account.

Publication date Jul 29, 2025