Manage security for Private Service Connect consumers

This page describes how service consumers can configure security for consumer organizations and VPC networks that use Private Service Connect.

Organization policies let administrators broadly control which VPC networks or organizations their projects can connect to by using Private Service Connect endpoints and backends. VPC firewall rules and firewall policies let network administrators control network-level access to Private Service Connect resources. Organization policies and firewall rules are complementary and can be used together: the organization policy decides whether an endpoint or backend can be created at all, and the firewall rules decide which VMs can reach it once it exists.

Roles

To get the permissions that you need to manage organization policies, ask your administrator to grant you the Organization policy administrator (roles/orgpolicy.policyAdmin) IAM role on the organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

To get the permissions that you need to create firewall rules, ask your administrator to grant you the Compute network administrator (roles/compute.networkAdmin) IAM role on the VPC network.

You might also be able to get the required permissions through custom roles or other predefined roles.

Consumer organization policies

You can use organization policies with list constraints to control the deployment of Private Service Connect endpoints or backends. If an endpoint or backend is blocked by a consumer organization policy, the creation of the resource fails.

For more information, see Consumer-side organization policies.

Block endpoints and backends from connecting to unauthorized service attachments

Resources: endpoints and backends

gcloud

  1. Create a temporary file called /tmp/policy.yaml to store the new policy. Add the following content to the file:

    name: organizations/CONSUMER_ORG/policies/compute.restrictPrivateServiceConnectProducer
    spec:
      rules:
      - values:
          allowedValues:
          - under:organizations/PRODUCER_ORG_NUMBER
          - under:organizations/433637338589

    Replace the following:

    • CONSUMER_ORG: the organization resource ID of the organization that you want to control endpoint and backend connections in.
    • PRODUCER_ORG_NUMBER: the numeric organization resource ID of the producer organization that you want to let endpoints and backends connect to.

    To block endpoints and backends from connecting to service attachments that are owned by Google, remove the following item from the allowedValues section: - under:organizations/433637338589.

    To specify additional organizations that can connect to service attachments in your project, include additional entries in the allowedValues section. Because the constraint is an allow list, any service attachment whose project is not under one of the listed values is blocked.

    In addition to organizations, you can specify authorized folders and projects in the following form:

    • under:folders/FOLDER_ID

      The FOLDER_ID must be the numeric ID.

    • under:projects/PROJECT_ID

      The PROJECT_ID must be the string ID.

    For example, the following can be used to create an organization policy that blocks endpoints and backends in Consumer-org-1 from connecting to service attachments unless the service attachments are associated with an allowed value or a descendant of an allowed value. The allowed values are the organization Producer-org-1, the project Producer-project-1, and the folder Producer-folder-1. (These are placeholder names; in a real policy the organization and folder values are numeric IDs, as described above.)

    name: organizations/Consumer-org-1/policies/compute.restrictPrivateServiceConnectProducer
    spec:
      rules:
      - values:
          allowedValues:
          - under:organizations/Producer-org-1
          - under:projects/Producer-project-1
          - under:folders/Producer-folder-1
  2. Apply the policy.

    gcloud org-policies set-policy /tmp/policy.yaml
  3. View the policy that is in effect.

    gcloud org-policies describe compute.restrictPrivateServiceConnectProducer \
        --effective \
        --organization=CONSUMER_ORG

Block consumers from deploying endpoints by connection type

Resources: endpoints

gcloud

  1. Create a temporary file called /tmp/policy.yaml to store the new policy. The constraint is an allow list of endpoint types, so listing one type blocks creation of the other.

    • To block users in a consumer organization from creating endpoints that connect to Google APIs, allow only SERVICE_PRODUCERS by adding the following content to the file:

      name: organizations/CONSUMER_ORG/policies/compute.disablePrivateServiceConnectCreationForConsumers
      spec:
        rules:
        - values:
            allowedValues:
            - SERVICE_PRODUCERS
    • To block users in a consumer organization from creating endpoints that connect to published services, allow only GOOGLE_APIS by adding the following content to the file:

      name: organizations/CONSUMER_ORG/policies/compute.disablePrivateServiceConnectCreationForConsumers
      spec:
        rules:
        - values:
            allowedValues:
            - GOOGLE_APIS

    Replace CONSUMER_ORG with the organization resource ID of the consumer organization for which you want to control endpoint deployment.

  2. Apply the policy.

    gcloud org-policies set-policy /tmp/policy.yaml
  3. View the policy that is in effect.

    gcloud org-policies describe compute.disablePrivateServiceConnectCreationForConsumers \
        --effective \
        --organization=CONSUMER_ORG
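The two procedures above (restricting producers, and restricting endpoint types) both end in the same steps: write a policy file, apply it, and read back the effective policy. The following shell script is an added example, not code from the Google page: it builds either policy from its arguments, rejects malformed allowed values before gcloud sees them (a non-numeric folder or organization ID, or an invalid project ID, is the usual cause of a rejected policy), and only then applies it. The function names are hypothetical; the organization, folder and project IDs in the usage comment are constructed. Applying requires gcloud authenticated as an Organization policy administrator on the consumer organization, but building and checking the YAML runs offline.

```sh
#!/bin/sh
# Added example (not from the Google page). Function names are hypothetical.
# Google-owned producer organization named on the page; kept in the allow list
# unless the caller passes --no-google.
GOOGLE_PRODUCER_ORG=433637338589

# Validate one allowedValues entry for compute.restrictPrivateServiceConnectProducer:
#   under:organizations/NUMERIC_ID, under:folders/NUMERIC_ID, under:projects/STRING_ID
# Returns 0 when well-formed, 1 otherwise, so a typo fails here rather than at set-policy.
psc_check_value() {
  id=${1#*/}
  case "$1" in
    under:organizations/*|under:folders/*)
      case "$id" in ''|*[!0-9]*) return 1 ;; esac ;;
    under:projects/*)
      # Project IDs: 6-30 chars, lowercase letters, digits and hyphens,
      # starting with a letter and not ending with a hyphen.
      case "$id" in [a-z]*) ;; *) return 1 ;; esac
      case "$id" in *[!a-z0-9-]*|*-) return 1 ;; esac
      [ "${#id}" -ge 6 ] && [ "${#id}" -le 30 ] || return 1 ;;
    *) return 1 ;;
  esac
}

# Print the producer-restriction policy. $1 = consumer org ID; remaining args =
# allowed values. Pass --no-google as the first value to omit the Google-owned org.
psc_producer_policy() {
  org=$1; shift
  with_google=1
  if [ "${1:-}" = "--no-google" ]; then with_google=0; shift; fi
  [ $# -gt 0 ] || { echo "psc_producer_policy: no allowed values given" >&2; return 1; }
  for v in "$@"; do
    psc_check_value "$v" || { echo "psc_producer_policy: bad value '$v'" >&2; return 1; }
  done
  printf 'name: organizations/%s/policies/compute.restrictPrivateServiceConnectProducer\n' "$org"
  printf 'spec:\n  rules:\n  - values:\n      allowedValues:\n'
  for v in "$@"; do printf '      - %s\n' "$v"; done
  if [ "$with_google" -eq 1 ]; then printf '      - under:organizations/%s\n' "$GOOGLE_PRODUCER_ORG"; fi
}

# Print the endpoint-type policy. $2 is the ONLY endpoint type consumers may create:
# allowing SERVICE_PRODUCERS blocks Google APIs endpoints, and vice versa.
psc_endpoint_type_policy() {
  org=$1; allowed=$2
  case "$allowed" in
    GOOGLE_APIS|SERVICE_PRODUCERS) ;;
    *) echo "psc_endpoint_type_policy: type must be GOOGLE_APIS or SERVICE_PRODUCERS" >&2; return 1 ;;
  esac
  printf 'name: organizations/%s/policies/compute.disablePrivateServiceConnectCreationForConsumers\n' "$org"
  printf 'spec:\n  rules:\n  - values:\n      allowedValues:\n      - %s\n' "$allowed"
}

# Apply a policy file and show the effective policy (needs gcloud credentials).
# Usage: psc_apply_policy CONSUMER_ORG CONSTRAINT FILE
psc_apply_policy() {
  org=$1; constraint=$2; file=$3
  gcloud org-policies set-policy "$file" &&
  gcloud org-policies describe "$constraint" --effective --organization="$org"
}

# Example session with constructed IDs:
#   psc_producer_policy 123456789012 under:organizations/987654321098 \
#       under:projects/producer-project-1 > /tmp/policy.yaml \
#   && psc_apply_policy 123456789012 compute.restrictPrivateServiceConnectProducer /tmp/policy.yaml
```

The validation deliberately mirrors the page's stated rules: `under:organizations/` and `under:folders/` take numeric IDs only, `under:projects/` takes the string project ID. Note that `psc_endpoint_type_policy` takes the type you want to keep, not the one you want to block, because the constraint is an allow list.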

Firewall rules

Resources: all

You can use VPC firewall rules or firewall policies to control access to Private Service Connect resources. Egress firewall rules can block or allow access from VM instances to the IP address or subnet of endpoints and backends.

For example, figure 1 describes a configuration where firewall rules control access to the subnet that the Private Service Connect endpoint is connected to.

Figure 1. Firewall rules control traffic to the endpoint-subnet. Traffic from vm-1 can reach the endpoint-subnet, while traffic from vm-2 is blocked.
  1. The following firewall rule denies all egress traffic from every VM in the network to the endpoint subnet (`--rules=all` covers every protocol and port; gcloud requires `--rules` or `--allow` on each rule):

    gcloud compute firewall-rules create deny-all \
        --network=vpc-1 \
        --direction=egress \
        --action=deny \
        --rules=all \
        --destination-ranges=10.33.0.0/24 \
        --priority=1000
  2. The following firewall rule allows egress traffic to the endpoint subnet for VMs with the allow-psc network tag. Its priority value (100) is numerically lower than the deny rule's (1000), so it is evaluated first and wins for tagged VMs; if the numbers were the other way round, the tag would have no effect:

    gcloud compute firewall-rules create allow-psc \
        --network=vpc-1 \
        --direction=egress \
        --action=allow \
        --rules=all \
        --target-tags=allow-psc \
        --destination-ranges=10.33.0.0/24 \
        --priority=100

Use firewall rules to limit access to endpoints or backends

To limit access from VMs to the subnet of an endpoint or backend, do the following.

  1. Create a firewall rule to deny egress traffic to the endpoint or backend subnet.

    gcloud compute firewall-rules create deny-all \
        --network=NETWORK \
        --direction=egress \
        --action=deny \
        --rules=all \
        --destination-ranges=ENDPOINT_SUBNET_RANGE \
        --priority=1000

    Replace the following:

    • NETWORK: the name of the network of your endpoint or backend.
    • ENDPOINT_SUBNET_RANGE: the IP CIDR range of the endpoint or backend subnet that you want to control access to.
  2. Create a second firewall rule, with a numerically lower (that is, higher precedence) priority, to allow egress traffic from tagged VMs to the endpoint or backend subnet.

    gcloud compute firewall-rules create allow-psc \
        --network=NETWORK \
        --direction=egress \
        --action=allow \
        --rules=all \
        --target-tags=allow-psc \
        --destination-ranges=ENDPOINT_SUBNET_RANGE \
        --priority=100
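The deny-plus-allow pair above only works because of the evaluation order of VPC firewall rules: rules are tried from the lowest priority number upward, the first rule whose target and destination match decides, and when nothing matches the implied allow-egress rule applies. The following shell script is an added example, not code from the Google page, that models that evaluation offline for the two rules above and for the same two rules with their priorities swapped, so you can confirm what a VM with or without the allow-psc tag can reach before you deploy. The function names and the rule-table format are hypothetical; the VM tags and destination addresses are constructed.

```sh
#!/bin/sh
# Added example (not from the Google page). Function names are hypothetical.

# Rule table: "priority action target-tag destination-cidr". Tag "-" means all
# instances in the network (a rule created without --target-tags), as in deny-all.
PSC_RULES='1000 deny - 10.33.0.0/24
100 allow allow-psc 10.33.0.0/24'

# Same rules with the priorities reversed: the allow rule now has the larger
# number, so the deny rule is evaluated first and the tag never matters.
PSC_RULES_SWAPPED='100 deny - 10.33.0.0/24
1000 allow allow-psc 10.33.0.0/24'

# Dotted-quad IPv4 address to an integer.
ip4_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: returns 0 if IP lies inside CIDR, 1 otherwise.
in_cidr() {
  ip=$(ip4_to_int "$1"); net=$(ip4_to_int "${2%/*}"); bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# egress_decision RULES "TAG1 TAG2 ..." DEST_IP: prints allow or deny.
# Rules are evaluated from the lowest priority number; the first rule that
# targets this VM and covers DEST_IP decides. No match means the implied
# allow-egress rule (priority 65535) applies.
egress_decision() {
  rules=$1; tags=" $2 "; dest=$3
  decision=$(printf '%s\n' "$rules" | sort -n | while read -r prio action tag cidr; do
    if [ "$tag" != "-" ]; then
      # Targeted rule: applies only if the VM carries that network tag.
      case "$tags" in *" $tag "*) ;; *) continue ;; esac
    fi
    if in_cidr "$dest" "$cidr"; then printf '%s\n' "$action"; break; fi
  done)
  printf '%s\n' "${decision:-allow}"
}

# Constructed scenario matching figure 1: vm-1 carries allow-psc, vm-2 does not.
#   egress_decision "$PSC_RULES" "allow-psc" 10.33.0.10      -> allow
#   egress_decision "$PSC_RULES" "" 10.33.0.10               -> deny
#   egress_decision "$PSC_RULES" "" 10.44.0.10               -> allow (implied rule)
#   egress_decision "$PSC_RULES_SWAPPED" "allow-psc" 10.33.0.10 -> deny
```

The swapped table is the case to remember: giving the allow rule priority 1000 and the deny rule priority 100 produces a configuration that looks complete but blocks the tagged VMs too. Because network tags can be set by anyone who can edit the instance, treat the allow-psc tag itself as a security-relevant setting and restrict who can modify instances in the network.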

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.