Configure security for network attachments
This page describes how consumer network administrators can manage security in VPC networks that use network attachments.
Private Service Connect interfaces are created and managed by a producer organization, but they are located in a consumer VPC network. For consumer-side security, we recommend firewall rules that are based on IP address ranges from the consumer VPC network. This approach lets the consumer control traffic that comes from Private Service Connect interfaces without relying on the producer's network tags.
Using network tags with firewall rules is supported, but not recommended, because the consumer does not control those tags.
Limit producer-to-consumer ingress
Consider the example configuration in figure 1, where the consumer wants to grant the producer access to producer-ingress-subnet and block the producer from accessing restricted-subnet.
Figure 1. Firewall rules help ensure that traffic from the producer subnet can only reach VMs in the attachment-subnet and producer-ingress-subnet subnets.
The following firewall rules allow limited producer-to-consumer ingress:
A low-priority rule denies all egress traffic from the IP address range of the network attachment's subnet, attachment-subnet:

gcloud compute firewall-rules create deny-all-egress \
    --network=consumer-vpc \
    --action=DENY \
    --rules=ALL \
    --direction=EGRESS \
    --priority=65534 \
    --source-ranges="10.0.1.48/28" \
    --destination-ranges="0.0.0.0/0"

A higher-priority rule allows egress from the IP address range of attachment-subnet to destinations in the address range of producer-ingress-subnet:

gcloud compute firewall-rules create allow-limited-egress \
    --network=consumer-vpc \
    --action=ALLOW \
    --rules=ALL \
    --direction=EGRESS \
    --priority=1000 \
    --source-ranges="10.0.1.48/28" \
    --destination-ranges="10.10.2.0/24"

An allow ingress rule overrides the implied deny ingress rule for traffic from attachment-subnet:

gcloud compute firewall-rules create allow-ingress \
    --network=consumer-vpc \
    --action=ALLOW \
    --rules=ALL \
    --direction=INGRESS \
    --priority=1000 \
    --source-ranges="10.0.1.48/28"
Allow consumer-to-producer egress
If you want to let a consumer network initiate traffic to a producer network, you can use ingress firewall rules.
Consider the example configuration in figure 2, where the consumer wants to let subnet-1 access the producer network through the Private Service Connect connection.
Figure 2. An allow ingress firewall rule lets subnet-1 access the producer network through a Private Service Connect connection, while subnet-2 is blocked by the implied deny ingress rule.
The following firewall rule ensures that only subnet-1 can access the producer network through the Private Service Connect connection:

gcloud compute firewall-rules create vm-subnet-allow-ingress \
    --network=consumer-vpc \
    --action=ALLOW \
    --rules=ALL \
    --direction=INGRESS \
    --priority=1000 \
    --source-ranges="10.10.2.0/24" \
    --destination-ranges="10.0.1.48/28"
Configure producer-to-producer security
You can use VPC firewall rules for security in scenarios where a producer application needs to access another producer application.
Consider a scenario where a consumer uses two different third-party managed services that are hosted in different VPC networks. One service is a database, and the other service provides analytics. The analytics service must connect to the database service to analyze its data. One approach is for the services to create a direct connection. However, if the two third-party services are directly connected, the consumer loses control and visibility over their data.
A more secure approach is to use Private Service Connect interfaces, Private Service Connect endpoints, and VPC firewall rules, as shown in figure 3.
Figure 3. Traffic from the analytics application that's bound for the database application passes through the consumer VPC network. VPC firewall rules limit egress traffic based on source IP address range.
In this approach, the consumer network connects to the database application through an endpoint in one subnet and connects to the analytics application through a network attachment in a different subnet. Traffic from the analytics application can reach the database application by passing through the Private Service Connect interface and network attachment, transiting the consumer network, and egressing through the endpoint in endpoint-subnet.
In the consumer VPC network, a VPC firewall rule denies all egress traffic from attachment-subnet. Another firewall rule that has a higher priority allows egress traffic from attachment-subnet and consumer-private-subnet to the endpoint. Consequently, traffic from the analytics application can reach the database application's VPC network, and this traffic must flow through the endpoint in the consumer.
The following firewall rules create the configuration described in figure 4.
A firewall rule blocks all egress traffic from attachment-subnet:

gcloud compute firewall-rules create consumer-deny-all-egress \
    --network=consumer-vpc \
    --action=DENY \
    --rules=all \
    --direction=EGRESS \
    --priority=65534 \
    --source-ranges="10.0.1.48/28" \
    --destination-ranges="0.0.0.0/0"

A firewall rule allows egress TCP traffic on port 80 from attachment-subnet and consumer-private-subnet to the endpoint:

gcloud compute firewall-rules create consumer-allow-80-egress \
    --network=intf-consumer-vpc \
    --allow=tcp:80 \
    --direction=EGRESS \
    --source-ranges="10.0.1.48/28,10.10.2.0/24" \
    --destination-ranges="10.0.1.66/32" \
    --priority=1000
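To check that the rule sets for figure 1 (limit producer-to-consumer ingress) and figure 3 (producer-to-producer through the endpoint) enforce what the text describes, the following is an added Python model of VPC firewall evaluation; it is not code from this page or from Google Cloud. It assumes the documented semantics (lowest priority number wins per direction, DENY beats ALLOW at equal priority, implied allow-egress and deny-ingress when nothing matches) and encodes only the rules and ranges given above.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of VPC firewall evaluation for the rules on this page:
# per direction the lowest priority number wins, DENY beats ALLOW at equal
# priority, and with no match the implied rules apply (allow all egress,
# deny all ingress).
@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                  # "INGRESS" or "EGRESS"
    action: str                     # "ALLOW" or "DENY"
    priority: int
    source_ranges: tuple = ()       # empty means any source
    destination_ranges: tuple = ()  # empty means any destination
    protocol: str = "all"           # "all" or a protocol such as "tcp"
    ports: tuple = ()               # empty means all ports

def _in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return not ranges or any(addr in ipaddress.ip_network(r) for r in ranges)

def _matches(rule, src, dst, proto, port):
    return (_in_ranges(src, rule.source_ranges)
            and _in_ranges(dst, rule.destination_ranges)
            and rule.protocol in ("all", proto)
            and (not rule.ports or port in rule.ports))

def evaluate(rules, direction, src, dst, proto="tcp", port=80):
    """Return (action, rule_name); rule_name is 'implied' when no rule matched."""
    hits = [r for r in rules
            if r.direction == direction and _matches(r, src, dst, proto, port)]
    if not hits:
        return ("ALLOW" if direction == "EGRESS" else "DENY", "implied")
    best = min(hits, key=lambda r: (r.priority, r.action != "DENY"))
    return (best.action, best.name)

ATTACHMENT = ("10.0.1.48/28",)  # attachment-subnet range from the page
# Figure 1 rules: limit producer-to-consumer ingress.
FIGURE1_RULES = [
    Rule("deny-all-egress", "EGRESS", "DENY", 65534, ATTACHMENT, ("0.0.0.0/0",)),
    Rule("allow-limited-egress", "EGRESS", "ALLOW", 1000, ATTACHMENT, ("10.10.2.0/24",)),
    Rule("allow-ingress", "INGRESS", "ALLOW", 1000, ATTACHMENT),
]
# Figure 3 rules: producer-to-producer traffic forced through the endpoint.
FIGURE3_RULES = [
    Rule("consumer-deny-all-egress", "EGRESS", "DENY", 65534, ATTACHMENT, ("0.0.0.0/0",)),
    Rule("consumer-allow-80-egress", "EGRESS", "ALLOW", 1000,
         ATTACHMENT + ("10.10.2.0/24",), ("10.0.1.66/32",), "tcp", (80,)),
]
```

Evaluating a flow from 10.10.2.0/24 to the endpoint on a port other than 80 against FIGURE3_RULES returns the implied allow, because the catch-all deny on this page covers only attachment-subnet; consumer-private-subnet egress elsewhere is not restricted by these rules.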
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-17 UTC.