Configure security for Private Service Connect interfaces
This page describes how producer network administrators can manage
security in VPC networks that use
Private Service Connect interfaces.
Because a Private Service Connect interface exists in a consumer
Private Service Connect network, a producer organization does not
control firewall rules that apply directly to the interface. If a producer
organization wants to ensure that consumer workloads cannot initiate traffic to
VMs in the producer network, or that only selected consumer workloads can
initiate traffic, they must define security policies in the guest OS of their
interface's VM.
Block consumer-to-producer ingress
You can use iptables to configure a Private Service Connect
interface to block ingress traffic from a consumer network, but still allow
egress traffic from the producer network. This configuration is illustrated by
figure 1.
Consumer traffic is blocked from ingress
through a Private Service Connect interface, but producer
egress traffic is allowed (click to enlarge).
To configure a Private Service Connect interface to block ingress
traffic from the consumer network but allow egress traffic from the producer
network, do the following:
Ensure that firewall rules are configured to
allow ingress SSH connections
to your Private Service Connect interface's VM.
Block consumer-initiated traffic from ingressing through the
Private Service Connect interface:
sudo iptables -A INPUT -j DROP -i OS_INTERFACE_NAME
Block Private Service Connect interface creation
To create Private Service Connect interfaces, users
must have the compute.instances.pscInterfaceCreate Identity and Access Management (IAM)
permission. This permission is included in the following roles:
If you want a user to have the permissions that are associated with these
roles, while preventing that user from creating
Private Service Connect interfaces, you can
Create a custom role and grant
it to the user. Add the necessary permissions to the role. Omit the
compute.instances.pscInterfaceCreate permission.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Configure security for Private Service Connect interfaces\n=========================================================\n\nThis page describes how producer network administrators can manage\nsecurity in VPC networks that use\nPrivate Service Connect interfaces.\n\nBecause a Private Service Connect interface exists in a consumer\nPrivate Service Connect network, a producer organization does not\ncontrol firewall rules that apply directly to the interface. If a producer\norganization wants to ensure that consumer workloads cannot initiate traffic to\nVMs in the producer network, or that only selected consumer workloads can\ninitiate traffic, they must define security policies in the guest OS of their\ninterface's VM.\n\nBlock consumer-to-producer ingress\n----------------------------------\n\nYou can use `iptables` to configure a Private Service Connect\ninterface to block ingress traffic from a consumer network, but still allow\negress traffic from the producer network. This configuration is illustrated by\nfigure 1.\n[](/static/vpc/images/psc-interfaces/block-consumer-to-producer-ingress.svg) Consumer traffic is blocked from ingress through a Private Service Connect interface, but producer egress traffic is allowed (click to enlarge).\n\nTo configure a Private Service Connect interface to block ingress\ntraffic from the consumer network but allow egress traffic from the producer\nnetwork, do the following:\n\n1. Ensure that firewall rules are configured to\n [allow ingress SSH connections](/firewall/docs/using-firewalls#common-use-cases-allow-ssh)\n to your Private Service Connect interface's VM.\n\n2. [Connect](/compute/docs/connect/standard-ssh#connect_to_vms) to the VM.\n\n3. If the `iptables` command isn't available, install it.\n\n4. Allow consumer reply traffic to ingress into the\n Private Service Connect interface:\n\n ```\n sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -i OS_INTERFACE_NAME\n ```\n\n Replace \u003cvar translate=\"no\"\u003eOS_INTERFACE_NAME\u003c/var\u003e with the\n [guest OS name for your Private Service Connect interface](/vpc/docs/configure-routing-private-service-connect-interfaces#find-os-interface-name).\n5. Block consumer-initiated traffic from ingressing through the\n Private Service Connect interface:\n\n ```\n sudo iptables -A INPUT -j DROP -i OS_INTERFACE_NAME\n ```\n\nBlock Private Service Connect interface creation\n------------------------------------------------\n\nTo create Private Service Connect interfaces, users\nmust have the `compute.instances.pscInterfaceCreate` Identity and Access Management (IAM)\npermission. This permission is included in the following roles:\n\n- [Compute Admin](/compute/docs/access/iam#compute.admin) (`roles/compute.admin`)\n- [Compute Instance Admin (v1)](/iam/docs/understanding-roles#compute.instanceAdmin.v1) (`roles/compute.instanceAdmin.v1`)\n\nIf you want a user to have the permissions that are associated with these\nroles, while preventing that user from creating\nPrivate Service Connect interfaces, you can\n[Create a custom role](/iam/docs/creating-custom-roles#creating) and grant\nit to the user. Add the necessary permissions to the role. Omit the\n`compute.instances.pscInterfaceCreate` permission.\n\nWhat's next?\n------------\n\n- [Manage destination overlap](/vpc/docs/manage-destination-overlap) in a network that has a Private Service Connect interface connection."]]
