Full Report
If your organization offers managed services to customers, or simply consumes services internally, chances are those services need to be accessed privately, over a VPC. In a Google Cloud environment, customers increasingly turn to Private Service Connect, which creates private and secure connections from your VPCs to Google, third parties, or your own services. And recently, we added PSC interfaces, which allow a service producer to access a consumer’s network by sharing a network interface, while still maintaining the separation of producer and consumer roles. In this blog post, we go into depth about PSC interfaces — how they fit into a PSC environment, and how to use them effectively. Enabling private access with PSCLet’s say that you have a new AI SaaS running in Google Cloud, and your customers require fully private access to the service, without leaving Google Cloud. Traditionally, you would use Private Service Connect endpoints to expose that producer service to your customers running in their own VPCs. That access would happen through a PSC endpoint, a single, private IP address that belongs to their address space, and the traffic would remain entirely within Google Cloud. This is managed service ingress: the traffic flows from the consumer clients to the producer managed service. But for your AI service to operate, you also need to initiate connections to the consumer to retrieve data for model training. This is because customer data often resides in various places — in the customer VPC, in a VPC peered to it, over the internet accessed by Cloud NAT from the consumer VPC, or on-prem accessed by Cloud VPN or Cloud Interconnect from the consumer VPC. This networking pattern is called managed service egress, and exists whenever a managed service needs to initiate connections to its users. This can be for various use cases:Data-processing managed services need to access content in databases hosted by their consumersEvent hubs receive and process event triggers, and initiate egress connections to send events into their consumer VPCsPrivate networking challenging to achieve service egressWith PSC endpoints, traffic is only allowed on ingress — it must be initiated from the consumer. This is intentional; consumers don’t want a producer to access their VPC unless they have explicitly authorized it.One way of achieving service egress is to set up PSC endpoints in reverse, where the service attachment and the load balancer are deployed on the consumer side. This works well at low scale, but is challenging when there are many or frequently changing destinations in the consumer VPC. It also requires more coordination between consumers and producers, which can introduce complexity and friction.Introducing PSC interfacesPSC interfaces are a new mode of PSC designed for private, managed service egress, that enable a producer to access a consumer’s network by sharing a network interface (called a PSC interface), while still maintaining the separation of producer and consumer roles.PSC interfaces are implemented with a cross-organization multi-network interface VM combined with the PSC authorization model. In addition to its local network interface, a producer VM can have one or more PSC interfaces, which actually reside in the consumer VPC. A PSC interface has an IP address from a consumer subnet. (Note: Here, "interface" describes exactly what the PSC interface is on a guest operating system: an explicit networking interface with direct access to another network. It's like plugging an Ethernet cable directly across two organizations' networks to link them together.) With this network interface as the entry point in the consumer VPC, the producer VM can access consumer resources as if they resided locally in the producer VPC. A PSC interface shows up as a regular network interface in the guest OS of the VM, so you benefit from the whole toolbox of powerful OS-level routing options. Because a PSC interface is a network interface, transitivity is natively possible, so the producer can access external destinations using the consumer VPC as a transit. No extra configuration is required. Nor does the consumer need to deploy a load balancer and configure the destinations as its targets. All it needs to create is a network attachment. This resource provides control to the consumer over which producers are allowed to connect to it, and which subnet(s) can be used for the PSC interfaces’ IP addresses. Here’s an example of a network attachment creation: code_block )])]> The output is: code_block )])]> From there, the producer simply creates a VM with a PSC interface that references the network attachment. For example: code_block )])]> Service-to-service communicationPSC interfaces are complementary to PSC endpoints and can be used together in the same VPC. For example, you can use them to enable a third-party analytics service to reach a third-party database that’s owned by a different organization, through the consumer VPC which has a connection to both.Firewall rules are also compatible with PSC interfaces, so the consumer can use them to control what the producer is authorized to access, be it local or remote targets. In short, PSC interfaces are a powerful new addition to Private Service Connect that address many of the common challenges of using PSC endpoints to deliver managed service egress. PSC interfaces are available in public preview today, so don’t hesitate to give them a try!
Analysis Summary
# Best Practices: Managed Service Egress with PSC Interfaces
## Overview
These practices address the security and operational challenges of **Managed Service Egress**. In scenarios where a service provider (Producer) must initiate connections to a client's network (Consumer)—such as for database polling, event triggering, or data retrieval—traditional ingress-only Private Service Connect (PSC) endpoints are insufficient. PSC Interfaces provide a secure, authorized bridge for producers to access consumer VPC resources without exposing the environment to the public internet or requiring complex reverse-load-balancing.
---
## Key Recommendations
### Immediate Actions
1. **Define Access Boundaries:** Identify which specific subnets in the Consumer VPC should be accessible to the Producer and create dedicated subnets for this purpose.
2. **Implement Network Attachments:** As a Consumer, create a `network attachment` resource to explicitly whitelist authorized Producer projects and designate specific subnets for their use.
3. **Audit Existing "Reverse PSC" Setups:** Catalog current reverse-load-balancing configurations to identify candidates for migration to PSC Interfaces to reduce architectural complexity.
### Short-term Improvements (1-3 months)
1. **Adopt Micro-segmentation:** Configure VPC Firewall Rules (or Cloud Firewall policies) targeting the IP addresses or tags associated with the PSC Interface to enforce the Principle of Least Privilege.
2. **Standardize Interface Provisioning:** Automate the creation of Producer VMs with PSC Interfaces using Infrastructure as Code (IaC) to ensure consistent application of security tags and metadata.
### Long-term Strategy (3+ months)
1. **Transition to Transit-Architecture:** Utilize the native transitivity of PSC Interfaces to allow Producers to reach on-premises data (via Interconnect/VPN) or third-party services through the Consumer VPC, centralizing security inspection.
2. **Establish Governance for Multi-SaaS Connectivity:** Develop an internal policy for managing multi-tenant service egress, ensuring that different Producer organizations remain isolated within the Consumer’s network.
---
## Implementation Guidance
### For Small Organizations
- Focus on using PSC Interfaces to replace high-maintenance Cloud NAT or public IP configurations when interacting with SaaS providers.
- Use simple VPC firewall rules to restrict the Producer's interface to only the necessary database or application server IPs.
### For Medium Organizations
- Utilize **Network Attachments** with explicit project allow-lists to prevent unauthorized Google Cloud projects from requesting a connection to your VPC.
- Enable VPC Flow Logs on the subnets used by PSC Interfaces to monitor for lateral movement.
### For Large Enterprises
- Leverage PSC Interfaces for **cross-organization transitivity**. This allows a Producer to access resources not just in the local VPC, but in peered VPCs or on-premises environments connected via Cloud Interconnect.
- Implement **Organizational Policies** to restrict which departments can create PSC network attachments.
---
## Configuration Examples
### 1. Consumer: Create a Network Attachment
This resource grants a specific Producer project permission to connect to a specific subnet.
bash
gcloud compute network-attachments create [ATTACHMENT_NAME] \
--region=[REGION] \
--subnets=[SUBNET_NAME] \
--connection-preference=ACCEPT_LIST \
--producer-accept-list=[PRODUCER_PROJECT_ID]=[CONNECTION_LIMIT]
### 2. Producer: Launch VM with PSC Interface
The producer attaches their VM directly to the consumer's network attachment.
bash
gcloud compute instances create [VM_NAME] \
--zone=[ZONE] \
--network-interface=subnet=[PRODUCER_SUBNET] \
--network-interface=network-attachment=[CONSUMER_NETWORK_ATTACHMENT_URL]
---
## Compliance Alignment
- **NIST SP 800-53:** Supports AC-4 (Information Flow Enforcement) by explicitly authorizing cross-tenant traffic via network attachments.
- **ISO/IEC 27001:** Aligns with A.13.1 (Network Security Management) by maintaining separation between producer and consumer roles while allowing controlled access.
- **CIS Google Cloud Benchmark:** Enhances "Networking" controls by eliminating the need for public IP addresses for service egress.
---
## Common Pitfalls to Avoid
- **Over-Permissive Subnets:** Do not place PSC Interfaces in the same large subnet as sensitive internal applications; use a dedicated, small CIDR block.
- **Ignoring Guest OS Routing:** Since the PSC Interface appears as a standard NIC (`eth1`, etc.), ensure the Producer's guest OS routing table is configured to route traffic destined for the Consumer through the correct interface.
- **Bypassing Firewalls:** Do not assume the connection is safe because it is "private." Always apply VPC-level firewall rules to the traffic emerging from the PSC Interface.
---
## Resources
- **Google Cloud Documentation:** `https://cloud.google.com/vpc/docs/private-service-connect-interfaces`
- **Security Guide:** `https://cloud.google.com/vpc/docs/configure-security-network-attachments`
- **Network Attachments Overview:** `https://cloud.google.com/vpc/docs/about-network-attachments`