🛡️ Google Private Service Connect is not used for access to Google APIs🟢⚪

  • Contextual name: 🛡️ Private Service Connect is not used for access to Google APIs🟢⚪
  • ID: /ce/ca/google/vpc/private-service-connect-for-google-apis
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Description

Private Service Connect for Google APIs lets workloads access googleapis.com services through private endpoints in a VPC. Configure it for VPCs that host sensitive or production workloads that call Google APIs.

Rationale

Using Private Service Connect keeps API traffic on Google's private network and lets VPC firewall rules control which workloads can reach Google APIs. This reduces reliance on public internet egress paths and supports tighter egress control.

Impact

Private Service Connect endpoints and DNS changes must be planned per VPC. Incorrect DNS or firewall configuration can prevent workloads from reaching Google APIs.

Audit

From Google Cloud CLI

  1. List VPC networks that host in-scope workloads:

    gcloud compute networks list --format="table(name)"

  2. Confirm that a Private Service Connect address exists for each in-scope VPC:

    gcloud compute addresses list \
        --filter="purpose=PRIVATE_SERVICE_CONNECT" \
        --format="table(name,address,purpose,network)"
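As an added example (not part of this policy page or of Cloudaware's own checker), the following script applies the audit to JSON captured from gcloud instead of reading tables by eye. The inline sample data is constructed, and the field names (address, purpose, network, IPAddress, target) are assumed to match `--format=json` output; it also checks that a reserved address is actually bound to a Google APIs forwarding rule, which step 2 alone does not show.

```python
import json

# Constructed sample data modelled on `gcloud compute addresses list --format=json`
# and `gcloud compute forwarding-rules list --format=json` (field shapes assumed).
ADDRESSES_JSON = """[
 {"name": "psc-apis-endpoint", "address": "10.10.0.5", "purpose": "PRIVATE_SERVICE_CONNECT",
  "network": "https://www.googleapis.com/compute/v1/projects/demo-project/global/networks/prod-vpc"},
 {"name": "psc-orphan", "address": "10.20.0.5", "purpose": "PRIVATE_SERVICE_CONNECT",
  "network": "https://www.googleapis.com/compute/v1/projects/demo-project/global/networks/staging-vpc"},
 {"name": "nat-ip", "address": "203.0.113.7", "purpose": "NAT_AUTO",
  "network": "https://www.googleapis.com/compute/v1/projects/demo-project/global/networks/prod-vpc"}
]"""
FORWARDING_RULES_JSON = """[
 {"name": "psc-apis", "IPAddress": "10.10.0.5", "target": "all-apis",
  "network": "https://www.googleapis.com/compute/v1/projects/demo-project/global/networks/prod-vpc"}
]"""
IN_SCOPE_VPCS = ["prod-vpc", "staging-vpc", "dev-vpc"]  # constructed scope list


def network_name(url: str) -> str:
    """Reduce a network URL to its short name ('.../networks/prod-vpc' -> 'prod-vpc')."""
    return url.rsplit("/", 1)[-1]


def psc_endpoints(addresses: list, rules: list) -> dict:
    """Map VPC name -> reserved PSC IPs that a Google APIs forwarding rule actually uses.

    A reserved address alone (audit step 2) is not enough: without a forwarding rule
    whose target is the all-apis or vpc-sc bundle, the VPC still has no PSC endpoint.
    """
    wired = {(network_name(r["network"]), r["IPAddress"])
             for r in rules if r.get("target") in ("all-apis", "vpc-sc")}
    endpoints = {}
    for a in addresses:
        if a.get("purpose") != "PRIVATE_SERVICE_CONNECT":
            continue
        vpc = network_name(a["network"])
        if (vpc, a["address"]) in wired:
            endpoints.setdefault(vpc, []).append(a["address"])
    return endpoints


def audit(in_scope: list, addresses_json: str, rules_json: str) -> dict:
    """Return {vpc: 'PASS' | 'FAIL'} for every in-scope VPC."""
    found = psc_endpoints(json.loads(addresses_json), json.loads(rules_json))
    return {vpc: "PASS" if found.get(vpc) else "FAIL" for vpc in in_scope}


if __name__ == "__main__":
    for vpc, verdict in audit(IN_SCOPE_VPCS, ADDRESSES_JSON, FORWARDING_RULES_JSON).items():
        print(f"{vpc}: {verdict}")
```

In the sample, staging-vpc fails even though it has a PRIVATE_SERVICE_CONNECT address, because no forwarding rule binds that address to a Google APIs bundle.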

Remediation

From Google Cloud CLI

  1. Reserve an internal address for the Private Service Connect endpoint:

    gcloud compute addresses create psc-apis-endpoint \
        --global \
        --purpose=PRIVATE_SERVICE_CONNECT \
        --addresses={{private-ip-address}} \
        --network=projects/{{project-id}}/global/networks/{{vpc-name}}

  2. Create the forwarding rule for Google APIs:

    gcloud compute forwarding-rules create psc-apis \
        --global \
        --network={{vpc-name}} \
        --address=psc-apis-endpoint \
        --target-google-apis-bundle=all-apis

  3. Create or update private DNS zones so googleapis.com resolves to the endpoint IP address.

  4. Add firewall rules that allow only approved sources to reach the endpoint.

  5. Test workload access to required Google APIs before removing existing public egress paths.


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS GCP v5.0.0 → 💼 3.9 Ensure Private Service Connect is Used for Access to Google APIs - Level 2 (Manual) | 1 | no data
💼 Cloudaware Framework → 💼 Secure Access | 61 | no data