VPC Service Controls

VPC Service Controls can help you mitigate the risk of data exfiltration from CX Agent Studio. Use VPC Service Controls to create a service perimeter that protects the resources and data that you specify. For example, when you use VPC Service Controls to protect CX Agent Studio, the following artifacts cannot leave your service perimeter:

  • Agent application data
  • runSession requests and responses

CX Agent Studio can interact with other Google Cloud resources such as DLP redaction templates, BigQuery datasets used for conversation export, and Data Stores. These resources are under your control and must be inside the same VPC-SC perimeter as the agent application.

Limitations

The following limitations apply:

  • Tools and callbacks cannot send requests to arbitrary HTTP endpoints when VPC-SC is enabled, because doing so could exfiltrate data outside the perimeter. Configure Service Directory for private network access instead.
  • Audio recordings cannot be written to Cloud Storage buckets outside the perimeter.
  • Conversations cannot be written to BigQuery datasets outside the perimeter.
  • DLP redaction templates outside the perimeter cause failures in redacting conversation contents.
  • OpenAPI tools cannot reference authentication keys using secrets that are outside the perimeter.
  • Data Store tools that specify a data store outside the perimeter fail to execute.
  • Flow-based agents that specify an agent resource outside the perimeter fail when called.
  • Attempting to import an agent application from a Cloud Storage bucket outside the perimeter fails.
  • Attempting to export an agent application to a Cloud Storage bucket outside the perimeter fails.

Service perimeter creation

When you create a service perimeter, include both CX Agent Studio (ces.googleapis.com) and CX Insights (contactcenterinsights.googleapis.com) as protected services. You aren't required to include any additional services for CX Agent Studio to function. However, CX Agent Studio won't be able to reach resources outside the perimeter, such as files in a Cloud Storage bucket that is outside the perimeter.

For more information about creating a service perimeter, see Creating a service perimeter in the VPC Service Controls documentation.
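The perimeter described above, as an added shell example that is not part of this documentation: it builds the gcloud command for a perimeter whose restricted services are exactly the two the page requires, and it includes a check that reports which required service is missing from an existing perimeter's restricted-services list. The access policy ID, perimeter name and project number are placeholders you replace; the flags used (--policy, --title, --perimeter-type, --resources, --restricted-services) are the standard ones of gcloud access-context-manager perimeters create.

```shell
#!/bin/sh
# Added example, not from the CX Agent Studio documentation.
# Creates a VPC Service Controls perimeter that protects the two services
# the page requires: ces.googleapis.com and contactcenterinsights.googleapis.com.
# Assumptions: POLICY_ID, PERIMETER and PROJECT_NUMBER are placeholders for your
# own access policy ID, perimeter name and agent project number. With DRY_RUN=1
# (the default) the gcloud command is printed instead of executed.

REQUIRED_SERVICES="ces.googleapis.com,contactcenterinsights.googleapis.com"

# Build the perimeter-creation command.
#   $1 = access policy ID, $2 = perimeter name, $3 = agent project number
build_perimeter_cmd() {
  printf 'gcloud access-context-manager perimeters create %s --policy=%s --title=%s --perimeter-type=regular --resources=projects/%s --restricted-services=%s' \
    "$2" "$1" "$2" "$3" "$REQUIRED_SERVICES"
}

# Given a comma-separated restricted-services list, print the required
# services that are missing from it (empty output means none are missing).
missing_services() {
  have=",$1,"
  missing=""
  for svc in $(printf '%s' "$REQUIRED_SERVICES" | tr ',' ' '); do
    case "$have" in
      *",$svc,"*) ;;
      *) missing="${missing}${missing:+,}$svc" ;;
    esac
  done
  printf '%s' "$missing"
}

# Audit an existing perimeter: gcloud's value() format joins list fields
# with ';', so convert to commas before checking.
#   $1 = access policy ID, $2 = perimeter name
audit_perimeter() {
  current=$(gcloud access-context-manager perimeters describe "$2" --policy="$1" \
    --format='value(status.restrictedServices)')
  missing_services "$(printf '%s' "$current" | tr ';' ',')"
}

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "DRY RUN: $1"; else eval "$1"; fi
}

run "$(build_perimeter_cmd "${POLICY_ID:-POLICY_ID_PLACEHOLDER}" \
  "${PERIMETER:-ces-perimeter}" "${PROJECT_NUMBER:-PROJECT_NUMBER_PLACEHOLDER}")"
```

Run it with DRY_RUN=0 and real values to create the perimeter; call audit_perimeter afterwards (or against a perimeter created elsewhere) to confirm that neither ces.googleapis.com nor contactcenterinsights.googleapis.com has been left out of the restricted-services list.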

VPC Service Controls documentation for optional dependencies:

Using Service Directory for private network access

CX Agent Studio integrates with Service Directory private network access, so it can connect to OpenAPI tools targets inside your VPC network. This keeps the traffic within the Google Cloud network and enforces Identity and Access Management and VPC Service Controls.

To set up a tool targeting a private network:

  1. Follow Service Directory private network configuration to configure your VPC network and Service Directory endpoint.

  2. The Customer Engagement Suite Service Agent service account with the following address must exist for your agent project:

    service-agent-project-number@gcp-sa-ces.iam.gserviceaccount.com

    Grant the following roles to the Customer Engagement Suite Service Agent service account in the project where your Service Directory is located:

    • servicedirectory.viewer
    • servicedirectory.pscAuthorizedService

    If your Service Directory is in a different project from your agent application, also grant the servicedirectory.viewer role to the Customer Engagement Suite Service Agent account in the project that hosts your agent application.

  3. Provide the Service Directory service, along with the URL and optional authentication information, when creating the tool. This field is in the tool's advanced settings.
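The role grants from step 2, as an added shell example that is not part of this documentation. It assumes the service agent address follows the page's placeholder pattern, service-<agent project number>@gcp-sa-ces.iam.gserviceaccount.com, uses the full role IDs roles/servicedirectory.viewer and roles/servicedirectory.pscAuthorizedService for the short names the page lists, and treats AGENT_PROJECT_ID, SD_PROJECT_ID and the sample project number as placeholders you replace. When the agent project and the Service Directory project differ it adds the extra viewer grant the step calls for.

```shell
#!/bin/sh
# Added example, not from the CX Agent Studio documentation.
# Grants the Customer Engagement Suite service agent the Service Directory
# roles from step 2 in the Service Directory project and, when that project
# differs from the agent project, the viewer role in the agent project too.
# Assumptions: the service agent address pattern below follows the page's
# placeholder; AGENT_PROJECT_ID and SD_PROJECT_ID are placeholders you
# replace; DRY_RUN=1 (the default) prints the commands instead of running them.

# Service agent address for an agent project number (assumed pattern).
service_agent() {
  printf 'service-%s@gcp-sa-ces.iam.gserviceaccount.com' "$1"
}

# Roles needed in the project that hosts Service Directory.
SD_PROJECT_ROLES="roles/servicedirectory.viewer roles/servicedirectory.pscAuthorizedService"
# Role needed in the agent project when Service Directory lives elsewhere.
AGENT_PROJECT_ROLE="roles/servicedirectory.viewer"

# Print one gcloud binding command per line.
#   $1 = agent project number, $2 = Service Directory project ID, $3 = agent project ID
plan_bindings() {
  member="serviceAccount:$(service_agent "$1")"
  for role in $SD_PROJECT_ROLES; do
    printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=%s\n' \
      "$2" "$member" "$role"
  done
  if [ "$2" != "$3" ]; then
    printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=%s\n' \
      "$3" "$member" "$AGENT_PROJECT_ROLE"
  fi
}

# Number of bindings the plan applies: 2 for a single project, 3 when split.
binding_count() {
  plan_bindings "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Print (dry run) or execute every planned binding.
apply_bindings() {
  plan_bindings "$1" "$2" "$3" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-1}" = "1" ]; then echo "DRY RUN: $cmd"; else eval "$cmd"; fi
  done
}

AGENT_PROJECT_ID="${AGENT_PROJECT_ID:-AGENT_PROJECT_ID_PLACEHOLDER}"
SD_PROJECT_ID="${SD_PROJECT_ID:-SD_PROJECT_ID_PLACEHOLDER}"
if [ "${DRY_RUN:-1}" = "1" ]; then
  AGENT_PROJECT_NUMBER="${AGENT_PROJECT_NUMBER:-123456789012}"  # constructed sample value
else
  # Resolve the project number that appears in the service agent address.
  AGENT_PROJECT_NUMBER=$(gcloud projects describe "$AGENT_PROJECT_ID" --format='value(projectNumber)')
fi
apply_bindings "$AGENT_PROJECT_NUMBER" "$SD_PROJECT_ID" "$AGENT_PROJECT_ID"
```

Keeping the plan separate from the apply step lets you review exactly which project receives which binding before anything changes, which matters here because the pscAuthorizedService role belongs only in the Service Directory project.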

To troubleshoot issues, set up a private uptime check to verify that your Service Directory is correctly configured.