GENAI117

Overview

As Lead AI Solutions Architect at Cymbal Bank, a financial service provider that's part of the Cymbal Group, you are assigned to assist the team with enforcing security standards for the Zermatt Holiday Helper conversational agent, a ski-lesson booking tool offered to high-value, diamond-tier retail banking customers.

Your goal is to secure communication between middleware applications and Cymbal Bank's Conversational Agent by using private networks and authenticated interactions.

This involves configuring Private Service Connect (PSC) for secure API access, enforcing ID token-based authentication for webhooks, and using Service Directory to enable private access to webhooks hosted on Cloud Run.

Objectives

In this lab, you learn how to perform the following tasks:

• Set up Private Service Connect (PSC) for secure, private access to Conversational Agents APIs.
• Enforce ID token authentication for Cloud Run webhooks.
• Configure internal-only ingress for your Cloud Run service.
• Use Service Directory to configure a private webhook endpoint.
• Grant the necessary IAM roles for secure service discovery and access.

You need to ensure that by the end of this lab, your Conversational Agents agent securely interacts with internal services to meet Cymbal Bank's security requirements.

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This Qwiklabs hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

What you need

To complete this lab, you need:

• Access to a standard internet browser (Chrome browser recommended).
• Time to complete the lab.

Note: If you already have your own personal Google Cloud account or project, do not use it for this lab.

Note: If you are using a Pixelbook, open an Incognito window to run this lab.

How to start your lab and sign in to the Google Cloud Console

1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is a panel populated with the temporary credentials that you must use for this lab.

 

2. Copy the username, and then click Open Google Console. The lab spins up resources, and then opens another tab that shows the Sign in page.

 

 Tip: Open the tabs in separate windows, side-by-side.

 If you see the Choose an account page, click Use Another Account.

 

3. In the Sign in page, paste the username that you copied from the Connection Details panel. Then copy and paste the password.

Important: You must use the credentials from the Connection Details panel. Do not use your Qwiklabs credentials. If you have your own Google Cloud account, do not use it for this lab (avoids incurring charges).

4. Click through the subsequent pages:

• Accept the terms and conditions.
• Do not add recovery options or two-factor authentication (because this is a temporary account).
• Do not sign up for free trials.

After a few moments, the Cloud Console opens in this tab.

Task 1. Secure the agent, webhook, and tool endpoints

In this task, you ensure compliance with Cymbal Bank's well-defined security requirements for systems, which include:

• Traffic from your middleware applications to Conversational Agents APIs should traverse only private networks.
• Applications like your webhook and tool application should require authentication, and be accessed over private networks.

Here is a breakdown of the test-related activities in this task:

Configure Private Service Connect for access to Conversational Agents APIs

1. In the Google Cloud console, search for Private Service Connect, and select Private Service Connect in the search results.

2. Click Connect endpoint and configure it with the following settings:

   Setting	Value
   Target	Google APIs
   Scope	Global
   Bundle type	All Google Cloud APIs
   Endpoint name	labapis
   Network	default

3. In the IP address section, click Create IP address. Configure it as follows:

   Setting	Value
   Name	lab-psc-ip
   IP Address	10.100.1.100

4. Click Save.

5. Click Add endpoint.

6. From the Navigation menu (), go to VPC Network > VPC networks. In the VPC Networks list, click on default, and switch to the Subnets tab.

7. Click on the default entry for .

8. Click Edit, toggle Private Google Access to On, and click Save.

9. SSH into the private-client VM in your project. (Go to Compute Engine > VM Instances and click on the SSH button next to the private-client entry in the list. If prompted, click Authorize to allow SSH-in-browser to connect to VMs.)

10. Execute the following ping request to check the IP address associated with the global Conversational Agents endpoint:

    ping -c 1 -W 2 {{{ project_0.default_region }}}-dialogflow.googleapis.com

    This should show that the DNS used by this machine resolves the Conversational Agents endpoint to the PSC endpoint you configured (10.100.1.100). The ping won't complete, but that's fine.

11. Run the traffic generation script with the following command:

    cp /tmp/test_conversations.py . export NUM_CONVERSATIONS=30 export LOCATION={{{ project_0.default_region }}} python3 test_conversations.py

Note: The script test_conversations.py will generate conversations with a conversational agent that has already been deployed for you.

12. After running the traffic generation script on the private-client VM:

    • Open the Conversational Agents console in an incognito tab.
    • Select your project, , and then select your agent, Booking Lesson Flow - Test Agent.
    • Click on Conversation history in the left-hand menu.

    Confirm that new session entries (with today's date) appear, indicating a successful interaction between the VM and the Conversational Agents agent over PSC.

Task 2. Secure webhooks with Auth and private Cloud Run access

Configure the Cloud Run service to require authentication

1. In the Google Cloud console, from the Navigation menu (), go to the Cloud Run page.
2. Click on the name of the lab-agent-tool-and-webhook service.
3. Click on the Security tab and select Require authentication.
4. Click Save and wait for 30 seconds to allow the change to persist.

Note: You can ignore the error message Unable to fetch IAM policy.

5. Return to the Conversational Agents console.
6. Select your project, , and then select your agent, Booking Lesson Flow - Test Agent.
7. Click on Test Cases in the left-hand menu.
8. Click Book Lesson Flow - Test and observe the Expected conversation. Take note of the expected sequence of inputs that a user is expected to provide during the test, namely:
   • Hi
   • Today
   • Advanced
   • Hugo / Ingrid, etc. (The name of one of the ski instructors)
9. Click Toggle Simulator, and try starting a similar conversation by entering Hi at the prompt. You should get an error showing that the webhook rejected the request (this is due to the lack of authentication).
10. Click on Flows and select Webhooks > book_lesson. On the Webhook page, scroll down to Service Agent Auth, and select ID Token to enable authentication.
11. Click Save.
12. Rerun your test case – it should work now! If it doesn't work immediately, re-check your work and wait for 1-2 minutes, then try again. Sometimes there's a brief delay until the authentication settings take effect.

Configure the Cloud Run service for internal traffic

13. In the Google Cloud console, go to the Cloud Run page, click on the lab-agent-tool-and-webhook service in the list.
14. On the Networking tab, under Ingress, select Internal and click Save. This configures the service so that it only allows traffic coming from the VPC network and connected private networks; it disallows traffic from the public Internet.
15. From the Navigation menu (), go to VPC Network > Serverless VPC access. On the Serverless VPC access page, click on the lab-vpc-connector, and click the Edit () icon.
16. Change the Minimum Instances from 2 to 3 and maximum from 3 to 5, then click Save. Wait for the connector to finish updating.
17. Once the connector shows a Status of Connector is deployed and ready to receive traffic, return to the Conversational Agents console and run your test case. It should complete successfully.

Note: Your agent is able to talk to the Cloud Run service via internal networking by using the Serverless VPC connector that was set up at the lab startup. So there was no service interruption when you reconfigured the service to no longer accept requests from the public Internet.

Task 3. Enable private access for Conversational Agents to webhooks

In this task, you create a namespace for to enable private access for Conversational Agents to the webhooks.

1. Go to the Service Directory in the Cloud console.

2. Click the namespaces list link to get to the namespace creation page.

3. Click Create namespace and use following settings:

   Setting	Value
   Region
   Namespace name	sd-namespace-lab

4. Click Create.

5. Return to Service Directory (you can select it in the left-hand menu), click on Register service, and configure it with the following settings (you may need to click Next at some point to proceed with the configuration):

   Setting	Value
   Service type	Standard
   Region
   Namespace	sd-namespace-lab
   Service name	private-webhook-lab

6. Click Create.

7. Once the private-webhook-lab service is created, click the More () icon in the Actions column, and select Add endpoint to service it with the following settings:

   Setting	Value
   Endpoint name	privatewebhookep
   IP address	10.100.1.200
   Port	443
   Associated VPC Network	Choose from the list > default

8. Click Create.

9. Navigate to IAM & Admin > IAM in the Google Cloud console.

10. Select the checkbox for Include Google-provided role grants.

11. Find the service account .

12. In the IAM list, click the Edit () icon associated with .

13. Click + Add Another Role.

14. Assign the following roles:

    • Service Directory Viewer
    • Private Service Connect Authorized Service

15. Click Save to apply the changes.

16. Go to the Conversational Agents console.

17. Select your project and agent.

18. In the left-hand menu, click on Flows > Manage > Webhooks.

19. Click the + Create button.

20. Fill out the form with the following values:

Setting	Value
Display name	private-webhook-ep
Type	Service Directory
Service directory
Webhook URL

21. Click Save.

Note: This configuration points the webhook to the Service directory entry, which would result in Conversational Agents calling a server at 10.100.1.200. That server would be an SSL server hosting your webhook application.

You don't need to set up that server and test for the purposes of this lab; getting the networking configuration right is enough.

Congratulations

You secured the communication of Cymbal Bank's Conversational Agent by configuring Private Service Connect for private API access and enabling ID token authentication for Cloud Run services, thereby ensuring secure interactions.

End your lab

When you have completed your lab, click End Lab. Qwiklabs removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

• 1 star = Very dissatisfied
• 2 stars = Dissatisfied
• 3 stars = Neutral
• 4 stars = Satisfied
• 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Manual last updated May 23, 2025

Lab last tested May 23, 2025

Copyright 2023 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.