Skip Default VPC Network Creation
More Info:
Ensure that “Skip Default Network Creation” constraint policy is enforced for your Google Cloud Platform (GCP) organizations in order to follow security best practices and meet networking requirements. Once enabled, this constraint skips the creation of the default Virtual Private Cloud (VPC) network and related resources during Google Cloud project creation.
Risk Level
Medium
Address
Operational Maturity, Reliability, Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Skip Default VPC Network Creation” in GCP using the GCP console, follow the steps below:
- Open the GCP console and navigate to the VPC networks page.
- Click on the “Create VPC network” button.
- In the “Name” field, enter a name for the VPC network.
- In the “IPv4 CIDR block” field, enter the CIDR block for the VPC network. For example, you can use the CIDR block 10.0.0.0/16.
- Under the “Subnets” section, click on the “Add subnet” button.
- In the “Name” field, enter a name for the subnet.
- In the “Region” field, select the region where you want to create the subnet.
- In the “IP address range” field, enter the IP address range for the subnet. For example, you can use the IP address range 10.0.0.0/24.
- Click on the “Create” button to create the VPC network and the subnet.
By following the above steps, you have successfully remediated the misconfiguration “Skip Default VPC Network Creation” in GCP using the GCP console.
To remediate the “Skip Default VPC Network Creation” misconfiguration in GCP using the GCP CLI, follow these steps:
- Open the Cloud Shell in your GCP console.
- Run the following command to list all the existing VPC networks in your project:
  gcloud compute networks list
- If you do not have a custom VPC network yet, create one with the following command:
  gcloud compute networks create <network-name> --subnet-mode=auto
  Note: Replace <network-name> with a name of your choice.
- If you already have a custom VPC network, you can use that instead of creating a new one.
- Once the custom VPC network is created, create subnets in it with the following command (the --range flag is required; the command fails without it):
  gcloud compute networks subnets create <subnet-name> --network=<network-name> --region=<region> --range=<cidr>
  Note: Replace <subnet-name> with a name of your choice, <network-name> with the name of the custom VPC network you created or chose above, <region> with the region where you want to create the subnet, and <cidr> with the subnet's IP address range (for example 10.0.0.0/24).
- Repeat the subnet command to create multiple subnets in the custom VPC network.
- Once the subnets are created, you can launch your instances in the custom VPC network and the subnets created in it.
By following these steps, you can remediate the “Skip Default VPC Network Creation” misconfiguration in GCP using the GCP CLI.
To remediate the “Skip Default VPC Network Creation” misconfiguration in GCP using Python, follow the steps below:
- First, you need to create a new VPC network in GCP. You can use the following Python code to create a new VPC network:
from google.cloud import compute_v1

def create_vpc_network(project_id, network_name, subnet_name, region):
    """
    Create a custom-mode VPC network and one subnet in the specified region.
    """
    client = compute_v1.NetworksClient()
    subnet_client = compute_v1.SubnetworksClient()
    # Build the network resource (custom mode: no subnets are auto-created)
    network = compute_v1.Network(
        name=network_name,
        auto_create_subnetworks=False,
    )
    # Create the network and wait for the global operation to finish
    operation = client.insert(project=project_id, network_resource=network)
    operation.result()
    # Build the subnet resource
    subnet = compute_v1.Subnetwork(
        name=subnet_name,
        ip_cidr_range="10.0.0.0/24",
        region=region,
        network=f"projects/{project_id}/global/networks/{network_name}",
    )
    # Create the subnet and wait for the regional operation to finish
    subnet_operation = subnet_client.insert(
        project=project_id, region=region, subnetwork_resource=subnet
    )
    subnet_operation.result()
    print(f"Created VPC network '{network_name}' and subnet '{subnet_name}' in region '{region}'.")
- Once you have created the new VPC network, you can modify your GCP project to use this new network as the default VPC network. You can use the following Python code to modify the project:
from google.cloud import compute_v1

def set_default_network(project_id, network_name):
    """
    Confirm the custom VPC network exists and set the project's default
    network tier to PREMIUM. Compute Engine exposes no project-level
    "default network" property: each instance selects its network when it
    is created, so point new instances at `network_name` explicitly.
    """
    networks_client = compute_v1.NetworksClient()
    projects_client = compute_v1.ProjectsClient()
    # Raises NotFound if the custom network does not exist in the project
    networks_client.get(project=project_id, network=network_name)
    # Build the request body for the project-level default network tier
    tier_request = compute_v1.ProjectsSetDefaultNetworkTierRequest(network_tier="PREMIUM")
    # Update the project and wait for the global operation to finish
    operation = projects_client.set_default_network_tier(
        project=project_id,
        projects_set_default_network_tier_request_resource=tier_request,
    )
    operation.result()
    print(f"Verified VPC network '{network_name}' and set the PREMIUM default network tier for project '{project_id}'.")
- Finally, you can call the above two functions to create a new VPC network and set it as the default network for your GCP project. You can use the following Python code to do this:
project_id = "your-project-id"
network_name = "your-network-name"
subnet_name = "your-subnet-name"
region = "your-region"
create_vpc_network(project_id, network_name, subnet_name, region)
set_default_network(project_id, network_name)
By following the above steps, you can remediate the “Skip Default VPC Network Creation” misconfiguration in GCP using Python.
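The constraint named in the description above is enforced at the organization, folder or project level through the Org Policy API rather than by creating a network, and it only stops new projects from receiving a default network; projects created earlier keep theirs. The following is an added example, not code from the original page: it audits the JSON that `gcloud org-policies describe compute.skipDefaultNetworkCreation --organization=ORG_ID --effective --format=json` and `gcloud compute networks list --format=json` print (those two parsers run offline), and `enforce_skip_default_network` applies the policy through the `google-cloud-org-policy` client (`orgpolicy_v2.OrgPolicyClient` with `get_policy`, `create_policy` and `update_policy`). The organization ID `123456789012` and the tag condition in the sample are constructed values.

```python
"""Audit and enforce the compute.skipDefaultNetworkCreation organization policy.

Added example, not from the original page. The audit helpers work on the JSON
that `gcloud org-policies describe ... --format=json` and
`gcloud compute networks list --format=json` print; the enforce helper uses
the Org Policy API (google-cloud-org-policy package).
"""
import json
from typing import Any, Dict, List, Optional

CONSTRAINT = "compute.skipDefaultNetworkCreation"


def desired_policy(parent: str) -> Dict[str, Any]:
    """Policy that enforces the constraint on `parent`
    ("organizations/ID", "folders/ID" or "projects/ID")."""
    return {
        "name": f"{parent}/policies/{CONSTRAINT}",
        "spec": {"rules": [{"enforce": True}]},
    }


def is_enforced(policy: Optional[Dict[str, Any]]) -> bool:
    """True only if an unconditional rule enforces the constraint.

    A rule carrying a `condition` applies only to resources whose tags match,
    so it does not prove enforcement; a missing policy means the constraint's
    default (not enforced) applies. Pass the output of `describe --effective`
    so inheritance from parent folders/organization is already resolved.
    """
    if not policy:
        return False
    for rule in policy.get("spec", {}).get("rules", []):
        if "condition" in rule:
            continue
        if rule.get("enforce") is True:
            return True
    return False


def audit_describe_output(describe_json: str) -> bool:
    """Parse `gcloud org-policies describe --format=json` text and audit it."""
    return is_enforced(json.loads(describe_json))


def lingering_default_networks(networks: List[Dict[str, Any]]) -> List[str]:
    """Names of auto-mode networks called 'default' in a project.

    The constraint only stops new projects from getting a default network;
    projects created before it was enforced keep theirs, so review them
    separately (e.g. migrate workloads to a custom network as described above).
    """
    return [
        n["name"]
        for n in networks
        if n.get("name") == "default" and n.get("autoCreateSubnetworks") is True
    ]


def enforce_skip_default_network(parent: str) -> str:
    """Create or update the policy via the Org Policy API; returns its name.

    Needs the google-cloud-org-policy package and orgpolicy.policy.set on
    `parent`; imported lazily so the audit helpers run without it installed.
    """
    from google.api_core import exceptions
    from google.cloud import orgpolicy_v2

    client = orgpolicy_v2.OrgPolicyClient()
    name = f"{parent}/policies/{CONSTRAINT}"
    policy = orgpolicy_v2.Policy(
        name=name,
        spec=orgpolicy_v2.PolicySpec(
            rules=[orgpolicy_v2.PolicySpec.PolicyRule(enforce=True)]
        ),
    )
    try:
        client.get_policy(name=name)
        client.update_policy(policy=policy)  # policy exists: replace its spec
    except exceptions.NotFound:
        client.create_policy(parent=parent, policy=policy)
    return name


# Constructed sample (org ID and tag are made up): a policy that enforces the
# constraint only on resources tagged env=prod, which the audit must reject.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "name": f"organizations/123456789012/policies/{CONSTRAINT}",
    "spec": {
        "rules": [
            {"condition": {"expression": "resource.matchTag('123456789012/env', 'prod')"},
             "enforce": True}
        ]
    },
})

if __name__ == "__main__":
    print("enforced for all resources:", audit_describe_output(SAMPLE_DESCRIBE_OUTPUT))
```

Run the audit against the `--effective` output for each folder and project you care about, not just the organization root: a child policy can carry a conditional rule, as in the sample, and the conditional form alone reports as not enforced here because untagged projects would still receive a default network.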