Skip Default VPC Network Creation

More Info:

Ensure that “Skip Default Network Creation” constraint policy is enforced for your Google Cloud Platform (GCP) organizations in order to follow security best practices and meet networking requirements. Once enabled, this constraint skips the creation of the default Virtual Private Cloud (VPC) network and related resources during Google Cloud project creation.

Risk Level

Medium

Address

Operational Maturity, Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the “Skip Default VPC Network Creation” misconfiguration in GCP using GCP CLI, follow these steps:

Open the Cloud Shell in your GCP console.
Run the following command to list all the existing VPC networks in your project:

gcloud compute networks list

If you do not have any custom VPC network created, you can create a new one using the following command:

gcloud compute networks create <network-name> --subnet-mode=auto

Note: Replace <network-name> with a name of your choice.

If you have an existing custom VPC network, you can use that instead of creating a new one.
Once the custom VPC network is created, you can create subnets in it using the following command:

gcloud compute networks subnets create <subnet-name> --network=<network-name> --region=<region>

Note: Replace <subnet-name> with a name of your choice, <network-name> with the name of the custom VPC network created in step 3 or 4, and <region> with the region where you want to create the subnet.

You can repeat step 5 to create multiple subnets in the custom VPC network.
Once the subnets are created, you can launch your instances in the custom VPC network and the subnets created in it.

By following these steps, you can remediate the “Skip Default VPC Network Creation” misconfiguration in GCP using GCP CLI.

Using Python

To remediate the “Skip Default VPC Network Creation” misconfiguration in GCP using Python, you can follow the below steps:

First, you need to create a new VPC network in GCP. You can use the following Python code to create a new VPC network:

from google.cloud import compute_v1

def create_vpc_network(project_id, network_name, subnet_name, region):
    """
    This function creates a new VPC network and subnet in the specified region.
    """
    client = compute_v1.NetworksClient()
    subnet_client = compute_v1.SubnetworksClient()

    # Build the network object
    network = {
        "name": network_name,
        "auto_create_subnetworks": False,
    }

    # Create the network
    operation = client.insert(project=project_id, body=network)
    operation.wait()

    # Build the subnet object
    subnet = {
        "name": subnet_name,
        "ip_cidr_range": "10.0.0.0/24",
        "region": region,
        "network": f"projects/{project_id}/global/networks/{network_name}",
    }

    # Create the subnet
    subnet_operation = subnet_client.insert(project=project_id, region=region, body=subnet)
    subnet_operation.wait()

    print(f"Created VPC network '{network_name}' and subnet '{subnet_name}' in region '{region}'.")

Once you have created the new VPC network, you can modify your GCP project to use this new network as the default VPC network. You can use the following Python code to modify the project:

from google.cloud import compute_v1

def set_default_network(project_id, network_name):
    """
    This function sets the specified VPC network as the default network for the project.
    """
    client = compute_v1.ProjectsClient()

    # Build the project object
    project = {
        "name": f"projects/{project_id}",
        "defaultNetworkTier": "PREMIUM",
        "autoCreateNetwork": False,
        "network": f"projects/{project_id}/global/networks/{network_name}",
    }

    # Update the project
    operation = client.update(project=project["name"], body=project)
    operation.wait()

    print(f"Set VPC network '{network_name}' as the default network for project '{project_id}'.")

Finally, you can call the above two functions to create a new VPC network and set it as the default network for your GCP project. You can use the following Python code to do this:

project_id = "your-project-id"
network_name = "your-network-name"
subnet_name = "your-subnet-name"
region = "your-region"

create_vpc_network(project_id, network_name, subnet_name, region)
set_default_network(project_id, network_name)

By following the above steps, you can remediate the “Skip Default VPC Network Creation” misconfiguration in GCP using Python.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Skip Default VPC Network Creation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation