Interfaces With Default VPC
More Info:
Lists all the network interfaces resources from those instances that have default VPC in use.Risk Level
LowAddress
SecurityCompliance Standards
CISGCPTriage and Remediation
Remediation
Using Console
Using Console
Here are the step by step instructions to remediate the “Interfaces With Default VPC” misconfiguration in GCP using GCP console:
- Open the GCP console and navigate to the VPC network page.
- Select the default VPC network from the list of VPC networks.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Subnets” section and click on “Edit” next to the default subnet.
- In the “Secondary IP ranges” section, click on “Add IP range”.
- Enter a new IP range that does not overlap with the existing IP range of the default subnet.
- Click “Save” to save the changes.
- Repeat steps 4-7 for any additional subnets in the default VPC network.
- Once all subnets have been updated, click on the “Save” button at the bottom of the page to save the changes.
Using CLI
Using CLI
The equivalent of a default VPC in GCP is a default network. To remediate the issue of interfaces with default VPC in GCP, you can follow these steps using GCP CLI:
-
List all the instances in the default network using the following command:
gcloud compute instances list --filter="networkInterfaces.networkIP:10.128.0.0/9"This command will list all the instances that are using the default network in GCP. -
For each instance that is using the default network, create a new VPC network and move the instance to the new network. You can use the following command to create a new VPC network:
gcloud compute networks create [NEW_NETWORK_NAME] --subnet-mode=autoReplace [NEW_NETWORK_NAME] with a name of your choice for the new network. -
Once the new network is created, move the instance to the new network using the following command:
gcloud compute instances move [INSTANCE_NAME] --zone=[ZONE] --destination-network=[NEW_NETWORK_NAME]Replace [INSTANCE_NAME] with the name of the instance that you want to move, [ZONE] with the zone where the instance is located, and [NEW_NETWORK_NAME] with the name of the new network that you created in step 2. -
Verify that the instance has been moved to the new network using the following command:
gcloud compute instances describe [INSTANCE_NAME] --zone=[ZONE] | grep networkThis command will display the network interface details for the instance. Verify that the network interface is now using the new network that you created in step 2. - Repeat steps 2-4 for all the instances that are using the default network.
Using Python
Using Python
The equivalent of AWS’s default VPC in GCP is the default network. The default network is a global resource that is automatically created when you create a new project in GCP. By default, all instances in a project are automatically connected to the default network unless you specify otherwise.To remediate the issue of instances with default network interfaces in GCP using Python, you can use the following steps:
-
Use the Google Cloud SDK to list all the instances in your project that are using the default network interface. You can do this by running the following command in your terminal:
gcloud compute instances list --filter="networkInterfaces.networkIP:10.128.0.0/9"This command will list all the instances that are using the default network interface and have an IP address in the range of 10.128.0.0/9. -
Use the Google Cloud SDK to create a new VPC network in your project. You can do this by running the following command in your terminal:
gcloud compute networks create [NETWORK_NAME] --subnet-mode=autoReplace [NETWORK_NAME] with the name you want to give to your new VPC network. -
Use the Google Cloud SDK to create a new subnet in your new VPC network. You can do this by running the following command in your terminal:
gcloud compute networks subnets create [SUBNET_NAME] --network=[NETWORK_NAME] --region=[REGION] --range=[CIDR_RANGE]Replace [SUBNET_NAME] with the name you want to give to your new subnet, [NETWORK_NAME] with the name of the VPC network you created in step 2, [REGION] with the region where you want to create the subnet, and [CIDR_RANGE] with the IP address range you want to assign to the subnet. -
Use the Google Cloud SDK to create a new instance template that uses the new VPC network interface. You can do this by running the following command in your terminal:
gcloud compute instance-templates create [TEMPLATE_NAME] --network=[NETWORK_NAME] --subnet=[SUBNET_NAME]Replace [TEMPLATE_NAME] with the name you want to give to your new instance template, [NETWORK_NAME] with the name of the VPC network you created in step 2, and [SUBNET_NAME] with the name of the subnet you created in step 3. -
Use the Google Cloud SDK to create new instances using the new instance template. You can do this by running the following command in your terminal:
gcloud compute instances create [INSTANCE_NAME] --source-instance-template=[TEMPLATE_NAME]Replace [INSTANCE_NAME] with the name you want to give to your new instance and [TEMPLATE_NAME] with the name of the instance template you created in step 4. -
Verify that the new instances are using the new VPC network interface by running the following command in your terminal:
gcloud compute instances list --filter="networkInterfaces.networkIP:[CIDR_RANGE]"Replace [CIDR_RANGE] with the IP address range you assigned to the subnet in step 3.