GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Legacy Networks Should Not Be Used
More Info:
Ensure legacy networks do not exist for a project.
Risk Level
Medium
Address
Security
Compliance Standards
CISGCP, CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Legacy Networks Should Not Be Used” in GCP using GCP console, follow the below steps:
- Open the GCP console and go to the VPC networks page.
- Select the legacy network that you want to remediate.
- In the top menu, click “Delete”.
- Review the list of resources that will be deleted with the legacy network. If you are sure you want to delete the legacy network and all its resources, click “Delete”.
- Repeat this process for all legacy networks in your GCP project.
Alternatively, you can create a new VPC network and migrate your resources to it. To do so, follow the below steps:
- Open the GCP console and go to the VPC networks page.
- Click “Create VPC network”.
- Enter a name for the new VPC network.
- Choose a subnet mode and specify the IP range for the new VPC network.
- Click “Create”.
- Migrate your resources to the new VPC network by updating their network settings to use the new VPC network.
Note: Before deleting a legacy network, make sure that all resources that depend on it have been migrated to the new VPC network.
To remediate the “Legacy Networks Should Not Be Used” misconfiguration in GCP using GCP CLI, follow these steps:
-
Open the GCP Cloud Shell by clicking on the Activate Cloud Shell button on the top right corner of the GCP Console.
-
Run the following command to list all the VPC networks in your project:
gcloud compute networks list -
Identify the legacy network(s) in the list. Legacy networks are identified by the “LEGACY” network type.
-
Delete the legacy network(s) using the following command:
gcloud compute networks delete [LEGACY_NETWORK_NAME]Replace [LEGACY_NETWORK_NAME] with the name of the legacy network you want to delete.
-
Confirm the deletion by typing “y” when prompted.
Note: Deleting a VPC network deletes all the subnets, routes, and firewall rules associated with the network. Therefore, make sure to review the network configuration and any dependencies before deleting it.
To remediate the misconfiguration “Legacy Networks Should Not Be Used” in GCP using Python, you can follow the below steps:
Step 1: Install the required packages:
pip install google-cloud-compute
Step 2: Authenticate with GCP using the below command:
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/your/credentials.json
Step 3: Write a Python script to remediate the misconfiguration:
from google.cloud import compute_v1
# Create a client object for Compute Engine API
compute_client = compute_v1.ComputeClient()
# Get the list of networks
networks = compute_client.networks().list(project="your-project-id", region="your-region").execute()
# Loop through the networks and check if any of them are legacy networks
for network in networks["items"]:
if network["kind"] == "compute#network" and "legacy" in network["name"]:
# If the network is a legacy network, delete it
compute_client.networks().delete(project="your-project-id", network=network["name"]).execute()
print("Legacy network {} has been deleted.".format(network["name"]))
Step 4: Replace “your-project-id” and “your-region” with your actual project ID and region where the legacy networks are located.
Step 5: Run the Python script to delete all the legacy networks in the specified project and region.
Note: Before deleting any network, make sure that it is not being used by any resources in your project.