Projects should only use non-default VPC networks


Description

To prevent use of the default network, a project should not have a default network.

Default value

By default, for each project, a default network is created.

Rationale

The default network has a preconfigured network configuration and automatically generates the following insecure firewall rules:

  • default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.
  • default-allow-ssh: Allows ingress connections on TCP port 22 (SSH) from any source to any instance in the network.
  • default-allow-rdp: Allows ingress connections on TCP port 3389 (RDP) from any source to any instance in the network.
  • default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.

These automatically-created firewall rules do not get audit-logged and cannot be configured to enable firewall rule logging.

Furthermore, the default network is an auto-mode network, which means that its subnets use the same predefined range of IP addresses. As a result, it’s not possible to use Cloud VPN or VPC Network Peering with the default network.

Based on organization security and networking requirements, the organization should create a new network and delete the default network.

Impact

When an organization deletes the default network, it may need to migrate services onto a new network.

Remediation

From the console

  1. Go to the VPC networks page.
  2. Click the network named default.
  3. On the network detail page, click EDIT.
  4. Click DELETE VPC NETWORK.
  5. If needed, create a new network to replace the default network.

From the command line

  1. Delete the default network:

    gcloud compute networks delete default
    
  2. If needed, create a new network to replace it:

    gcloud compute networks create NETWORK_NAME
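The following audit helper is an added example, not CIS's or Google's own code. It parses the output of two gcloud list commands (the field names autoCreateSubnetworks and logConfig.enable, and the filter network:default, are assumed) and reports whether the default network or any of its four auto-created firewall rules still exist, which is the condition the remediation above removes.

```shell
#!/usr/bin/env bash
# Added audit helper for this recommendation (not CIS's or Google's code).
# Each check reads gcloud output on stdin, prints one line per finding and
# returns 1 on a violation, so the exit status can drive a CI gate.
set -u

# Firewall rules auto-created with the default network (names from the benchmark).
DEFAULT_RULES="default-allow-internal default-allow-ssh default-allow-rdp default-allow-icmp"

# stdin: "<name> <autoCreateSubnetworks>" lines, as produced by (assumed fields)
#   gcloud compute networks list --format='value(name,autoCreateSubnetworks)'
# Returns 1 if a network named "default" is present.
check_networks() {
  local name auto rc=0
  while read -r name auto; do
    [ -z "$name" ] && continue
    if [ "$name" = "default" ]; then
      echo "FAIL network: 'default' exists (auto-mode subnets: ${auto:-unknown})"
      rc=1
    fi
  done
  return $rc
}

# stdin: "<name> <logConfig.enable>" lines, as produced by (assumed filter/field)
#   gcloud compute firewall-rules list --filter='network:default' \
#     --format='value(name,logConfig.enable)'
# Returns 1 if any auto-created rule is still present; the logging column is
# reported because these rules cannot have rule logging enabled.
check_firewall_rules() {
  local name logging rc=0 rule
  while read -r name logging; do
    [ -z "$name" ] && continue
    for rule in $DEFAULT_RULES; do
      if [ "$name" = "$rule" ]; then
        echo "FAIL firewall: auto-created rule '$name' present (logging: ${logging:-off})"
        rc=1
      fi
    done
  done
  return $rc
}

# Live use against the active gcloud project (needs gcloud credentials):
#   gcloud compute networks list --format='value(name,autoCreateSubnetworks)' | check_networks
#   gcloud compute firewall-rules list --filter='network:default' \
#     --format='value(name,logConfig.enable)' | check_firewall_rules
```

Run both checks per project; a non-zero status from either means the project has not yet been remediated.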
    

Prevention

You can prevent the default network and its insecure firewall rules from ever being created in new projects by enforcing the compute.skipDefaultNetworkCreation Organization Policy constraint, available at https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation.

References

  1. https://cloud.google.com/compute/docs/networking#firewall_rules
  2. https://cloud.google.com/compute/docs/reference/latest/networks/insert
  3. https://cloud.google.com/compute/docs/reference/latest/networks/delete
  4. https://cloud.google.com/vpc/docs/firewall-rules-logging
  5. https://cloud.google.com/vpc/docs/vpc#default-network
  6. https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete