GCP VPC Network Security Audit

Cloud resource audit for Google Cloud Platform VPC Network architecture,

firewall posture, and connectivity. This skill evaluates provider-specific

GCP networking constructs — global VPC Network design, firewall rule

priority evaluation, hierarchical firewall policies, Cloud NAT egress

control, Cloud Interconnect VLAN attachments, Shared VPC host/service

project topology, and Cloud Router BGP sessions — not generic cloud

networking advice.

Scope: auto-mode versus custom-mode VPC Networks, subnet IP ranges,

firewall rules with target tags and service accounts, Cloud NAT port

allocation, Cloud Interconnect and Cloud VPN connectivity, Shared VPC

cross-project networking, Cloud Router dynamic routing. Out of scope:

Cloud CDN, Cloud Armor WAF, load balancer URL maps, Cloud DNS.

Reference references/cli-reference.md for read-only gcloud commands

and references/vpc-architecture.md for the GCP global VPC model and

firewall rule evaluation order.

When to Use

VPC Network architecture review — evaluating auto-mode versus custom-mode selection, subnet IP ranges, and Private Google Access configuration
Post-migration audit — verifying firewall rules, Cloud NAT egress, and Cloud Router routes after workload migration
Security assessment — identifying permissive firewall rules using target tags, missing hierarchical firewall policies, or disabled VPC Flow Logs
Connectivity troubleshooting — diagnosing Cloud Interconnect VLAN attachment failures, Cloud VPN tunnel errors, or Shared VPC permission issues
Compliance preparation — documenting VPC Network segmentation, firewall rule justification, and VPC Flow Log retention
Cost optimization — identifying unused external IPs, over-provisioned Cloud NAT gateways, and idle Cloud Interconnect attachments

Prerequisites

gcloud CLI authenticated (gcloud auth list shows active account)
IAM permissions — Viewer role on target project, or granular read: compute.networks.get, compute.firewalls.list, compute.routers.get, compute.interconnects.get, compute.subnetworks.list, compute.addresses.list. Shared VPC: Viewer on host and service projects. Hierarchical firewall policies: compute.firewallPolicies.get at org/folder level
Target scope — project ID, organization ID (for hierarchical firewall policies), Shared VPC host project if applicable
VPC Flow Logs — Step 1 checks subnet-level enablement. If no subnets have VPC Flow Logs, document as Critical

Procedure

Follow these six steps sequentially. Each builds on prior findings,

moving from inventory through security analysis to optimization.

Step 1: VPC Network Inventory and Design Assessment

Enumerate all VPC Networks in the target project and assess design.

gcloud compute networks list --project <project-id>
gcloud compute networks describe <network-name> --project <project-id>
gcloud compute networks subnets list --network <network-name>

For each VPC Network, evaluate:

Auto-mode vs custom-mode: Auto-mode VPC Networks create one subnet per region with predetermined /20 ranges from 10.128.0.0/9. Custom-mode requires explicit subnet creation. Production environments should use custom-mode. Auto-mode in production is a High finding.
Global scope: GCP VPC Networks are global — subnets are regional but the network spans all regions. Unlike AWS/Azure, a single VPC Network hosts subnets in every region without peering. Verify subnet distribution matches workload regions.
Subnet IP ranges: Primary ranges for VMs, secondary ranges for GKE Pod and Service CIDRs (alias IP ranges). Check for overlapping ranges and sufficient growth space.
Private Google Access: Enables VMs without external IPs to reach Google APIs. Disabled Private Google Access on internal-only subnets is a Medium finding.
VPC Flow Logs: Per-subnet enablement in GCP (not VPC-level like AWS). Subnets without VPC Flow Logs lack traffic visibility — flag as High for production.

Step 2: Firewall Rule Audit

Audit VPC Network firewall rules using GCP's priority-based evaluation and hierarchical firewall policies.

gcloud compute firewall-rules list --filter="network:<network-name>"
gcloud compute firewall-rules describe <rule-name>

Implied rules: Every VPC Network has implied deny-all-ingress and allow-all-egress at priority 65535. Not visible in gcloud compute firewall-rules list but active. Custom rules at 0–65534 override them.
Priority conflicts: An allow at priority 1000 overrides a deny at 2000. Verify deny rules have lower priority numbers than conflicting allows.
Target tags vs service accounts: Target tags are mutable labels — any project editor can change VM tags to bypass firewall rules. Service account targets are IAM-controlled and more secure. Flag tag-based rules on sensitive workloads as Medium.
Source ranges: Rules permitting ingress from 0.0.0.0/0. SSH/RDP from 0.0.0.0/0 is Critical. Verify broad ranges are justified.
Disabled rules: GCP firewall rules can be disabled without deletion. A disabled deny rule leaves a security gap.
Default network rules: The default VPC Network includes pre-created rules allowing ICMP, SSH, RDP, and internal traffic. Audit these permissive rules.

Hierarchical firewall policies:

gcloud compute firewall-policies list --organization <org-id>
gcloud compute firewall-policies describe <policy-name>
gcloud compute firewall-policies rules list --firewall-policy <policy-name>

Hierarchical firewall policies apply at organization or folder level and evaluate before VPC Network firewall rules. A deny in a hierarchical policy blocks traffic regardless of VPC-level allows. A goto_next action delegates to VPC-level rules. Verify hierarchical policies enforce org-wide baselines (e.g., block SSH from internet).

Step 3: Cloud NAT and Egress Analysis

Audit Cloud NAT gateways for egress capacity, port allocation, and logging.

gcloud compute routers nats list --router <router-name> --region <region>
gcloud compute routers nats describe <nat-name> --router <router-name> --region <region>

Cloud NAT provides outbound internet access for VMs without external IPs, configured on a Cloud Router.

IP allocation method: Automatic (GCP assigns IPs) or manual (reserved IPs). Manual provides predictable egress IPs for third-party allowlisting.
Port allocation: Default 64 minimum ports per VM. Port exhaustion drops connections. Check minPortsPerVm/maxPortsPerVm. High-connection workloads need increased allocations. Enable Dynamic Port Allocation for bursty workloads.
Endpoint-Independent Mapping: When enabled, Cloud NAT uses consistent IP:port mappings, improving protocol compatibility. Disabled by default.
Cloud NAT logging: Verify logConfig.enable. Options: ERRORS_ONLY, TRANSLATIONS_AND_ERRORS (recommended), ALL. Missing NAT logging reduces egress visibility.
Subnet coverage: Cloud NAT applies to all subnets or specific subnets. Verify production subnets are covered.

Step 4: Connectivity Analysis

Evaluate hybrid and cross-project connectivity via Cloud Interconnect, Cloud VPN, and Shared VPC.

Cloud Interconnect:

gcloud compute interconnects list
gcloud compute interconnects describe <interconnect-name>
gcloud compute interconnects attachments list --region <region>
gcloud compute interconnects attachments describe <attachment-name> --region <region>

VLAN attachment state: Verify state: ACTIVE and operationalStatus: OS_ACTIVE. UNPROVISIONED_ATTACHMENT means partner provisioning incomplete. OS_LACP_DOWN indicates link aggregation failure.
BGP session health: Each VLAN attachment peers with a Cloud Router via BGP. UP is healthy, DOWN indicates ASN mismatch, authentication failure, or network issue. Verify primary and redundant sessions.
MED values: Multi-Exit Discriminator influences route preference across multiple Cloud Interconnect attachments. Lower MED preferred. Verify values match active/standby design.
Redundancy: Production requires connections in two edge availability domains. Single-connection topology is a High finding.

Cloud VPN:

gcloud compute vpn-tunnels list
gcloud compute vpn-tunnels describe <tunnel-name> --region <region>
gcloud compute vpn-gateways list

Tunnel status: Should show status: ESTABLISHED. FIRST_HANDSHAKE indicates IKE negotiation in progress. NO_INCOMING_PACKETS suggests on-premises misconfiguration.
HA VPN: High Availability VPN provides two tunnels for 99.99% SLA. Use HA VPN for production (Classic VPN offers no redundancy SLA).

Shared VPC:

gcloud compute shared-vpc get-host-project <service-project-id>
gcloud compute shared-vpc list-associated-resources <host-project-id>
gcloud compute networks subnets get-iam-policy <subnet> --region <region> --project <host-project>

Host/service project model: Shared VPC lets a host project share VPC Network subnets with service projects. Verify host project designation and service project associations.
Subnet-level IAM: Shared VPC permissions granted per subnet via compute.networkUser role. Verify service accounts access only intended subnets.
Private Google Access inheritance: Service projects inherit settings from host project subnets. Verify enablement.

Step 5: Cloud Router and Routing Validation

Audit Cloud Router configuration for route advertisements, BGP settings, and dynamic routing mode.

gcloud compute routers list --project <project-id>
gcloud compute routers describe <router-name> --region <region>
gcloud compute routers get-status <router-name> --region <region>

Dynamic routing mode: regional or global. Regional: Cloud Routers advertise/learn routes only within their region. Global: routes propagate across all regions. Multi-region workloads accessing on-premises via single-region Cloud Interconnect require global mode.
Custom route advertisements: Default: advertise all subnets. Custom mode overrides — verify no subnets are accidentally excluded from advertisements.
Graceful restart: Preserves forwarding during Cloud Router updates. Enable for production routers.
AS path analysis: Review get-status learned routes and AS paths. Unexpected paths indicate route leaks or suboptimal selection.
Route priorities: Custom routes use priority 0–65535 (default 1000). Lower preferred. Verify priorities create intended active/standby or ECMP behavior.
Learned route limits: Cloud Router has per-region learned route limits. Approaching limits causes drops — check get-status for count versus limits.

Step 6: Report and Optimization

Compile findings and identify optimization opportunities.

gcloud compute addresses list --filter="status=RESERVED" --project <project-id>
gcloud compute instances list --filter="networkInterfaces[].accessConfigs[].natIP:*"
gcloud compute firewall-rules list --filter="disabled=true"

Unused static IPs: Reserved external IPs not associated with resources incur charges. Release unused addresses.
Disabled firewall rules: Create audit confusion. Delete or document justification.
Over-permissive tag-based rules: Firewall rules targeting broad tags on high-privilege workloads should migrate to service account targets.
IP address utilization: GCP reserves 4 addresses per subnet. Subnets with <10% available are exhaustion risks. Over-provisioned subnets waste space in Shared VPC.
Cloud NAT consolidation: Multiple gateways per region unnecessary unless subnets need different configs.

Compile the findings report using the Report Template section.

Threshold Tables

Firewall Rule Severity

Finding	Severity	Rationale
---------	----------	-----------
Firewall rule allows SSH (22) from 0.0.0.0/0	Critical	Shell access from internet
Firewall rule allows RDP (3389) from 0.0.0.0/0	Critical	Remote desktop from internet
Firewall rule allows all ports from 0.0.0.0/0	Critical	No port restriction on ingress
Target tag on sensitive workload instead of service account	High	Tags mutable by project editors
Hierarchical firewall policy missing at org level	High	No organization-wide baseline
VPC Flow Logs disabled on production subnet	High	No traffic visibility
Firewall rule with priority 0	High	Audit for broad scope
Disabled firewall rule undocumented	Medium	Audit confusion risk
Auto-mode VPC Network in production	Medium	Uncontrolled IP allocation
Firewall rule with >20 source ranges	Medium	Excessive complexity

Cloud Interconnect Health

Metric	Severity	Action
--------	----------	--------
VLAN attachment state not ACTIVE	Critical	No traffic flow — engage provider
BGP session DOWN	High	Check ASN, authentication, link
Single edge availability domain	High	No redundancy — add second
Learned route count >80% limit	Medium	Approaching route capacity

Cloud NAT Port Utilization

Available Ports (%)	Severity	Action
---------------------	----------	--------
<10%	Critical	Connection drops — increase allocation
10–25%	High	Enable Dynamic Port Allocation
25–50%	Medium	Monitor trend
>50%	Low	Healthy

Decision Trees

Is This Firewall Rule Overly Permissive?

Firewall rule under review
├── Source range is 0.0.0.0/0?
│   ├── Yes
│   │   ├── Port = 22 (SSH) or 3389 (RDP)?
│   │   │   ├── Yes → CRITICAL: Use IAP tunnel instead
│   │   │   └── No
│   │   │       ├── Port = 443 on load balancer backend?
│   │   │       │   ├── Yes → Acceptable for public services
│   │   │       │   └── No → HIGH: Review necessity
│   │   │       └── All ports (all protocols)?
│   │   │           └── CRITICAL: Unrestricted ingress
│   │   └── Is rule disabled?
│   │       ├── Yes → LOW: Verify it should remain disabled
│   │       └── No → Classify severity by port scope
│   └── No (specific CIDR or service account source)
│       ├── Target uses service account? → Stronger binding
│       └── Target uses network tag?
│           ├── Tag on sensitive workload? → MEDIUM: Migrate to service account
│           └── Tag on dev/test? → LOW: Acceptable

Is This VPC Network Design Following GCP Best Practices?

VPC Network under review
├── Custom-mode?
│   ├── No (auto-mode) → MEDIUM for production
│   └── Yes
│       ├── Subnets in required regions? → Verify
│       ├── VPC Flow Logs on production subnets?
│       │   ├── No → HIGH: No traffic visibility
│       │   └── Yes → Check aggregation and sampling
│       └── Private Google Access?
│           ├── No → MEDIUM: Internal VMs cannot reach APIs
│           └── Yes → Good
├── Shared VPC?
│   ├── Yes → Audit host designation, subnet IAM, associations
│   └── No → OK for single-project
├── Hierarchical firewall policy?
│   ├── No → HIGH: No org-wide baseline
│   └── Yes → Audit goto_next vs deny
└── Dynamic routing mode?
    ├── Regional + multi-region → Switch to global
    └── Global → Verify cross-region propagation

Report Template

GCP VPC NETWORK AUDIT REPORT
================================
Project: [project-id] ([project-name])
Organization: [org-id or N/A]
VPC Network: [network-name]
Routing Mode: [regional/global]
Network Type: [auto-mode/custom-mode]
Audit Date: [timestamp]
Performed By: [operator/agent]

VPC NETWORK ARCHITECTURE:
Subnets: [total] across [n] regions
Type: [auto-mode/custom-mode]
Private Google Access: [enabled on n/total subnets]
VPC Flow Logs: [enabled on n/total subnets]

FIREWALL RULES:
Total: [n] | With 0.0.0.0/0 ingress: [n] | Disabled: [n]
Target type: tag-based:[n] service-account:[n] all-instances:[n]
Hierarchical policies: [n at org] [n at folder]

CLOUD NAT:
Gateways: [n] | Covered subnets: [n]
IP allocation: [automatic/manual] | Port min: [n]
NAT logging: [enabled/disabled]

CONNECTIVITY:
Cloud Interconnect: [n attachments] | BGP: [UP/DOWN]
Cloud VPN: [n tunnels] | Status: [ESTABLISHED/other]
Shared VPC: [host-project or N/A] | Service projects: [n]

CLOUD ROUTER:
Routers: [n] | Dynamic mode: [regional/global]
Custom advertisements: [yes/no]
Graceful restart: [enabled/disabled]
Learned routes: [n] / [limit]

OPTIMIZATION:
Unused static IPs: [n] | Disabled firewall rules: [n]
Tag-based rules on sensitive workloads: [n]
Cloud NAT port utilization: [assessment]

FINDINGS:
1. [Severity] [Category] — [Description]
   Resource: [resource-name] → Recommendation: [action]

RECOMMENDATIONS: [prioritized by severity]
NEXT AUDIT: [CRITICAL: 30d, HIGH: 90d, clean: 180d]

Troubleshooting

VPC Flow Logs Not Enabled on Subnets

VPC Flow Logs in GCP are subnet-level, not VPC-level. Each subnet must

be individually enabled. Enabling is non-disruptive. Missing VPC Flow

Logs on production subnets is a High finding.

Firewall Rule Not Applied to Expected VMs

Verify the target: if using a target tag, confirm the tag is on the VM

(tags are case-sensitive). If using a service account target, verify the

VM runs with that account. Firewall rules with no target apply to all

VMs in the VPC Network.

Cloud Interconnect VLAN Attachment Not Active

Check state and operationalStatus. UNPROVISIONED_ATTACHMENT means

partner provisioning incomplete. OS_LACP_DOWN indicates Layer 2

failure. Verify Cloud Router BGP session has correct ASN and IP pair.

Shared VPC Service Project Cannot Deploy to Subnet

Verify the deploying service account has compute.networkUser on the

specific subnet in the host project. Subnet-level IAM is required even

if the service project is associated with the host project.

Cloud Router BGP Session Flapping

Check Cloud Logging with resource.type="gce_router". Common causes:

on-premises router exceeding learned route limit, authentication key

mismatch, or MTU issues on the Cloud Interconnect link. Enable graceful

restart to preserve forwarding during brief flaps.

Gcp Networking Audit

概述