Profile Applicability:
Level 2
Description:
To enhance security, delete the default network in each Google Cloud project. The default network is created in auto mode with a preconfigured set of permissive firewall rules and a fixed, predefined IP range, which makes it both insecure and of limited use for scalable networking.
Rationale:
The default network is created with the following permissive firewall rules:
default-allow-internal: Allows ingress for all protocols and ports (tcp:0-65535, udp:0-65535, icmp) from the source range 10.128.0.0/9, i.e. from every auto mode subnet.
default-allow-ssh: Permits ingress on TCP port 22 (SSH) from any source (0.0.0.0/0).
default-allow-rdp: Permits ingress on TCP port 3389 (RDP) from any source (0.0.0.0/0).
default-allow-icmp: Permits ICMP ingress from any source (0.0.0.0/0).
Firewall rule logging is disabled on these rules by default, so connections they admit leave no record in Cloud Logging, and the SSH, RDP and ICMP rules expose every instance that has an external IP address to the whole Internet. Additionally, because the default network is an auto mode network, its subnets are carved from the same predefined range (10.128.0.0/9) in every project; two such networks overlap, which makes the default network unsuitable for VPC Network Peering and for Cloud VPN to other networks using that range. Deleting the default network lets organizations build custom mode networks whose ranges and rules match their security and networking requirements.
Impact:
All assets (VM instances, forwarding rules, Cloud Routers and similar) must be migrated from the default network to a newly created custom mode network before it is deleted; the network cannot be deleted while any resource still references it. Plan the migration so that operations continue uninterrupted while adhering to security best practices.
Default Value:
By default, a default network is created for each project.
Audit Steps:
Using Google Cloud Console:
Navigate to the VPC networks page in the Google Cloud Console (https://console.cloud.google.com/networking/networks/list).
Verify that no network named default exists in the list.
Using Google Cloud CLI:
Set the project:
gcloud config set project PROJECT_ID
List all networks in the project:
gcloud compute networks list
Confirm that default is not listed.
Remediation Steps:
Using Google Cloud Console:
Navigate to the VPC networks page in the Google Cloud Console (https://console.cloud.google.com/networking/networks/list).
Click the default network to open its details page.
Click DELETE VPC NETWORK and confirm the deletion.
If necessary, create a new custom mode network to replace the default network.
Using Google Cloud CLI:
Delete the default network (the command fails with an "already being used by" error while any resource, including a firewall rule, still references the network; delete those resources first):
gcloud compute networks delete default
If required, create a replacement network in custom mode (a plain create defaults to auto mode, which recreates the fixed 10.128.0.0/9 ranges this control removes):
gcloud compute networks create NETWORK_NAME --subnet-mode=custom
Prevention:
Prevent default network creation in new projects by enforcing the organization policy constraint constraints/compute.skipDefaultNetworkCreation:
Open Organization policies in the Google Cloud Console and select the constraint Skip default network creation.
Set the policy to Enforced at the organization (or folder) level. The constraint only affects projects created after it is enforced; existing projects keep their default network and still need the remediation above.
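The following script is an added example, not part of the benchmark text or of any Google tooling. It ties the audit, remediation and prevention steps above together: audit_networks parses the output of gcloud compute networks list so the check can be run (and tested) offline on constructed sample listings, and the live_* functions wrap the real gcloud commands. It assumes gcloud is installed and authenticated, that PROJECT_ID and ORG_ID are placeholders you supply, and that the sample listings below are constructed, not captured from a real project.

```shell
#!/usr/bin/env sh
# Added example for the "default network" control. Not benchmark or Google code.
# Assumptions: gcloud installed and authenticated; PROJECT_ID / ORG_ID supplied
# by the caller; the live_* functions are defined but not run by this file.

# Constructed sample of
#   gcloud compute networks list --format="value(name,autoCreateSubnetworks)"
# for a non-compliant project (second column True = auto mode network).
SAMPLE_NONCOMPLIANT='default True
prod-vpc False'

# Constructed sample for a compliant project.
SAMPLE_COMPLIANT='prod-vpc False
shared-vpc False'

# audit_networks LISTING
# Parses a "name autoCreateSubnetworks" listing. Returns 0 (PASS) when no
# network is named "default", 1 (FAIL) otherwise, and reports what it found.
audit_networks() {
  found=0
  while read -r name auto; do
    [ -z "$name" ] && continue
    if [ "$name" = "default" ]; then
      echo "FAIL: network 'default' exists (autoCreateSubnetworks=$auto)"
      found=1
    fi
  done <<EOF
$1
EOF
  if [ "$found" -eq 0 ]; then
    echo "PASS: no network named 'default'"
  fi
  return "$found"
}

# live_audit PROJECT_ID: runs the audit against a real project.
live_audit() {
  audit_networks "$(gcloud compute networks list --project "$1" \
      --format="value(name,autoCreateSubnetworks)")"
}

# live_remediate PROJECT_ID: deletes the firewall rules that reference the
# default network (matched by regex on the network URL, so a network such as
# "default-vpc" is not touched), then the network itself. The delete fails and
# leaves the network in place while instances or other resources still use it,
# which is the intended safety net: migrate those first.
live_remediate() {
  project="$1"
  rules=$(gcloud compute firewall-rules list --project "$project" \
      --filter="network~/networks/default\$" --format="value(name)")
  if [ -n "$rules" ]; then
    # word splitting of $rules into separate names is intentional
    gcloud compute firewall-rules delete $rules --project "$project" --quiet
  fi
  gcloud compute networks delete default --project "$project" --quiet
}

# live_replacement PROJECT_ID NETWORK_NAME: creates the custom mode replacement.
# Plain `gcloud compute networks create` defaults to auto mode, which would
# recreate the fixed 10.128.0.0/9 ranges this control removes.
live_replacement() {
  gcloud compute networks create "$2" --project "$1" --subnet-mode=custom
}

# live_prevent ORG_ID: enforces constraints/compute.skipDefaultNetworkCreation
# so projects created under the organization never get a default network.
live_prevent() {
  gcloud resource-manager org-policies enable-enforce \
      compute.skipDefaultNetworkCreation --organization "$1"
}

# Offline demonstration on the constructed samples.
audit_networks "$SAMPLE_NONCOMPLIANT" || :   # prints the FAIL line, exits 1
audit_networks "$SAMPLE_COMPLIANT"           # prints the PASS line, exits 0
```

Run the offline part as-is to see both verdicts; for a real project call live_audit PROJECT_ID, and only after the migration in the Impact section is complete call live_remediate PROJECT_ID followed by live_replacement PROJECT_ID NETWORK_NAME.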