Profile Applicability:

Level 1

Description:

Legacy networks are deprecated and no longer supported for new projects in Google Cloud. This recommendation ensures that older projects do not utilize legacy networks, which lack modern features such as subnetting and are globally scoped.

Rationale:

Legacy networks have the following limitations:

  • They use a single global IPv4 prefix range and gateway IP address.

  • They cannot be divided into subnetworks, leading to reduced scalability and flexibility.

  • Legacy networks span all cloud regions, introducing a single point of contention or failure.

  • They are unsuitable for high network traffic projects, lacking modern network controls available in auto or custom subnet networks.

Ensuring legacy networks are not in use helps improve scalability, performance, and security while adhering to modern networking standards.

Impact:

Legacy networks are gradually being phased out. Ensuring their absence eliminates potential risks associated with outdated configurations.

Default Value:

By default, networks are not created in legacy mode in new projects.

Audit Steps:

Using Google Cloud CLI:

Set the project name in the Google Cloud Shell:

gcloud config set project <PROJECT_ID>

List the networks configured in the project:

gcloud compute networks list

Review the MODE column in the output. None of the listed networks should have the mode set to LEGACY.
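As an added example (not part of the benchmark text), a POSIX shell helper that automates the audit step above: it reads the output of gcloud compute networks list in csv[no-heading] format and flags any network whose subnet mode is LEGACY. The format keys name and x_gcloud_subnet_mode are assumed to match the current gcloud output columns; the sample network list is constructed.

```shell
#!/bin/sh
# Added audit helper (not from the benchmark): flag LEGACY-mode networks.
# Real usage, one project at a time (format keys assumed to match gcloud):
#   gcloud compute networks list \
#       --format="csv[no-heading](name,x_gcloud_subnet_mode)" | find_legacy_networks
# Or across every project the caller can see:
#   for p in $(gcloud projects list --format="value(projectId)"); do
#       gcloud compute networks list --project "$p" \
#           --format="csv[no-heading](name,x_gcloud_subnet_mode)" | find_legacy_networks "$p"
#   done

# Reads "name,mode" lines on stdin and prints one line per LEGACY network,
# prefixed with the optional project id given in $1. Exit status is 1 when
# at least one legacy network was found and 0 when the project is clean.
find_legacy_networks() {
    awk -F, -v project="${1:-}" '
        $2 == "LEGACY" {
            if (project != "") printf "%s: ", project
            print "legacy network found: " $1
            found = 1
        }
        END { exit found ? 1 : 0 }'
}

# Constructed sample output in the same csv[no-heading] format (not from a real project).
SAMPLE_NETWORKS='default,AUTO
prod-vpc,CUSTOM
old-net,LEGACY'

# Runs the check over the constructed sample so it can be exercised without gcloud.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETWORKS" | find_legacy_networks "example-project"
}
```

The non-zero exit status makes the helper usable as a gate in a scheduled compliance job or CI pipeline.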

Remediation Steps:

Using Google Cloud CLI:

Create a new non-legacy network in auto or custom subnet mode (see the Google Cloud documentation for the available options):

gcloud compute networks create <NETWORK_NAME> --subnet-mode=custom

Delete the legacy network (see the Google Cloud documentation on deleting legacy networks):

gcloud compute networks delete <LEGACY_NETWORK_NAME>

Migrate resources first: before deleting legacy networks, migrate all resources (e.g., VMs, routes, firewall rules) to the newly created network.

References:

  1. Google Cloud: Legacy Networks Overview

  2. Google Cloud: Deleting Legacy Networks

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
4.2 Establish and Maintain Secure Configuration | Maintain secure configurations for network devices, reviewing and updating them annually or upon significant changes. | | |
11.1 Maintain Standard Security Configurations | Document and maintain standard security configurations for all authorized network devices. | | |