Projects should only use non-default VPC networks
Description
To prevent use of the default network, a project should not have a default network.
Default value
By default, a default network is created for each project.
Rationale
The default network has a preconfigured network configuration and automatically generates the following insecure firewall rules:
- default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.
- default-allow-ssh: Allows ingress connections on TCP port 22 (SSH) from any source to any instance in the network.
- default-allow-rdp: Allows ingress connections on TCP port 3389 (RDP) from any source to any instance in the network.
- default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.
These automatically-created firewall rules do not get audit-logged and cannot be configured to enable firewall rule logging.
Furthermore, the default network is an auto-mode network, which means that its subnets use the same predefined range of IP addresses. As a result, it’s not possible to use Cloud VPN or VPC Network Peering with the default network.
Based on organization security and networking requirements, the organization should create a new network and delete the default network.
Impact
When an organization deletes the default network, it may need to migrate services onto a new network.
From the console
- Go to the VPC networks page.
- Click the network named default.
- On the network detail page, click EDIT.
- Click DELETE VPC NETWORK.
- If needed, create a new network to replace the default network.
From the command line
Delete the default network:
gcloud compute networks delete default
If needed, create a new network to replace it:
gcloud compute networks create NETWORK_NAME
Prevention
You can prevent the default network and its insecure firewall rules from being created by setting up an Organization Policy to skip default network creation at https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation.
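The command-line remediation above and the Organization Policy prevention step can be driven from an audit of what the project actually contains. The following is an added example, not Datadog's or Google's code: it parses the JSON shape emitted by gcloud compute networks list --format=json and gcloud compute firewall-rules list --format=json, reports whether the default network is present, which of the four auto-created rules still exist on it, and which custom rules would need recreating on a replacement network (the migration concern under Impact), and then emits the gcloud commands to remove the network and enforce the compute.skipDefaultNetworkCreation constraint. The sample JSON documents are constructed for illustration; example-proj and ORG_ID are placeholders.

```python
"""Audit a GCP project for the auto-created 'default' VPC network.

Added example; not Datadog's or Google's code. The sample JSON below is
constructed to mimic `gcloud ... --format=json` output; `example-proj`
and `ORG_ID` are placeholders.
"""
import json

# Firewall rules Google creates alongside the default network.
AUTO_CREATED_RULES = {
    "default-allow-internal",
    "default-allow-ssh",
    "default-allow-rdp",
    "default-allow-icmp",
}

NET_PREFIX = "https://www.googleapis.com/compute/v1/projects/example-proj/global/networks/"

# Constructed sample: the auto-mode 'default' network plus a custom VPC.
SAMPLE_NETWORKS = json.dumps([
    {"name": "default", "autoCreateSubnetworks": True,
     "selfLink": NET_PREFIX + "default"},
    {"name": "prod-vpc", "autoCreateSubnetworks": False,
     "selfLink": NET_PREFIX + "prod-vpc"},
])

# Constructed sample: two of the four auto-created rules still on 'default',
# one custom rule someone added to 'default', one rule on the custom VPC.
SAMPLE_FIREWALLS = json.dumps([
    {"name": "default-allow-ssh", "network": NET_PREFIX + "default",
     "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-internal", "network": NET_PREFIX + "default",
     "direction": "INGRESS", "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                 {"IPProtocol": "udp", "ports": ["0-65535"]},
                 {"IPProtocol": "icmp"}]},
    {"name": "app-allow-https", "network": NET_PREFIX + "default",
     "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "prod-allow-lb", "network": NET_PREFIX + "prod-vpc",
     "direction": "INGRESS", "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
])


def network_name(self_link):
    """Last path segment of a network selfLink ('.../networks/default' -> 'default')."""
    return self_link.rsplit("/", 1)[-1]


def audit_default_network(networks_json, firewalls_json):
    """Return findings about the 'default' network; {} when it is absent (compliant)."""
    networks = json.loads(networks_json)
    default = next((n for n in networks if n["name"] == "default"), None)
    if default is None:
        return {}
    attached = [fw for fw in json.loads(firewalls_json)
                if network_name(fw.get("network", "")) == "default"]
    return {
        # Auto-mode: subnets use the predefined ranges, so Cloud VPN and
        # VPC Network Peering cannot be used with this network.
        "auto_mode": bool(default.get("autoCreateSubnetworks")),
        # Rules Google created with the network; these cannot have
        # firewall-rule logging enabled.
        "auto_created_rules": sorted(
            fw["name"] for fw in attached if fw["name"] in AUTO_CREATED_RULES),
        # Rules added later: recreate these on the replacement VPC before
        # deleting the default network (the migration noted under Impact).
        "custom_rules": sorted(
            fw["name"] for fw in attached if fw["name"] not in AUTO_CREATED_RULES),
    }


def remediation_commands(findings, project, org_id="ORG_ID"):
    """gcloud commands to remove the default network and stop it being recreated.

    Firewall rules reference the network, so they are deleted first; the
    network delete is refused while any rule still points at it.
    """
    if not findings:
        return []
    cmds = [f"gcloud compute firewall-rules delete {name} --project={project} --quiet"
            for name in findings["auto_created_rules"] + findings["custom_rules"]]
    cmds.append(f"gcloud compute networks delete default --project={project} --quiet")
    # Boolean org-policy constraint behind the Prevention section.
    cmds.append("gcloud resource-manager org-policies enable-enforce "
                f"compute.skipDefaultNetworkCreation --organization={org_id}")
    return cmds


if __name__ == "__main__":
    result = audit_default_network(SAMPLE_NETWORKS, SAMPLE_FIREWALLS)
    print(json.dumps(result, indent=2))
    print("\n".join(remediation_commands(result, "example-proj")))
```

Run against real output by piping the two gcloud list commands into files and passing their contents to audit_default_network; the returned dict is empty only when no network named default exists, which is the compliant state this rule checks for. The org-policy command assumes the caller has permission to set policy at the organization level; the constraint can equally be enforced on a folder or single project.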
References
- https://cloud.google.com/compute/docs/networking#firewall_rules
- https://cloud.google.com/compute/docs/reference/latest/networks/insert
- https://cloud.google.com/compute/docs/reference/latest/networks/delete
- https://cloud.google.com/vpc/docs/firewall-rules-logging
- https://cloud.google.com/vpc/docs/vpc#default-network
- https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete