<  Back to rules search

The default network does not exist in a project


To prevent use of the default network, a project should not have a default network.

Default value

By default, for each project, a default network is created.


The default network has a preconfigured network configuration and automatically generates the following insecure firewall rules:

  • default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.
  • default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.
  • default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.
  • default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.

These automatically-created firewall rules do not get audit-logged and cannot be configured to enable firewall rule logging.

Furthermore, the default network is an auto-mode network, which means that its subnets use the same predefined range of IP addresses. As a result, it’s not possible to use Cloud VPN or VPC Network Peering with the default network.

Based on organization security and networking requirements, the organization should create a new network and delete the default network.


When an organization deletes the default network, it may need to migrate services onto a new network.


From the console

  1. Go to the VPC networks page.
  2. Click the network named default.
  3. On the network detail page, click EDIT.
  5. If needed, create a new network to replace the default network.

From the command line

  1. Delete the default network:

    gcloud compute networks delete default
  2. If needed, create a new network to replace it:

    gcloud compute networks create NETWORK_NAME


You can prevent the default network and its insecure firewall rules from being created by setting up an Organization Policy to skip default network creation at https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation.


  1. https://cloud.google.com/compute/docs/networking#firewall_rules
  2. https://cloud.google.com/compute/docs/reference/latest/networks/insert
  3. https://cloud.google.com/compute/docs/reference/latest/networks/delete
  4. https://cloud.google.com/vpc/docs/firewall-rules-logging
  5. https://cloud.google.com/vpc/docs/vpc#default-network
  6. https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete