More Info:

Ensure that “Restrict VPC Peering Usage” policy is enforced for your GCP organizations.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

CBP

Remediation

Using Console

To remediate the misconfiguration of not restricting VPC Peering Usage in GCP using GCP Console, follow these steps:

  1. Open the GCP Console and navigate to the VPC Network page.

  2. Select the VPC network that needs to be remediated.

  3. Click on the “Edit” button at the top of the page.

  4. Scroll down to the “VPC Network Peering” section and click on “Edit”.

  5. In the “Peering” tab, select the peering connection that needs to be restricted.

  6. In the “Details” section, click on the “Edit” button.

  7. In the “Restrict VPC network peering” section, select the “Only allow peering from the following VPC networks” option.

  8. Select the VPC networks that are allowed to peer with this VPC network.

  9. Click on the “Save” button to apply the changes.

  10. Repeat the above steps for all the VPC networks that need to be remediated.

Once you have completed these steps, VPC Peering Usage will be restricted to only the allowed VPC networks.

Using CLI

To remediate the misconfiguration of “Restrict VPC Peering Usage” in GCP using GCP CLI, please follow the below steps:

  1. Open the Cloud Shell in your GCP Console.
  2. Run the following command to get a list of all the VPC networks in your project:
gcloud compute networks list
  1. Identify the VPC network that you want to update and note down its name.
  2. Run the following command to update the VPC network to restrict VPC peering usage:
gcloud compute networks update [NETWORK_NAME] --no-enable-peerings

Replace [NETWORK_NAME] with the name of the VPC network that you want to update. This command will disable VPC peering for the specified network.

  1. Verify that VPC peering is disabled for the network by running the following command:
gcloud compute networks describe [NETWORK_NAME] | grep peerings
  1. If the output of the above command shows “peerings: []”, it means VPC peering is disabled for the network.

By following these steps, you can remediate the misconfiguration of “Restrict VPC Peering Usage” in GCP using GCP CLI.

Using Python

To remediate the misconfiguration of “Restrict VPC Peering Usage” in GCP using Python, you can follow the below steps:

  1. First, you need to get the list of all the VPC networks in your GCP project using the list method of the compute client.
from google.cloud import compute_v1

def get_vpc_networks(project_id):
    compute_client = compute_v1.ComputeClient()
    zone = 'us-central1-a'
    networks = []
    for network in compute_client.networks().list(project=project_id, zone=zone).execute()['items']:
        networks.append(network['name'])
    return networks
  1. Next, you need to get the list of all the peering connections in your project using the list method of the compute client.
def get_peering_connections(project_id):
    compute_client = compute_v1.ComputeClient()
    zone = 'us-central1-a'
    peering_connections = []
    for peering_connection in compute_client.global_operations().list(project=project_id, filter='operationType=peering.networks.patch').execute()['items']:
        peering_connections.append(peering_connection['targetLink'].split('/')[-1])
    return peering_connections
  1. Once you have the list of VPC networks and peering connections, you can iterate through each peering connection and check if it is using the restricted VPC network.
def restrict_vpc_peering_usage(project_id):
    compute_client = compute_v1.ComputeClient()
    zone = 'us-central1-a'
    restricted_network = 'restricted-vpc'
    peering_connections = get_peering_connections(project_id)
    for peering_connection in peering_connections:
        peering_network = compute_client.networks().get(project=project_id, network=peering_connection).execute()
        if peering_network['name'] == restricted_network:
            patch_request_body = {
                "networkPeering": {
                    "state": "DISABLED"
                }
            }
            compute_client.networks().patch(project=project_id, network=peering_connection, body=patch_request_body).execute()

  1. In the above code, we are checking if the peering connection is using the restricted VPC network. If it is, we are disabling the peering connection using the patch method of the compute client.

  2. You can call the restrict_vpc_peering_usage function with your GCP project ID to remediate the misconfiguration.

Note: Make sure to authenticate your python script with appropriate GCP credentials before running the above code.