Restrict VPC Peering Usage

More Info:

Ensure that “Restrict VPC Peering Usage” policy is enforced for your GCP organizations.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of “Restrict VPC Peering Usage” in GCP using GCP CLI, please follow the below steps:

Open the Cloud Shell in your GCP Console.
Run the following command to get a list of all the VPC networks in your project:

gcloud compute networks list

Identify the VPC network that you want to update and note down its name.
Run the following command to update the VPC network to restrict VPC peering usage:

gcloud compute networks update [NETWORK_NAME] --no-enable-peerings

Replace [NETWORK_NAME] with the name of the VPC network that you want to update. This command will disable VPC peering for the specified network.

Verify that VPC peering is disabled for the network by running the following command:

gcloud compute networks describe [NETWORK_NAME] | grep peerings

If the output of the above command shows “peerings: []”, it means VPC peering is disabled for the network.

By following these steps, you can remediate the misconfiguration of “Restrict VPC Peering Usage” in GCP using GCP CLI.

Using Python

To remediate the misconfiguration of “Restrict VPC Peering Usage” in GCP using Python, you can follow the below steps:

First, you need to get the list of all the VPC networks in your GCP project using the list method of the compute client.

from google.cloud import compute_v1

def get_vpc_networks(project_id):
    compute_client = compute_v1.ComputeClient()
    zone = 'us-central1-a'
    networks = []
    for network in compute_client.networks().list(project=project_id, zone=zone).execute()['items']:
        networks.append(network['name'])
    return networks

Next, you need to get the list of all the peering connections in your project using the list method of the compute client.

def get_peering_connections(project_id):
    compute_client = compute_v1.ComputeClient()
    zone = 'us-central1-a'
    peering_connections = []
    for peering_connection in compute_client.global_operations().list(project=project_id, filter='operationType=peering.networks.patch').execute()['items']:
        peering_connections.append(peering_connection['targetLink'].split('/')[-1])
    return peering_connections

Once you have the list of VPC networks and peering connections, you can iterate through each peering connection and check if it is using the restricted VPC network.

def restrict_vpc_peering_usage(project_id):
    compute_client = compute_v1.ComputeClient()
    zone = 'us-central1-a'
    restricted_network = 'restricted-vpc'
    peering_connections = get_peering_connections(project_id)
    for peering_connection in peering_connections:
        peering_network = compute_client.networks().get(project=project_id, network=peering_connection).execute()
        if peering_network['name'] == restricted_network:
            patch_request_body = {
                "networkPeering": {
                    "state": "DISABLED"
                }
            }
            compute_client.networks().patch(project=project_id, network=peering_connection, body=patch_request_body).execute()

In the above code, we are checking if the peering connection is using the restricted VPC network. If it is, we are disabling the peering connection using the patch method of the compute client.
You can call the restrict_vpc_peering_usage function with your GCP project ID to remediate the misconfiguration.

Note: Make sure to authenticate your python script with appropriate GCP credentials before running the above code.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Restrict VPC Peering Usage

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation