More Info:

Ensure that “Skip Default Network Creation” constraint policy is enforced for your Google Cloud Platform (GCP) organizations in order to follow security best practices and meet networking requirements. Once enabled, this constraint skips the creation of the default Virtual Private Cloud (VPC) network and related resources during Google Cloud project creation.

Risk Level

Medium

Address

Operational Maturity, Reliability, Security

Compliance Standards

CBP

Remediation

Using Console

To remediate the misconfiguration “Skip Default VPC Network Creation” in GCP using the GCP console, follow the below steps:

  1. Open the GCP console and navigate to the VPC networks page.
  2. Click on the “Create VPC network” button.
  3. In the “Name” field, enter a name for the VPC network.
  4. In the “IPv4 CIDR block” field, enter the CIDR block for the VPC network. For example, you can use the CIDR block 10.0.0.0/16.
  5. Under the “Subnets” section, click on the “Add subnet” button.
  6. In the “Name” field, enter a name for the subnet.
  7. In the “Region” field, select the region where you want to create the subnet.
  8. In the “IP address range” field, enter the IP address range for the subnet. For example, you can use the IP address range 10.0.0.0/24.
  9. Click on the “Create” button to create the VPC network and the subnet.

By following the above steps, you have successfully remediated the misconfiguration “Skip Default VPC Network Creation” in GCP using the GCP console.

Using CLI

To remediate the “Skip Default VPC Network Creation” misconfiguration in GCP using GCP CLI, follow these steps:

  1. Open the Cloud Shell in your GCP console.
  2. Run the following command to list all the existing VPC networks in your project:
gcloud compute networks list
  1. If you do not have any custom VPC network created, you can create a new one using the following command:
gcloud compute networks create <network-name> --subnet-mode=auto

Note: Replace <network-name> with a name of your choice.

  1. If you have an existing custom VPC network, you can use that instead of creating a new one.

  2. Once the custom VPC network is created, you can create subnets in it using the following command:

gcloud compute networks subnets create <subnet-name> --network=<network-name> --region=<region>

Note: Replace <subnet-name> with a name of your choice, <network-name> with the name of the custom VPC network created in step 3 or 4, and <region> with the region where you want to create the subnet.

  1. You can repeat step 5 to create multiple subnets in the custom VPC network.

  2. Once the subnets are created, you can launch your instances in the custom VPC network and the subnets created in it.

By following these steps, you can remediate the “Skip Default VPC Network Creation” misconfiguration in GCP using GCP CLI.

Using Python

To remediate the “Skip Default VPC Network Creation” misconfiguration in GCP using Python, you can follow the below steps:

  1. First, you need to create a new VPC network in GCP. You can use the following Python code to create a new VPC network:
from google.cloud import compute_v1

def create_vpc_network(project_id, network_name, subnet_name, region):
    """
    This function creates a new VPC network and subnet in the specified region.
    """
    client = compute_v1.NetworksClient()
    subnet_client = compute_v1.SubnetworksClient()

    # Build the network object
    network = {
        "name": network_name,
        "auto_create_subnetworks": False,
    }

    # Create the network
    operation = client.insert(project=project_id, body=network)
    operation.wait()

    # Build the subnet object
    subnet = {
        "name": subnet_name,
        "ip_cidr_range": "10.0.0.0/24",
        "region": region,
        "network": f"projects/{project_id}/global/networks/{network_name}",
    }

    # Create the subnet
    subnet_operation = subnet_client.insert(project=project_id, region=region, body=subnet)
    subnet_operation.wait()

    print(f"Created VPC network '{network_name}' and subnet '{subnet_name}' in region '{region}'.")
  1. Once you have created the new VPC network, you can modify your GCP project to use this new network as the default VPC network. You can use the following Python code to modify the project:
from google.cloud import compute_v1

def set_default_network(project_id, network_name):
    """
    This function sets the specified VPC network as the default network for the project.
    """
    client = compute_v1.ProjectsClient()

    # Build the project object
    project = {
        "name": f"projects/{project_id}",
        "defaultNetworkTier": "PREMIUM",
        "autoCreateNetwork": False,
        "network": f"projects/{project_id}/global/networks/{network_name}",
    }

    # Update the project
    operation = client.update(project=project["name"], body=project)
    operation.wait()

    print(f"Set VPC network '{network_name}' as the default network for project '{project_id}'.")
  1. Finally, you can call the above two functions to create a new VPC network and set it as the default network for your GCP project. You can use the following Python code to do this:
project_id = "your-project-id"
network_name = "your-network-name"
subnet_name = "your-subnet-name"
region = "your-region"

create_vpc_network(project_id, network_name, subnet_name, region)
set_default_network(project_id, network_name)

By following the above steps, you can remediate the “Skip Default VPC Network Creation” misconfiguration in GCP using Python.