Google Cloud Platform Security Checklist : Part 3/7 — Network Security

Hassene BELGACEM
Google Cloud - Community
5 min read · May 7, 2023
Network Security

In this third article of our Google Cloud Platform (GCP) security best practices series, we will discuss the importance of network security and provide recommendations to help you secure your GCP infrastructure. By implementing these best practices, you can ensure that your network remains protected against potential threats and vulnerabilities.

Best Practices Checklist

1. Use Hub and Spoke Design for Network

Adopt a hub and spoke architecture with centralized VPCs (hubs) and dedicated VPCs (spokes) for different workloads. This design enables better control over east-west (between spokes) and north-south (between the hub and the internet) traffic. By using a centralized VPC for shared services, you can effectively manage firewall rules, routing policies, and access controls across your organization.

2. Establish a Shared VPC for Each Environment Category and Security Level

Organize your Google Cloud resources into Shared VPCs based on environment type (e.g., development, staging, production) and security level (e.g., low, medium). This gives a clear separation of workloads, prevents unintended exposure or data leakage between environments, and makes access control and network policies easier to reason about, since a rule in one Shared VPC cannot accidentally open a path into another. For high-security workloads, consider a dedicated (non-shared) VPC so that no other team's service projects can attach to it.

3. Delete Default Networks

Instead of using the default network, which is created automatically in every new project with an auto-mode subnet in every region and a set of pre-populated firewall rules (default-allow-ssh, default-allow-rdp and default-allow-icmp open ports 22, 3389 and ICMP to 0.0.0.0/0, and default-allow-internal opens all traffic between instances), create custom networks tailored to your organization's needs, with only the regions, IP address ranges and firewall rules each workload actually requires. Delete the default network so it cannot be used by accident, and set the compute.skipDefaultNetworkCreation organization policy constraint so that new projects are not created with one in the first place.

Detection Policy: Here's a Cloud Custodian policy to identify projects where the default network is still present:

policies:
  - name: detect-default-network
    resource: gcp.vpc
    filters:
      - type: value
        key: name
        op: eq
        value: default

4. Isolate Bastion Hosts

Segregate bastion hosts into separate subnets or projects to limit their exposure and minimize the risk of unauthorized access to internal resources.

5. Use Identity-Aware Proxy (IAP) and OS Login for Bastion Hosts

Using Identity-Aware Proxy (IAP) TCP forwarding and OS Login for bastion hosts gives you a centrally managed authentication path for these critical servers. IAP provides context-aware access control and lets the bastion run without a public IP: SSH is tunnelled from Google's IAP range (35.235.240.0/20), so the only ingress rule needed for port 22 is one that allows that range. OS Login maps SSH access to IAM roles (roles/compute.osLogin and roles/compute.osAdminLogin) instead of per-instance SSH keys in metadata, and is switched on with the enable-oslogin=TRUE metadata key at project or instance level.
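The following check turns the three requirements above (OS Login on, no external IP, SSH reachable only from the IAP range) into a posture test. It is an added example, not code from the article: the instances, project metadata and firewall rules are constructed dicts shaped like a subset of the compute.instances.get and compute.firewalls.list responses, and the project and service account names are made up. It deliberately ignores higher-priority deny rules, which a full evaluator would have to take into account.

```python
"""Bastion posture check: OS Login on, no external IP, SSH reachable
only from the IAP TCP forwarding range (35.235.240.0/20).

Added example, not code from the article. Inputs are constructed dicts
shaped like a subset of compute.instances.get / compute.firewalls.list."""
import ipaddress

IAP_TCP_FORWARDING_RANGE = ipaddress.ip_network("35.235.240.0/20")

# Constructed sample data: project metadata without enable-oslogin,
# one hardened bastion and one legacy bastion that still has a public IP.
PROJECT_METADATA = {"items": [{"key": "serial-port-enable", "value": "FALSE"}]}

BASTION = {
    "name": "bastion-01",
    "tags": {"items": ["bastion"]},
    "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]},
    "serviceAccounts": [{"email": "bastion-sa@example-project.iam.gserviceaccount.com"}],
    "networkInterfaces": [{"network": "hub-vpc", "networkIP": "10.10.0.5"}],
}

LEGACY_BASTION = {
    "name": "bastion-legacy",
    "tags": {"items": ["bastion"]},
    "metadata": {"items": []},
    "serviceAccounts": [],
    "networkInterfaces": [{"network": "hub-vpc", "networkIP": "10.10.0.6",
                           "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.7"}]}],
}

FIREWALLS = [
    {"name": "allow-iap-ssh", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["35.235.240.0/20"], "targetTags": ["bastion"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["bastion"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-23"]}]},
    {"name": "allow-https-web", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
]


def _metadata_dict(metadata):
    return {i["key"]: i["value"] for i in (metadata or {}).get("items", [])}


def os_login_enabled(instance, project_metadata):
    """Instance metadata overrides project metadata; a missing key means off."""
    inst = _metadata_dict(instance.get("metadata"))
    proj = _metadata_dict(project_metadata)
    return inst.get("enable-oslogin", proj.get("enable-oslogin", "FALSE")).upper() == "TRUE"


def has_external_ip(instance):
    return any(nic.get("accessConfigs") for nic in instance.get("networkInterfaces", []))


def _rule_applies(rule, instance):
    """A rule with neither targetTags nor targetServiceAccounts applies to every VM."""
    tags, sas = set(rule.get("targetTags", [])), set(rule.get("targetServiceAccounts", []))
    if not tags and not sas:
        return True
    inst_tags = set(instance.get("tags", {}).get("items", []))
    inst_sas = {sa["email"] for sa in instance.get("serviceAccounts", [])}
    return bool(tags & inst_tags or sas & inst_sas)


def _opens_ssh(rule):
    """True if any allowed entry covers TCP port 22 ('22', '20-23' or no ports at all)."""
    for allowed in rule.get("allowed", []):
        if allowed.get("IPProtocol") not in ("tcp", "all"):
            continue
        ports = allowed.get("ports")
        if not ports:
            return True
        for spec in ports:
            lo, _, hi = spec.partition("-")
            if int(lo) <= 22 <= int(hi or lo):
                return True
    return False


def ssh_sources(firewalls, instance):
    """Source CIDRs from which some enabled ingress rule allows TCP/22 to the instance."""
    sources = set()
    for rule in firewalls:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if _rule_applies(rule, instance) and _opens_ssh(rule):
            sources.update(rule.get("sourceRanges", []))
    return sources


def check_bastion(instance, project_metadata, firewalls):
    """Return a list of findings; an empty list means the bastion matches items 4 and 5."""
    findings = []
    if not os_login_enabled(instance, project_metadata):
        findings.append("OS Login disabled")
    if has_external_ip(instance):
        findings.append("external IP attached")
    for cidr in ssh_sources(firewalls, instance):
        net = ipaddress.ip_network(cidr)
        if net.version != 4 or not net.subnet_of(IAP_TCP_FORWARDING_RANGE):
            findings.append(f"SSH allowed from {cidr} (not IAP range)")
    return findings


if __name__ == "__main__":
    for vm in (BASTION, LEGACY_BASTION):
        print(vm["name"], check_bastion(vm, PROJECT_METADATA, FIREWALLS) or "OK")
```

Run against real data by replacing the constructed dicts with the output of gcloud compute instances describe and gcloud compute firewall-rules list --format json. The hardened bastion still produces one finding, because the stale allow-ssh-anywhere rule also matches it: that is exactly the kind of rule this check is meant to surface.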

6. Enable VPC Service Controls

Use VPC Service Controls to define a service perimeter around Google Cloud resources such as Cloud Storage buckets, Bigtable instances and BigQuery datasets. API calls to those services that cross the perimeter boundary are rejected, which constrains data to the projects inside the perimeter and mitigates exfiltration (for example, a compromised VM copying a bucket into a bucket in an attacker-controlled project).

7. Enable Private Google Access

Enable Private Google Access on every subnet whose VMs need to reach Google APIs, so that instances without public IPs or Cloud NAT can still call Google Cloud services. Combine it with VPC Service Controls by pointing DNS for *.googleapis.com at the restricted VIP (restricted.googleapis.com, 199.36.153.4/30): that VIP only serves the APIs that support VPC Service Controls and refuses the others, which closes an exfiltration path through unsupported services.

Detection Policy: A Cloud Custodian policy to identify subnets with Private Google Access disabled:

policies:
  - name: detect-subnets-private-google-access-disabled
    resource: gcp.subnet
    filters:
      - type: value
        key: privateIpGoogleAccess
        op: eq
        value: false

8. Use Web Proxy for Internet Egress Traffic

To reduce the attack surface, give Compute Engine instances private IPs only and route their internet access through Secure Web Proxy. The proxy sits between workloads and the internet and enforces an egress policy by hostname and URL (rather than by IP address, which is all a VPC firewall rule can express), logs what was requested, applies company policies such as allowed-destination lists, and can improve performance through caching.

9. Use Static Reserved Public IPs

Public IP addresses often end up on third-party allow lists when you integrate with services across the internet. An ephemeral external IP is released when the instance is stopped or deleted and can later be assigned to another Google Cloud customer, who would then inherit whatever the third party allowed for that address. Reserve every external IP you rely on as a static address so that it stays with your project until you release it deliberately.

Detection Policy: the compute addresses API only returns reserved addresses, so an ephemeral IP never appears as an address resource and cannot be matched on addressType. Start instead from the instances that carry an external access config, then compare each NAT IP against the reserved address list:

policies:
  - name: detect-instances-with-external-ips
    resource: gcp.instance
    filters:
      - type: value
        key: networkInterfaces[].accessConfigs[].natIP
        value: not-null
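The comparison step, as an added example that is not part of the original article: given the reserved addresses and the instances of a project, it lists the external IPs that are not backed by a reservation and prints the gcloud command that promotes each one to a static address in place. The project, instance names and IP addresses are constructed.

```python
"""Find VM external addresses that are ephemeral rather than reserved.

Added example, not from the article. compute.addresses only lists reserved
addresses, so an external IP that appears on an instance accessConfig but
matches no Address resource is ephemeral. Inputs are constructed dicts
shaped like compute.addresses.aggregatedList / compute.instances.aggregatedList
items; project, names and IPs are made up."""

PROJECT = "https://www.googleapis.com/compute/v1/projects/example-project"

RESERVED_ADDRESSES = [
    {"name": "web-ingress-ip", "address": "203.0.113.10", "addressType": "EXTERNAL",
     "status": "IN_USE", "region": f"{PROJECT}/regions/europe-west1"},
    {"name": "db-internal-ip", "address": "10.10.0.50", "addressType": "INTERNAL",
     "status": "IN_USE", "region": f"{PROJECT}/regions/europe-west1"},
]

INSTANCES = [
    {"name": "web-01", "zone": f"{PROJECT}/zones/europe-west1-b",
     "networkInterfaces": [{"networkIP": "10.10.0.11",
                            "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}]},
    {"name": "batch-01", "zone": f"{PROJECT}/zones/europe-west1-c",
     "networkInterfaces": [{"networkIP": "10.10.0.12",
                            "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.99"}]}]},
    {"name": "db-01", "zone": f"{PROJECT}/zones/europe-west1-b",
     "networkInterfaces": [{"networkIP": "10.10.0.50"}]},  # private only
]


def reserved_external_ips(addresses):
    """Set of reserved EXTERNAL addresses, regardless of RESERVED/IN_USE status."""
    return {a["address"] for a in addresses if a.get("addressType") == "EXTERNAL"}


def instance_external_ips(instance):
    """Yield every NAT IP attached to the instance's access configs."""
    for nic in instance.get("networkInterfaces", []):
        for cfg in nic.get("accessConfigs", []):
            if cfg.get("natIP"):
                yield cfg["natIP"]


def region_of(instance):
    """Zone URL ends in e.g. europe-west1-b; the region drops the zone letter."""
    zone = instance["zone"].rsplit("/", 1)[-1]
    return zone.rsplit("-", 1)[0]


def find_ephemeral_ips(instances, addresses):
    """Sorted (instance, ip, region) triples for external IPs with no reservation."""
    reserved = reserved_external_ips(addresses)
    return sorted(
        (inst["name"], ip, region_of(inst))
        for inst in instances
        for ip in instance_external_ips(inst)
        if ip not in reserved
    )


def promote_command(name, ip, region):
    """gcloud command that reserves an in-use ephemeral IP as a static address;
    the --addresses flag promotes the existing IP without changing the instance."""
    return f"gcloud compute addresses create {name} --addresses {ip} --region {region}"


if __name__ == "__main__":
    for inst, ip, region in find_ephemeral_ips(INSTANCES, RESERVED_ADDRESSES):
        print(f"{inst}: {ip} is ephemeral")
        print("  remediate:", promote_command(f"{inst}-ip", ip, region))
```

With real data, feed it the JSON from gcloud compute addresses list --format json and gcloud compute instances list --format json. Note that the check is per project: an IP reserved in another project does not protect an instance here.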

10. Use Allow List for Internet Egress

Create a default deny firewall rule for all egress traffic to mitigate data exfiltration risks: direction EGRESS, destination 0.0.0.0/0, all protocols and ports, at a low priority such as 65534 (just above the implied allow-egress rule at 65535). Then add higher-priority (lower-numbered) allow rules for specific workloads that open only the destinations, protocols and ports they require, so nothing else can leave the network.

Detection Policy: Cloud Custodian policy for detecting a deny-all egress firewall rule (a network that produces no match has no default deny):

policies:
  - name: detect-deny-egress-firewall-rule
    resource: gcp.firewall
    filters:
      - type: value
        key: direction
        op: eq
        value: EGRESS
      - type: value
        key: destinationRanges
        op: contains
        value: 0.0.0.0/0
      - type: value
        key: denied[].IPProtocol
        op: intersect
        value: ["all"]

11. Use Service Account-Based Firewall Rules “when possible”

Implement service account based firewall rules to open ports for communication between Google Cloud resources on the Google Cloud network. This provides more granularity than CIDR-based firewall rules and reduces the risk of unauthorized access due to misconfigured firewall rules. However, for large organizations, managing a considerable number of these rules may become challenging, as the sheer volume can make it difficult to oversee effectively.
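Items 10 and 11 together describe a rule set whose effect depends on priority ordering and on how rules are targeted. The evaluator below, an added example rather than code from the article, applies GCP's rule semantics (lower priority number wins, deny beats allow at equal priority, implied allow-egress at 65535 when nothing matches) to a constructed rule set with a default deny and two exceptions, one scoped by service account. The rules, VM descriptions, project name and addresses are made up.

```python
"""Evaluate the effective egress decision for a VM under VPC firewall rules.

Added example, not from the article. Rules are constructed dicts shaped
like compute.firewalls.list items; a VM is described by its network tags
and service account. Semantics modelled: lower priority number wins, deny
beats allow at equal priority, implied allow-egress at priority 65535."""
import ipaddress

IMPLIED_ALLOW_EGRESS = {
    "name": "implied-allow-egress", "direction": "EGRESS", "priority": 65535,
    "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}],
}

RULES = [
    # Item 10: default deny at the lowest user priority, applying to every VM.
    {"name": "deny-all-egress", "direction": "EGRESS", "priority": 65534,
     "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
    # Item 11: an exception scoped to a service account rather than a CIDR of VMs.
    {"name": "allow-web-updates", "direction": "EGRESS", "priority": 1000,
     "destinationRanges": ["198.51.100.0/24"],
     "targetServiceAccounts": ["web@example-project.iam.gserviceaccount.com"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-internal-egress", "direction": "EGRESS", "priority": 1000,
     "destinationRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]},
]

WEB_VM = {"tags": [], "serviceAccount": "web@example-project.iam.gserviceaccount.com"}
DB_VM = {"tags": ["db"], "serviceAccount": "db@example-project.iam.gserviceaccount.com"}


def _port_matches(ports, port):
    """No ports listed means the whole protocol; entries look like '443' or '1024-65535'."""
    if not ports:
        return True
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _entry_matches(entry, proto, port):
    ip_proto = entry["IPProtocol"]
    return ip_proto == "all" or (ip_proto == proto and _port_matches(entry.get("ports"), port))


def _targets_vm(rule, vm):
    """Egress rules select the source VM by target tag or target service account."""
    tags, sas = rule.get("targetTags"), rule.get("targetServiceAccounts")
    if not tags and not sas:
        return True  # untargeted rule: every VM in the network
    return bool(set(tags or []) & set(vm["tags"])) or vm["serviceAccount"] in (sas or [])


def _destination_matches(rule, dest_ip):
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in rule.get("destinationRanges", []))


def evaluate_egress(rules, vm, dest_ip, proto, port):
    """Return (decision, rule_name) for one egress flow from vm."""
    candidates = [r for r in list(rules) + [IMPLIED_ALLOW_EGRESS]
                  if r.get("direction") == "EGRESS" and not r.get("disabled")
                  and _targets_vm(r, vm) and _destination_matches(r, dest_ip)]
    # Lowest priority number first; at equal priority deny (0) sorts before allow (1).
    candidates.sort(key=lambda r: (r.get("priority", 1000), 0 if "denied" in r else 1))
    for rule in candidates:
        if any(_entry_matches(e, proto, port) for e in rule.get("denied", [])):
            return "deny", rule["name"]
        if any(_entry_matches(e, proto, port) for e in rule.get("allowed", [])):
            return "allow", rule["name"]
    return "allow", IMPLIED_ALLOW_EGRESS["name"]  # not reached: the implied rule always matches


def has_default_deny_egress(rules):
    """True if an enabled, untargeted EGRESS rule denies all protocols to 0.0.0.0/0."""
    return any(
        r.get("direction") == "EGRESS" and not r.get("disabled")
        and not r.get("targetTags") and not r.get("targetServiceAccounts")
        and "0.0.0.0/0" in r.get("destinationRanges", [])
        and any(e["IPProtocol"] == "all" for e in r.get("denied", []))
        for r in rules
    )


if __name__ == "__main__":
    print(has_default_deny_egress(RULES))
    print(evaluate_egress(RULES, WEB_VM, "198.51.100.10", "tcp", 443))
    print(evaluate_egress(RULES, DB_VM, "198.51.100.10", "tcp", 443))
```

The same web VM is allowed to reach the update range on 443 and denied on 80; the database VM, which runs under a different service account, is denied on both. Removing the deny-all rule shows why item 10 matters: the implied rule then allows the database VM out to the same destination.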

12. Enable VPC Flow and Firewall Logs for Critical Workloads

For networks carrying sensitive data, enable VPC Flow Logs on the subnets and Firewall Rules Logging on the rules so that you can reconstruct what happened during an incident. Flow Logs record sampled flow records (source, destination, protocol, ports, bytes and packets) for traffic to and from VM interfaces; Firewall Rules Logging records which rule allowed or denied a connection. Both land in Cloud Logging, where they support forensics and near-real-time detection. Note that Flow Logs sample 50% of flows by default, so set the sampling rate to 1.0 on subnets where complete records matter.
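An audit of the subnet and firewall settings from items 7 and 12, as an added example that is not part of the original article: it reports subnets without Private Google Access, subnets whose Flow Logs are off or sampled below 100%, and firewall rules without logging. The subnets and rules are constructed dicts shaped like compute.subnetworks.list and compute.firewalls.list items.

```python
"""Audit subnets for Private Google Access and VPC Flow Logs, and firewall
rules for Firewall Rules Logging.

Added example, not from the article. Inputs are constructed dicts shaped
like compute.subnetworks.list / compute.firewalls.list items. Flow Logs
default to a 0.5 sampling rate, so 'enabled but sampled' is its own state."""

SUBNETS = [
    {"name": "prod-app", "region": "europe-west1", "ipCidrRange": "10.10.0.0/20",
     "privateIpGoogleAccess": True,
     "logConfig": {"enable": True, "flowSampling": 1.0,
                   "aggregationInterval": "INTERVAL_5_SEC", "metadata": "INCLUDE_ALL_METADATA"}},
    {"name": "prod-data", "region": "europe-west1", "ipCidrRange": "10.10.16.0/20",
     "privateIpGoogleAccess": False,
     "logConfig": {"enable": True, "flowSampling": 0.5, "aggregationInterval": "INTERVAL_5_SEC"}},
    {"name": "dev-app", "region": "europe-west1", "ipCidrRange": "10.20.0.0/20",
     "privateIpGoogleAccess": True},  # no logConfig at all: Flow Logs off
]

FIREWALLS = [
    {"name": "allow-iap-ssh", "direction": "INGRESS", "logConfig": {"enable": True}},
    {"name": "deny-all-egress", "direction": "EGRESS", "logConfig": {"enable": False}},
    {"name": "allow-internal", "direction": "INGRESS"},  # logConfig absent: logging off
]


def subnets_without_pga(subnets):
    """Names of subnets where Private Google Access is off (the API omits the
    field when it is false, so a missing key counts as disabled)."""
    return sorted(s["name"] for s in subnets if not s.get("privateIpGoogleAccess", False))


def flow_log_state(subnet):
    """'off', 'sampled' (enabled but flowSampling < 1.0) or 'full'."""
    cfg = subnet.get("logConfig") or {}
    if not cfg.get("enable", False):
        return "off"
    return "full" if cfg.get("flowSampling", 0.5) >= 1.0 else "sampled"


def subnets_without_full_flow_logs(subnets):
    """(name, state) pairs for every subnet not logging 100% of flows."""
    return sorted((s["name"], flow_log_state(s)) for s in subnets if flow_log_state(s) != "full")


def firewalls_without_logging(firewalls):
    return sorted(f["name"] for f in firewalls
                  if not (f.get("logConfig") or {}).get("enable", False))


def audit(subnets, firewalls):
    return {
        "subnets_without_pga": subnets_without_pga(subnets),
        "subnets_without_full_flow_logs": subnets_without_full_flow_logs(subnets),
        "firewalls_without_logging": firewalls_without_logging(firewalls),
    }


if __name__ == "__main__":
    for key, value in audit(SUBNETS, FIREWALLS).items():
        print(f"{key}: {value}")
```

For the deny-all egress rule in particular, logging is what turns a blocked exfiltration attempt into an alert; a deny rule without logging silently drops the evidence.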

13. Global Load Balancer and Cloud Armor for DDoS Mitigation

Put internet-facing applications behind the global external HTTPS Load Balancer, whose anycast frontend absorbs Layer 3 and Layer 4 (L3/L4) volumetric DDoS attacks at Google's edge before they reach your backends. Attach Google Cloud Armor security policies to the backend services to rate-limit and filter Layer 7 (L7) attacks, using the preconfigured WAF rules for SQL injection, cross-site scripting (XSS) and similar application-layer attacks.

14. Use Strict SSL Policies for Load Balancer

Attach a strict SSL policy to your load balancers' HTTPS and SSL proxies. A proxy without an explicit SSL policy uses the default one, which is the COMPATIBLE profile with a TLS 1.0 minimum and therefore accepts clients with out-of-date TLS features. Use the RESTRICTED profile (or MODERN where a wider client base is needed) with TLS 1.2 as the minimum version, and review the cipher list explicitly if you need a CUSTOM profile.
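The following audit applies that rule to the SSL policies and target HTTPS proxies of a project; it is an added example, not code from the article. It treats a proxy with no sslPolicy as using the default (COMPATIBLE, TLS 1.0) and prints the gcloud commands that create a strict policy and attach it. The project, policy and proxy names are constructed.

```python
"""Flag HTTPS load balancer frontends whose SSL policy is too permissive.

Added example, not from the article. Inputs are constructed dicts shaped
like compute.sslPolicies.list and compute.targetHttpsProxies.list items.
A proxy without an sslPolicy uses the default policy: COMPATIBLE profile,
TLS 1.0 minimum."""

TLS_ORDER = {"TLS_1_0": 0, "TLS_1_1": 1, "TLS_1_2": 2}
WEAK_PROFILES = {"COMPATIBLE"}
DEFAULT_POLICY = {"name": "(default)", "profile": "COMPATIBLE", "minTlsVersion": "TLS_1_0"}

BASE = "https://www.googleapis.com/compute/v1/projects/example-project/global/sslPolicies/"

# Constructed sample data, keyed by selfLink as target proxies reference them.
SSL_POLICIES = {
    BASE + "strict-tls": {"name": "strict-tls", "profile": "RESTRICTED", "minTlsVersion": "TLS_1_2"},
    BASE + "legacy-tls": {"name": "legacy-tls", "profile": "COMPATIBLE", "minTlsVersion": "TLS_1_0"},
    BASE + "modern-tls11": {"name": "modern-tls11", "profile": "MODERN", "minTlsVersion": "TLS_1_1"},
}

PROXIES = [
    {"name": "web-proxy", "sslPolicy": BASE + "strict-tls"},
    {"name": "api-proxy", "sslPolicy": BASE + "legacy-tls"},
    {"name": "admin-proxy"},  # no sslPolicy: falls back to the default policy
    {"name": "partner-proxy", "sslPolicy": BASE + "modern-tls11"},
]


def policy_findings(policy):
    """Reasons a policy fails the 'strict' bar; empty list means it passes."""
    findings = []
    if policy.get("profile") in WEAK_PROFILES:
        findings.append(f"profile {policy['profile']} allows legacy ciphers")
    min_tls = policy.get("minTlsVersion", "TLS_1_0")
    if TLS_ORDER.get(min_tls, 0) < TLS_ORDER["TLS_1_2"]:
        findings.append(f"minTlsVersion {min_tls} below TLS_1_2")
    return findings


def audit_proxies(proxies, policies):
    """Map proxy name -> (policy name, findings) for every non-compliant proxy."""
    results = {}
    for proxy in proxies:
        link = proxy.get("sslPolicy")
        policy = DEFAULT_POLICY if link is None else policies[link]
        findings = policy_findings(policy)
        if findings:
            results[proxy["name"]] = (policy["name"], findings)
    return results


def remediation_commands(proxy_name, policy_name="strict-tls"):
    """gcloud commands to create a RESTRICTED/TLS 1.2 policy and attach it to the proxy."""
    return [
        f"gcloud compute ssl-policies create {policy_name} --profile RESTRICTED --min-tls-version 1.2",
        f"gcloud compute target-https-proxies update {proxy_name} --ssl-policy {policy_name}",
    ]


if __name__ == "__main__":
    for proxy, (policy, findings) in audit_proxies(PROXIES, SSL_POLICIES).items():
        print(f"{proxy} ({policy}): {'; '.join(findings)}")
        for cmd in remediation_commands(proxy):
            print("  ", cmd)
```

Only web-proxy passes. The admin-proxy case is the one most often missed in reviews: nothing looks misconfigured because no policy is set at all, yet it is the weakest of the four.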

Conclusion

By understanding and implementing these network security best practices and recommendations in your GCP infrastructure, you can significantly reduce the attack surface and protect your resources from potential threats. Remember that network security is just one aspect of a comprehensive GCP security strategy, and it is essential to maintain a holistic approach to secure your infrastructure effectively. Stay tuned for the upcoming articles in this series, where we will discuss other critical aspects of GCP security.


Originally published at https://hassene.belgacem.io .
