Virtual Private Cloud (VPC)

Network access

To protect resources inside a VPC, Google supports VPC firewall rules – a stateful mechanism for controlling access to resources. You configure inbound (ingress) and outbound (egress) rules, and for each rule you specify an action of either allow or deny.

Best practices

  • Create subnets according to the resource function (for example, public subnets for web servers, private subnets for database servers, and so on).

  • For remote access protocols (SSH/RDP), limit the source IP address (or CIDR) to well-known sources.

  • For file sharing protocols (CIFS/SMB/FTP), limit the source IP address (or CIDR) to well-known sources.

  • Use VPC firewall rules to control access between public resources (such as load balancers or publicly facing web servers) and private resources (such as databases) and limit the access to the minimum required ports/protocols.

  • Set names and descriptions for VPC firewall rules to allow a better understanding of any firewall rule’s purpose.

  • Use tagging (also known as labeling) for VPC firewall rules to allow a better understanding of which VPC firewall rule belongs to which VPC resources.

  • Use network tags to apply rules to groups of resources (such as a group of Compute Engine instances) instead of using IP addresses.

  • To allow outbound access from internal resources inside private subnets to destinations on the internet, use a Cloud NAT gateway.

  • For large-scale environments with multiple Google Cloud VPC projects, use VPC Service Controls to enforce access restrictions over your VPC resources, based on the caller's identity and source IP address.
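The following checker, an added example that is not part of the original text, audits exported firewall rules against the practices above (remote-access and file-sharing ports open to broad source ranges, rules with no target tags, rules with no description) and against the Firewall Rules Logging recommendation from the Monitoring section. It reads the JSON shape produced by `gcloud compute firewall-rules list --format=json`; the three rules embedded below are constructed sample data, and the /24 threshold for a "broad" source range is an assumption you should tune.

```python
import ipaddress
import json

# Ports the text singles out: remote access (SSH/RDP) and file sharing (CIFS/SMB/FTP).
SENSITIVE_TCP_PORTS = {22: "SSH", 3389: "RDP", 445: "SMB/CIFS", 139: "NetBIOS/CIFS", 21: "FTP"}

def port_in_spec(port, spec):
    """True if `port` falls inside a port spec such as '22' or '1-65535'."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def exposed_sensitive_ports(rule):
    """Names of sensitive TCP ports that this allow rule opens (empty if none)."""
    found = []
    for entry in rule.get("allowed", []):
        proto = entry.get("IPProtocol", "").lower()
        if proto not in ("tcp", "all"):
            continue
        specs = entry.get("ports") or ["1-65535"]  # no port list means the whole protocol
        found += [n for p, n in SENSITIVE_TCP_PORTS.items() if any(port_in_spec(p, s) for s in specs)]
    return found

def audit_rule(rule, max_prefix=24):
    """Findings for one firewall rule; max_prefix (assumption) is the widest
    IPv4 source prefix tolerated for sensitive ports."""
    findings = []
    if rule.get("disabled"):
        return findings
    if rule.get("direction", "INGRESS") == "INGRESS" and "allowed" in rule:
        ports = exposed_sensitive_ports(rule)
        wide = [r for r in rule.get("sourceRanges", [])
                if ipaddress.ip_network(r, strict=False).prefixlen < max_prefix]
        if ports and wide:
            findings.append(f"{', '.join(ports)} reachable from broad source range(s) {wide}")
        if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
            findings.append("applies to every instance in the network (no target tags)")
    if not rule.get("description"):
        findings.append("missing description")
    if not rule.get("logConfig", {}).get("enable"):
        findings.append("Firewall Rules Logging disabled")
    return findings

def audit(rules_json):
    """Map rule name -> findings, for rules that have at least one finding."""
    result = {}
    for rule in json.loads(rules_json):
        findings = audit_rule(rule)
        if findings:
            result[rule["name"]] = findings
    return result

SAMPLE_RULES = json.dumps([  # constructed sample, not real gcloud output
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "logConfig": {"enable": False}},
    {"name": "allow-ssh-bastion", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/28"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["bastion"],
     "description": "SSH from corporate VPN egress", "logConfig": {"enable": True}},
    {"name": "web-to-db", "direction": "INGRESS", "sourceTags": ["web"], "targetTags": ["db"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}], "description": "web tier to Postgres",
     "logConfig": {"enable": True}},
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(name, "->", "; ".join(findings))
```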

Monitoring

Google allows for monitoring Google Cloud VPC using Google Cloud Logging and VPC Flow Logs.

Best practices

  • Enable VPC audit logs to monitor your VPC components’ activity and the traffic between your VPC resources.

  • Note that admin activity audit logs are enabled by default and cannot be disabled.

  • Explicitly enable data access audit logs to log activities in your Google Cloud VPC.

  • Limit access to audit logs to the minimum number of employees (to avoid unwanted changes to the audit logs).

  • Enable Firewall Rules Logging to audit the functionality of your VPC firewall rules.

  • Enable VPC Flow Logs to log and further analyze allowed and denied traffic activity.

  • If you need to troubleshoot network issues by capturing network traffic, use Packet Mirroring to copy live network traffic from a Compute Engine VM instance to an instance group behind an internal load balancer.

For large-scale production environments, enable VPC Flow Logs only for short periods of time, for troubleshooting purposes only (due to the high storage cost and large amounts of data generated by VPC Flow Logs).

For large-scale production environments, enable Packet Mirroring only for short periods of time, for troubleshooting purposes only (due to high performance impact on the target VM).