Check for Legacy Networks

Risk Level: Medium (should be achieved)

Rule ID: CloudVPC-005

Ensure that your Google Cloud Platform (GCP) projects are not using legacy networks as this type of network is no longer recommended for production environments because it does not support advanced networking features. Instead, it is strongly recommended to use Virtual Private Cloud (VPC) networks for existing and future GCP projects.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Reliability

Performance
efficiency

Google Cloud legacy networks have a single global IPv4 range which cannot be divided into subnets, and a single gateway IP address for the whole network. Legacy networks do not support several Google Cloud networking features such as subnets, alias IP ranges, multiple network interfaces, Cloud NAT (Network Address Translation), Virtual Private Cloud (VPC) Peering, and private access options for GCP services. Legacy networks are not recommended for high network traffic projects and are subject to a single point of contention or failure.

Audit

To determine if legacy networks are being used within your Google Cloud Platform (GCP) projects, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to VPC Network dashboard at https://console.cloud.google.com/networking.

04 In the navigation panel, select VPC networks to access the list of networks created for the selected project.

05 On the VPC networks page, check the Mode column for networks with the subnet mode set to Legacy. If one or more networks are set to Legacy mode, there are legacy networks being used within the selected Google Cloud Platform (GCP) project.

06 Repeat steps no. 2 – 5 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the projects available in your Google Cloud account:

gcloud projects list
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-project5-stack-123456
cc-production-app-123123

03 Run compute networks list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name and the subnet mode of each network available within the selected project:

gcloud compute networks list
  --project cc-production-app-123123
  --format="table(name)"

04 The command output should return the name(s) of the VPC network(s) created for the selected project:

NAME                    SUBNET_MODE
cc-web-stack-network    LEGACY
cc-custom-vpc-network   CUSTOM

If the compute networks list command output lists LEGACY as the SUBNET_MODE attribute value, as shown in the example above, the cloud legacy network is being used within the selected Google Cloud Platform (GCP) project.

05 Repeat step no. 3 and 4 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To convert a legacy network into a Virtual Private Cloud (VPC) network is not currently supported. To rebuild your network configuration within a custom Virtual Private Cloud (VPC) and remove the legacy network from your GCP project, create a new VPC network and migrate your cloud applications to it. To get started with the VPC network setup, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to VPC Network dashboard at https://console.cloud.google.com/networking.

04 In the navigation panel, select VPC networks to access the list of networks available for the selected project.

05 On the VPC networks page, click on the CREATE VPC NETWORK button from the dashboard top menu to initiate the VPC setup process.

06 On the Create a VPC network setup page, perform the following:

In the Name box, enter a name for your new VPC network.
(Optional) Provide a short description for the new network in the Description text box.
Under Subnets, choose Custom to manually define the VPC network subnets. The custom mode network type provides you with complete control over its subnets and IPv4 address ranges. You decide which subnets to create within Google Cloud regions that you choose by using IPv4 ranges that you specify.
In the New subnet section, provide the following configuration parameters:
- Provide a name for the new subnet in the Name box.
- Select the GCP region where you want to deploy your subnet, from the Region dropdown list.
- In the IP address range box, enter the IPv4 range for this subnet, in CIDR notation. You can use a standard private VPC network address range such as 10.0.0.0/16. This is the primary IPv4 range for this subnet.
- (Optional) To define a secondary IPv4 range for this subnet, click Create secondary IP range and provide the secondary IP range (CIDR notation) and a name for the secondary subnet range.
- For Private Google access configuration option, set whether VM instances created in this subnet can access Google Cloud services without assigning external IP addresses.
- For the Flow logs option, choose whether to enable the VPC Flow Logs feature at subnet creation or enable it later by editing the VPC subnet configuration.
- Click Done to create the custom subnet.
To create one or more VPC subnets, click on the Add subnet button and repeat step D.
For Dynamic routing mode, choose whether to use Regional or Global dynamic routing for your new VPC network. The Regional dynamic routing mode (default) uses Cloud Routers to learn routes only in the region in which they were created. If you are using an internal load balancer with a dedicated interconnect or a VPN on this network, use the Regional dynamic routing. The Global dynamic routing mode lets you dynamically learn routes to and from all GCP regions with a single VPN or dedicated interconnect, and a Cloud Router.
(Optional) Select an existing DNS server policy from the DNS server policy dropdown list or choose to create a new one. You can have only one DNS server policy for each VPC network within your Google account. The DNS server policy can specify inbound forwarding, outbound forwarding, or both.
Click Create to deploy your new Virtual Private Cloud (VPC) network.

07 Once the new VPC network is created, access the network configuration settings page, select Firewall rules tab and use the Add firewall rule button to create firewall rules that allow or deny traffic between the resources inside the network, such as communication between VM instances and database servers. You can also use network firewall rules to control what traffic leaves or enters the VPC network to and from the Internet.

08 Now it's time to migrate your cloud applications from the legacy network to the newly created Virtual Private Cloud (VPC) network.

09 Once your applications are migrated to the new Virtual Private Cloud (VPC) and the legacy network is not in use anymore, follow the security best practices and remove it from your GCP project. Before you can delete a legacy network, make sure that the network is not used by any GCP resources. On the VPC networks page, click on the name of the legacy network to access the resource configuration settings.

10 On the selected network configuration page, click DELETE VPC NETWORK to remove the legacy network from the selected GCP project. Inside Delete a network confirmation box, choose DELETE to confirm the removal action.

11 Repeat steps no. 2 – 10 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run compute networks create command (Windows/macOS/Linux) to create a new, custom Virtual Private Cloud (VPC) network within the GCP project referenced as value for the --project parameter:

gcloud compute networks create cc-new-vpc-network
  --project cc-project5-stack-123456
  --subnet-mode=custom
  --bgp-routing-mode=regional

02 The command output should return the configuration metadata available for the newly created VPC network:

Created [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123456/global/networks/cc-new-vpc-network].

NAME                  SUBNET_MODE   BGP_ROUTING_MODE    IPV4_RANGE    GATEWAY_IPV4
cc-new-vpc-network    CUSTOM        REGIONAL

Instances on this network will not be reachable until firewall rules are created. As an example, you can allow all
internal traffic between instances as well as SSH, RDP, and ICMP by running:
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network cc-new-vpc-network --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network cc-new-vpc-network --allow tcp:22,tcp:3389,icmp

03 Run compute networks subnets create command (Windows/macOS/Linux) to create a custom subnet into the VPC network created at the previous steps. The following command example creates a VPC network subnet named "cc-us-west1-subnet", in the Oregon, US (us-west1) region with the primary IP address range set to 10.0.0.0/24. Use the compute networks subnets create command to create as many VPC subnets as you need:

gcloud compute networks subnets create cc-us-west1-subnet
  --network=cc-new-vpc-network
  --range=10.0.0.0/24
  --region=us-west1

04 The command output should return the VPC subnet configuration metadata:

Created
[https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123456/regions/europe-west2/subnetworks/cc-us-west1-subnet].

NAME                  REGION      NETWORK               RANGE
cc-us-west1-subnet    us-west1    cc-new-vpc-network    10.0.0.0/24

05 Run compute firewall-rules create command (Windows/macOS/Linux) to create the necessary firewall rules for your new Virtual Private Cloud (VPC) network. Firewall rules control incoming and/or outgoing traffic to GCP resources such as VM instances. The following command example creates a firewall rule that allows inbound traffic to all the virtual machines (VMs) within the VPC network through TCP port 80 (HTTP) and TCP port 443 (HTTPS):

gcloud compute firewall-rules create allow-http-https-traffic
  --network cc-new-vpc-network
  --allow tcp:80,tcp:443
  --direction ingress
  --source-ranges 0.0.0.0/0
  --enable-logging

06 The command output should return the VPC firewall rule configuration metadata:

Created [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123456/global/firewalls/allow-https-traffic].

NAME                        NETWORK               DIRECTION   PRIORITY   ALLOW   DENY      DISABLED
allow-http-https-traffic    cc-new-vpc-network    INGRESS     1000       tcp:80,tcp:443    False

07 Now it's time to migrate your cloud applications from the legacy network to the newly created Virtual Private Cloud (VPC) network.

08 Once your applications are migrated to the new Virtual Private Cloud (VPC) and the legacy network is not in use anymore, it is safe remove it from your GCP project. Before you can delete a legacy network, make sure that the network is not used by any GCP resources. For example, run compute firewall-rules delete command (Windows/macOS/Linux) to delete a firewall rule named "allow-ssh-traffic" from the legacy network firewall:

gcloud compute firewall-rules delete allow-ssh-traffic

09 The compute firewall-rules delete command request should ask you for confirmation. Type Y to confirm the deletion. Once removed, the command output should return the ID of the deleted rule:

The following firewalls will be deleted:
  - [allow-ssh-traffic]
Do you want to continue (Y/n)? Y
Deleted [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123456/global/firewalls/allow-ssh-traffic].

10 Run compute networks delete command (Windows/macOS/Linux) to remove the specified legacy network from the selected GCP project:

gcloud compute networks delete cc-web-stack-network

11 The compute networks delete command request should ask you for confirmation. Type Y to confirm the removal action. Once the resource is deleted, the command output should return the ID of the removed network:

The following networks will be deleted:
  - [cc-web-stack-network]
Do you want to continue (Y/n)? Y

Deleted [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123456/global/networks/cc-web-stack-network].

12 Repeat steps no. 1 – 11 for each GCP project available within your Google Cloud account.

References

Google Cloud Platform (GCP) Documentation
VPC overview
VPC network overview
Using VPC networks
Legacy networks
Using legacy networks
Cloud Router documentation
Apply Cloud DNS server policies
Firewall Rules Logging overview

GCP Command Line Interface (CLI) Documentation
gcloud projects list
gcloud compute networks list
gcloud compute networks create
gcloud compute networks subnets create
gcloud compute firewall-rules create
gcloud compute firewall-rules delete
gcloud compute networks delete

Publication date May 5, 2021

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related CloudVPC rules