Ensure that the VPC networks that are allowed to be peered with the networks created for your project, folder, or organization, are defined using the "Restrict VPC Peering Usage" constraint policy. This constraint helps you achieve regulatory compliance by explicitly defining the resource name of each Virtual Private Cloud (VPC) network allowed for VPC peering, i.e. projects/<project-id>/global/networks/<vpc-network-name>. You can also define the list of allowed networks using the following format: under:organizations/<organization-id>, under:folders/<folder-id>, under:projects/<project-id>. The list of allowed networks must be configured in the conformity rule settings, on the Trend Micro Cloud One™ – Conformity account console.
VPC network peering allows private connectivity across two Virtual Private Cloud (VPC) networks regardless of whether they belong to the same Google Cloud project, folder, or organization. VPC peering enables you to peer VPC networks so that workloads in different networks can communicate in private RFC 1918 space. By default, anyone with the right set of permissions can peer your VPC network with any other network within your organization and this can pose a major security risk if the process is not managed correctly (e.g. when peering development and production networks) or if someone peers your VPC network with a malicious entity. With "Restrict VPC Peering Usage" constraint policy, you have the ability to define the VPC networks that are allowed to be peered with other networks within your project, folder, or organization, in order to enhance access security and comply with internal regulations.
Note: To avoid breaking existing cloud infrastructure, you should test this constraint policy on non-production projects and folders within your organization. For example, when not used properly, this constraint can prevent the creation of a GKE private cluster when there is no existing VPC network peering connection to the GKE master`s VPC network.
To determine if VPC peering restriction is enabled within your GCP organizations, perform the following actions:
Remediation / Resolution
To implement Virtual Private Cloud (VPC) peering restriction at the GCP organization level, enable and configure the "Restrict VPC Peering Usage" policy by performing the following actions:
- Google Cloud Platform (GCP) Documentation
- Resource Manager
- Organization policy constraints
- Creating and managing organization policies
- GCP Command Line Interface (CLI) Documentation
- gcloud organizations list
- gcloud alpha resource-manager org-policies describe
- gcloud beta resource-manager org-policies set-policy
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
You are auditing:
Restrict VPC Peering Usage
Risk level: Medium