Without a VPC network you cannot create VM instances, containers or App Engine applications

Error: Default network exists in a project

Bridgecrew Policy ID: BC_GCP_NETWORKING_7
Checkov Check ID: CKV_GCP_27
Severity: MEDIUM

The default network has a pre-configured network configuration and automatically generates the following insecure firewall rules:

  • default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.
  • default-allow-ssh: Allows ingress connections on TCP port 22 (SSH) from any source to any instance in the network.
  • default-allow-rdp: Allows ingress connections on TCP port 3389 (RDP) from any source to any instance in the network.
  • default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.

These automatically created firewall rules do not get audit logged and cannot be configured to enable firewall rule logging. In addition, the default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses. As a result, it is not possible to use Cloud VPN or VPC Network Peering with the default network.

We recommend that a project not have a default network, so that nothing can rely on it. Based on organization security and networking requirements, the organization should create a new network and delete the default network.

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to VPC networks.
  3. Click the network named default.
  4. On the network detail page, click EDIT.
  5. Click DELETE VPC NETWORK.
  6. If needed, create a new network to replace the default network.

For each Google Cloud Platform project:

  1. Delete the default network:
    gcloud compute networks delete default
  2. If needed, create a new network to replace it:
    gcloud compute networks create <network name>

  • Resource: google_project
  • Argument: auto_create_network

resource "google_project" "my_project" {
  name                = "My Project"
  project_id          = "your-project-id"
  org_id              = "1234567"
  auto_create_network = false # added: do not create the auto-mode default network
}
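To verify the runtime fix above across a project, the following added example (not part of the Bridgecrew policy page or the Checkov check itself) audits the JSON that `gcloud compute networks list --format=json` and `gcloud compute firewall-rules list --format=json` produce. It flags the four auto-created rules described above and any other rule on the default network open to 0.0.0.0/0, and reports whether rule logging is enabled; the embedded sample records are constructed and the project name is a placeholder.

```python
import json

# Names of the four rules GCP auto-creates on the "default" network.
DEFAULT_RULES = {"default-allow-internal", "default-allow-ssh",
                 "default-allow-rdp", "default-allow-icmp"}

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`
# (field names follow the Compute API firewall resource; values are made up).
SAMPLE_RULES = json.loads("""[
 {"name": "default-allow-ssh", "direction": "INGRESS",
  "network": "https://www.googleapis.com/compute/v1/projects/p/global/networks/default",
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "default-allow-internal", "direction": "INGRESS",
  "network": "https://www.googleapis.com/compute/v1/projects/p/global/networks/default",
  "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
 {"name": "app-allow-https", "direction": "INGRESS",
  "network": "https://www.googleapis.com/compute/v1/projects/p/global/networks/prod-vpc",
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
  "logConfig": {"enable": true}}
]""")

def network_name(rule):
    """The network field is a selfLink URL; its last path segment is the network name."""
    return rule.get("network", "").rsplit("/", 1)[-1]

def open_to_internet(rule):
    return any(r in ("0.0.0.0/0", "::/0") for r in rule.get("sourceRanges", []))

def audit_firewall_rules(rules):
    """One finding per enabled ingress rule that is an auto-created default rule,
    or that sits on the default network and is open to any source."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        net = network_name(rule)
        if rule["name"] in DEFAULT_RULES or (net == "default" and open_to_internet(rule)):
            allowed = ["{}:{}".format(a["IPProtocol"], ",".join(a.get("ports", ["all"])))
                       for a in rule.get("allowed", [])]
            logging = "on" if rule.get("logConfig", {}).get("enable") else "off"
            findings.append("{} on {} allows {} from {} (logging {})".format(
                rule["name"], net, " ".join(allowed),
                ",".join(rule.get("sourceRanges", [])), logging))
    return findings

def has_default_network(networks):
    """True if `gcloud compute networks list --format=json` output still lists 'default'."""
    return any(n.get("name") == "default" for n in networks)

if __name__ == "__main__":
    for line in audit_firewall_rules(SAMPLE_RULES):
        print(line)
```

Pipe real `gcloud ... --format=json` output into `json.load` in place of the constructed sample; an empty finding list together with `has_default_network(...) == False` is the state this policy expects.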


Configuring authorization for Google Cloud Platform

Roles

Configuring GCP for OpenShift Container Platform requires the following GCP role:

roles/owner

Needed for creating service accounts, cloud storage, instances, images, templates, Cloud DNS entries, and to deploy load balancers and health checks.

Delete permissions might also be required if the user is expected to redeploy the environment during testing phases.

You can also create a service account to avoid using personal users when deploying GCP objects.

Scopes and service accounts

GCP uses scopes to determine whether an authenticated identity is authorized to perform operations within a resource. For example, application A with a read-only scope access token can only read, while application B with a read-write scope access token can read and modify data.

You can specify scopes using the --scopes=[SCOPE,…] option when creating instances, or you can use the --no-scopes option to create the instance without scopes if you don't want the instance accessing the GCP API.

By default, a newly created instance is automatically enabled to run as the default service account with the following access scopes:

  • https://www.googleapis.com/auth/devstorage.read_only

  • https://www.googleapis.com/auth/logging.write

  • https://www.googleapis.com/auth/monitoring.write

  • https://www.googleapis.com/auth/pubsub

  • https://www.googleapis.com/auth/service.management.readonly

  • https://www.googleapis.com/auth/servicecontrol

  • https://www.googleapis.com/auth/trace.append

  • https://www.googleapis.com/auth/bigquery

  • https://www.googleapis.com/auth/cloud-platform

  • https://www.googleapis.com/auth/compute.readonly

  • https://www.googleapis.com/auth/compute

  • https://www.googleapis.com/auth/datastore

  • https://www.googleapis.com/auth/logging.write

  • https://www.googleapis.com/auth/monitoring

  • https://www.googleapis.com/auth/monitoring.write

  • https://www.googleapis.com/auth/servicecontrol

  • https://www.googleapis.com/auth/service.management.readonly

  • https://www.googleapis.com/auth/sqlservice.admin

  • https://www.googleapis.com/auth/devstorage.full_control

  • https://www.googleapis.com/auth/devstorage.read_only

  • https://www.googleapis.com/auth/devstorage.read_write

  • https://www.googleapis.com/auth/taskqueue

  • https://www.googleapis.com/auth/userinfo.email

You can specify another service account with the --service-account=SERVICE_ACCOUNT option when creating the instance, or explicitly disable service accounts for the instance with the --no-service-account option of the gcloud CLI.

Google Compute Engine objects

Integrating OpenShift Container Platform with Google Compute Engine (GCE) requires the following components or services.

A GCP project

A GCP project is the base level organizing entity that forms the basis for creating, enabling, and using all GCP services. This includes managing APIs, enabling billing, adding and removing collaborators, and managing permissions.

Project IDs are unique identifiers, and project IDs must be unique across all of Google Cloud Engine. This means you cannot use myproject as a project ID if someone else has created a project with that ID before.

Billing

You cannot create new resources unless billing is attached to an account. The new project can be linked to an existing project or new information can be entered.

Cloud identity and access management

Deploying OpenShift Container Platform requires the proper permissions. A user must be able to create service accounts, cloud storage, instances, images, templates, Cloud DNS entries, and deploy load balancers and health checks. Delete permissions are also helpful in order to be able to redeploy the environment while testing.

You can create service accounts with specific permissions, then use them to deploy infrastructure components instead of regular users. You can also create roles to limit access to different users or service accounts.

GCP instances use service accounts to allow applications to call GCP APIs. For example, OpenShift Container Platform node hosts can call the GCP disk API to provide a persistent volume to an application.

SSH keys

GCP injects SSH public keys as authorized keys so you can log in using SSH in the created instances. You can configure the SSH keys per instance or per project.

You can use existing SSH keys. GCP metadata can help with storing the SSH keys that are injected at boot time in the instances to allow SSH access.

GCP regions and zones

GCP has a global infrastructure that covers regions and availability zones. While deploying OpenShift Container Platform in GCP across different zones can help avoid single points of failure, there are some caveats regarding storage.

GCP disks are created within a zone. Therefore, if an OpenShift Container Platform node host goes down in zone "A" and the pods move to zone "B", the persistent storage cannot be attached to those pods because the disks are in a different zone.

Choosing between a single-zone and a multizone OpenShift Container Platform environment is an important decision to make before installing OpenShift Container Platform. If deploying a multizone environment, the recommended setup is to use three different zones in a single region.

External IP address

So that GCP instances can communicate with the Internet, you must attach an external IP address to the instance. Also, an external IP address is required to communicate with instances deployed in GCP from outside the Virtual Private Cloud (VPC) Network.

Cloud DNS

GCP cloud DNS is a DNS service used to publish domain names to the global DNS using GCP DNS servers.

The public cloud DNS zone requires a domain name that you purchased either through Google’s "Domains" service or through a third-party provider. When you create the zone, you must add the name servers provided by Google to the registrar.

GCP VPC networks have an internal DNS service that automatically resolves internal host names.

The internal fully qualified domain name (FQDN) for an instance follows the [HOST_NAME].c.[PROJECT_ID].internal format.

Load balancing

The GCP load balancing service enables the distribution of traffic across multiple instances in the GCP cloud.

There are five types of Load Balancing:

  • Internal

  • Network load balancing

  • HTTP(S) load balancing

  • SSL Proxy load balancing

  • TCP Proxy load balancing

HTTPS and TCP Proxy load balancing are the only options that support HTTPS health checks for master nodes, which check the status of /healthz.

Because HTTPS load balancing requires a custom certificate, this implementation uses TCP Proxy load balancing to simplify the process.

Instance sizes

A successful OpenShift Container Platform environment has the following minimum hardware requirements:

Table 1. Instance sizes

  Role     Size
  Master   n1-standard-8
  Node     n1-standard-4

Storage Options

By default, each GCP instance has a small root persistent disk that contains the operating system. When applications running on the instance require more storage space, you can add additional storage options to the instance:

  • Standard persistent disks

  • SSD persistent disks

  • Local SSDs

  • Cloud storage buckets

Can we create virtual machines without creating virtual networks?

A VNet is used to provide the VM with DHCP and Security Group services. A VM would be unable to obtain an IP address without it. In the same manner that a V1 VM could not be created without a cloud service, an Azure VM cannot be created without a VNet.

Which of the following is not a service provided by VPC network?

VPC networks do not support broadcast or multicast addresses within the network. For more information about IPv6 subnet ranges, see Subnets.

Which of the following is supported by VPC networks?

VPN connections are a connectivity option for a VPC. All the mentioned connection types support certain kinds of VPN connections, such as software VPN, AWS Managed VPN, etc.
