GCP - VPC & Networking
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
VPCs contain firewall rules that decide which traffic may reach the resources inside the VPC, and subnetworks to which the virtual machines are attached. Compared with AWS, VPC firewall rules are the closest thing to Security Groups and NACLs, but they are defined on the VPC (the network) rather than on each instance.
Compute Instances are connected to subnetworks, which are part of VPCs (Virtual Private Clouds). In GCP there are no security groups: there are VPC firewall rules, defined at the network level but enforced on each VM instance.
A VPC network is a global resource and can have several subnetworks; each subnetwork belongs to exactly one region.
Every VPC network also has two implied firewall rules at the lowest priority (65535): allow all egress and deny all ingress. They cannot be deleted, only overridden by higher-priority rules, so anything not explicitly allowed inbound is dropped.
When a GCP project is created, a VPC called default is also created, with the following firewall rules:
default-allow-internal: allow all tcp, udp and icmp traffic from other instances on the default network (source range 10.128.0.0/9, the default network's subnet ranges)
default-allow-ssh: allow tcp/22 from everywhere (0.0.0.0/0)
default-allow-rdp: allow tcp/3389 from everywhere (0.0.0.0/0)
default-allow-icmp: allow ICMP (ping) from everywhere (0.0.0.0/0)
As you can see, firewall rules tend to be more permissive for internal IP addresses: the default VPC permits all traffic between Compute Instances, so a foothold on one VM in the default network can reach every port of every other VM in it.
More firewall rules can be created for the default VPC or for new VPCs. Each rule is applied to instances through one of the following target types:
All instances within a VPC
Instances carrying a given network tag
Instances running as a given service account
Unfortunately, there isn't a simple gcloud command to spit out all Compute Instances with open ports on the internet. You have to connect the dots between firewall rules, network tags, service accounts, and instances.
This process was automated using this python script, which exports the following:
A CSV file showing instance, public IP, allowed TCP, allowed UDP
An nmap scan targeting all instances on the ports where ingress is allowed from the public internet (0.0.0.0/0)
A masscan of the full TCP range of those instances that allow ALL TCP ports from the public internet (0.0.0.0/0)
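The "connect the dots" join described above, written out as an added example. This is not the script the page refers to and not HackTricks' code. It takes the JSON that `gcloud compute firewall-rules list --format=json` and `gcloud compute instances list --format=json` produce and, for every VM with a public IP, decides per TCP port whether an ingress rule with source 0.0.0.0/0 lets it through, honouring rule priority, deny rules, disabled rules and the three target types (all instances, network tag, service account). The rule set, instance list, project name `example-proj` and IP addresses are constructed for the example.

```python
import json
import sys

# Constructed sample data shaped like the output of
#   gcloud compute firewall-rules list --format=json
#   gcloud compute instances list --format=json
# trimmed to the fields the join needs. Names, IPs and project are made up.
NET = "projects/example-proj/global/networks/default"
FIREWALL_RULES = [
    {"name": "default-allow-ssh", "network": NET, "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-internal", "network": NET, "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["10.128.0.0/9"],  # internal only: never counts as internet exposure
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                 {"IPProtocol": "udp", "ports": ["0-65535"]}, {"IPProtocol": "icmp"}]},
    {"name": "allow-web", "network": NET, "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "deny-ssh-prod", "network": NET, "direction": "INGRESS", "priority": 900,
     "sourceRanges": ["0.0.0.0/0"],
     "targetServiceAccounts": ["prod-sa@example-proj.iam.gserviceaccount.com"],
     "denied": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "legacy-allow-all", "network": NET, "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["legacy"], "disabled": True,
     "allowed": [{"IPProtocol": "tcp"}]},  # no "ports" key = every tcp port
    {"name": "allow-app-range", "network": NET, "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["app"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8000-8100"]}]},
]
INSTANCES = [
    {"name": "web-1", "tags": {"items": ["web"]},
     "serviceAccounts": [{"email": "123-compute@developer.gserviceaccount.com"}],
     "networkInterfaces": [{"network": NET, "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
    {"name": "prod-api", "tags": {"items": ["app"]},
     "serviceAccounts": [{"email": "prod-sa@example-proj.iam.gserviceaccount.com"}],
     "networkInterfaces": [{"network": NET, "accessConfigs": [{"natIP": "203.0.113.11"}]}]},
    {"name": "db-1", "tags": {"items": ["db"]},  # no natIP: not reachable from the internet
     "serviceAccounts": [{"email": "123-compute@developer.gserviceaccount.com"}],
     "networkInterfaces": [{"network": NET}]},
    {"name": "legacy-1", "tags": {"items": ["legacy"]},  # its allow-all rule is disabled
     "serviceAccounts": [{"email": "123-compute@developer.gserviceaccount.com"}],
     "networkInterfaces": [{"network": NET, "accessConfigs": [{"natIP": "203.0.113.12"}]}]},
]


def _network_name(url):
    return url.rsplit("/", 1)[-1]


def _covers_port(entry, port):
    """True if an allowed/denied entry covers TCP `port`; no 'ports' key means all ports."""
    if entry.get("IPProtocol") not in ("tcp", "all"):
        return False
    specs = entry.get("ports")
    if not specs:
        return True
    for spec in specs:  # "22" or "8000-8100"
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_targets_instance(rule, inst):
    """Does an enabled INGRESS rule on the VM's network apply to this VM?
    No targetTags/targetServiceAccounts = all instances in the network."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    nic = inst["networkInterfaces"][0]
    if _network_name(rule["network"]) != _network_name(nic["network"]):
        return False
    tags = set(rule.get("targetTags", []))
    sas = set(rule.get("targetServiceAccounts", []))
    if not tags and not sas:
        return True
    inst_tags = set(inst.get("tags", {}).get("items", []))
    inst_sas = {sa["email"] for sa in inst.get("serviceAccounts", [])}
    return bool(tags & inst_tags) or bool(sas & inst_sas)


def tcp_port_open_from_internet(inst, port, rules):
    """Walk rules in evaluation order (lower priority number first, deny before
    allow on ties); the first match decides. Only rules sourced from 0.0.0.0/0
    count as 'internet'. No match at all = the implied deny-ingress rule."""
    ordered = sorted(rules, key=lambda r: (r.get("priority", 1000), "denied" not in r))
    for rule in ordered:
        if "0.0.0.0/0" not in rule.get("sourceRanges", []) or not rule_targets_instance(rule, inst):
            continue
        if any(_covers_port(e, port) for e in rule.get("denied", [])):
            return False
        if any(_covers_port(e, port) for e in rule.get("allowed", [])):
            return True
    return False


def public_ip(inst):
    for nic in inst.get("networkInterfaces", []):
        for ac in nic.get("accessConfigs", []):
            if ac.get("natIP"):
                return ac["natIP"]
    return None


def exposure_report(rules, instances, probe_ports):
    """Map instance name -> {'ip', 'open_tcp'} for every VM that has a public IP."""
    report = {}
    for inst in instances:
        ip = public_ip(inst)
        if not ip:
            continue
        open_ports = [p for p in probe_ports if tcp_port_open_from_internet(inst, p, rules)]
        report[inst["name"]] = {"ip": ip, "open_tcp": open_ports}
    return report


if __name__ == "__main__":
    # Optionally: python3 expose.py rules.json instances.json (saved gcloud --format=json output)
    rules, insts = FIREWALL_RULES, INSTANCES
    if len(sys.argv) == 3:
        rules, insts = json.load(open(sys.argv[1])), json.load(open(sys.argv[2]))
    for name, r in exposure_report(rules, insts, [22, 80, 443, 3389, 8080]).items():
        print(f"{name:10} {r['ip']:15} tcp open from 0.0.0.0/0: {r['open_tcp']}")
```

On the sample data the report shows web-1 with 22, 80 and 443 open (the default-allow-ssh rule plus its tag-targeted rule), prod-api with only 8080 open because the higher-priority deny rule targeted at its service account beats default-allow-ssh, legacy-1 with only 22 because its allow-all rule is disabled, and db-1 absent because it has no external IP. Rules sourced from a narrower public range (an office /24, for instance) are deliberately not counted here, matching the 0.0.0.0/0 definition the page uses.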
Hierarchical firewall policies let you create and enforce a consistent firewall policy across your organization. You can assign hierarchical firewall policies to the organization as a whole or to individual folders. These policies contain rules that can explicitly deny or allow connections.
You create and apply firewall policies as separate steps. You can create and apply firewall policies at the organization or folder nodes of the resource hierarchy. A firewall policy rule can block connections, allow connections, or defer firewall rule evaluation to lower-level folders or VPC firewall rules defined in VPC networks.
By default, all hierarchical firewall policy rules apply to all VMs in all projects under the organization or folder where the policy is associated. However, you can restrict which VMs get a given rule by specifying target networks or target service accounts.
You can read here how to create a Hierarchical Firewall Policy.
Firewall rules are evaluated in the following order; the first matching allow or deny decides, and a hierarchical policy rule can instead goto_next to defer the decision to the next level:
Org: hierarchical firewall policies assigned to the Organization
Folder: hierarchical firewall policies assigned to Folders (parent folders before child folders)
VPC: VPC firewall rules assigned to the VPC network
Global: global network firewall policies attached to the VPC network
Regional: regional network firewall policies, attached to the VPC network of the VM's NIC and scoped to the VM's region
Whether VPC firewall rules are evaluated before or after the network firewall policies is a per-network setting (networkFirewallPolicyEnforcementOrder); the order above is the default, AFTER_CLASSIC_FIREWALL.
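A small model of that evaluation order, added here as an example (it is not GCP's own logic or HackTricks' code). It keeps only priorities, TCP port ranges and actions, ignores source/destination matching on purpose, and shows why an allow in the project's VPC rules (such as default-allow-rdp or default-allow-ssh) is irrelevant once an org-level deny matches, and how goto_next hands a decision down. The org policy, folder policy and VPC rules are constructed for the example.

```python
ALLOW, DENY, GOTO_NEXT = "allow", "deny", "goto_next"


def rule(name, priority, ports, action):
    """ports is an inclusive (low, high) TCP range. Source/destination matching is
    left out of this model: every rule is treated as applying to the VM under test."""
    return {"name": name, "priority": priority, "ports": ports, "action": action}


# Constructed policy set (not real GCP config): an org policy, one folder policy
# and the project's VPC firewall rules, listed in evaluation order.
LEVELS = [
    ("org", [
        rule("org-deny-rdp", 100, (3389, 3389), DENY),
        rule("org-defer-web", 200, (80, 443), GOTO_NEXT),  # let lower levels decide
        rule("org-deny-everything-else", 300, (0, 65535), DENY),
    ]),
    ("folder", [
        rule("folder-allow-https", 1000, (443, 443), ALLOW),
    ]),
    ("vpc", [
        rule("default-allow-ssh", 65534, (22, 22), ALLOW),
        rule("default-allow-rdp", 65534, (3389, 3389), ALLOW),
    ]),
]


def evaluate(levels, port):
    """Return (decision, level, rule_name) for ingress on TCP `port`.
    At each level the highest-priority (lowest number) matching rule decides:
    allow/deny stop evaluation, goto_next hands off to the next level, and a
    level with no matching rule falls through as well. When every level has
    been passed, the VPC's implied deny-ingress rule applies."""
    for level, rules in levels:
        for r in sorted(rules, key=lambda r: r["priority"]):
            lo, hi = r["ports"]
            if not lo <= port <= hi:
                continue
            if r["action"] == GOTO_NEXT:
                break
            return r["action"], level, r["name"]
    return DENY, "implied", "deny-ingress"


if __name__ == "__main__":
    for p in (3389, 443, 80, 22):
        print(p, evaluate(LEVELS, p))
```

Port 3389 is denied at the org level even though the VPC still has default-allow-rdp; 443 is deferred by the org and allowed by the folder; 80 is deferred all the way down and ends at the implied deny; 22 is caught by the org's catch-all deny before default-allow-ssh is ever considered. To see what GCP itself computes for a real VM, `gcloud compute instances network-interfaces get-effective-firewalls INSTANCE --zone ZONE` lists the hierarchical policy rules and VPC rules that apply to its NIC.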
VPC Network Peering connects two Virtual Private Cloud (VPC) networks so that resources in each network can communicate with each other over internal IPs. Peered VPC networks can be in the same project, in different projects of the same organization, or in different projects of different organizations. Peering is not transitive, and each network's own firewall rules still apply to traffic arriving over the peering.
These are the permissions needed to manage peering:
compute.networks.addPeering
compute.networks.updatePeering
compute.networks.removePeering
compute.networks.listPeeringRoutes