GCP - VPC & Networking
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
GCP Compute Networking in a Nutshell
VPCs contain firewall rules that control incoming traffic to the VPC. VPCs also contain subnetworks, to which virtual machines are connected.
Compared with AWS, the VPC firewall is the closest thing to AWS Security Groups and NACLs, but here the rules are defined at the VPC level rather than on each instance.
VPC, Subnetworks & Firewalls in GCP
Compute Instances are connected to subnetworks, which are part of VPCs (Virtual Private Clouds). In GCP there are no security groups; instead there are VPC firewalls whose rules are defined at the network level but applied to each VM instance.
Subnetworks
A VPC can have several subnetworks. Each subnetwork belongs to exactly one region.
Firewalls
By default, every network has two implied firewall rules: allow all outbound traffic and deny all inbound traffic.
When a GCP project is created, a VPC called default is also created, with the following firewall rules:
- default-allow-internal: allow all traffic from other instances on the default network
- default-allow-ssh: allow 22 from everywhere
- default-allow-rdp: allow 3389 from everywhere
- default-allow-icmp: allow ping from everywhere
warning
As you can see, firewall rules tend to be more permissive for internal IP addresses. The default VPC permits all traffic between Compute Instances.
More Firewall rules can be created for the default VPC or for new VPCs. Firewall rules can be applied to instances via the following methods:
- Network tags
- Service accounts
- All instances within a VPC
Unfortunately, there isn't a simple gcloud command to spit out all Compute Instances with open ports on the internet. You have to connect the dots between firewall rules, network tags, service accounts, and instances.
This process was automated using this python script, which exports the following:
- CSV file showing instance, public IP, allowed TCP, allowed UDP
- nmap scan to target all instances on ports ingress allowed from the public internet (0.0.0.0/0)
- masscan to target the full TCP range of those instances that allow ALL TCP ports from the public internet (0.0.0.0/0)
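The "connect the dots" step above, as an added example that is not the script the page refers to: it joins firewall rules to instances through network tags and service accounts and produces the instance / public IP / allowed TCP / allowed UDP table. The dict shapes mirror what `gcloud compute firewall-rules list --format=json` and `gcloud compute instances list --format=json` emit, but every rule, instance, IP and service account below is constructed for the example. It only considers enabled INGRESS rules whose source includes 0.0.0.0/0 and ignores deny rules, rule priorities and hierarchical policies, so treat its output as a starting list to verify, not a final verdict.

```python
"""Join VPC firewall rules to Compute instances to list internet-reachable ports.
Added example; not HackTricks' script and not a Google tool. Data is constructed."""
import csv
import io

NET = "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/default"
APP_SA = "app@example-project.iam.gserviceaccount.com"          # constructed
BASTION_SA = "bastion@example-project.iam.gserviceaccount.com"  # constructed

# Constructed firewall rules: one of the default rules plus four custom ones.
FIREWALL_RULES = [
    {"name": "default-allow-ssh", "network": NET, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "web-public", "network": NET, "direction": "INGRESS", "targetTags": ["web"],
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "bastion-wide-open", "network": NET, "direction": "INGRESS",
     "targetServiceAccounts": [BASTION_SA], "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},  # no "ports" key: every port of that protocol
    {"name": "internal-db", "network": NET, "direction": "INGRESS", "targetTags": ["db"],
     "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "old-rule-off", "network": NET, "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "udp", "ports": ["53"]}]},
]

# Constructed instances; db-1 has no external IP at all.
INSTANCES = [
    {"name": "web-1", "tags": {"items": ["web"]}, "serviceAccounts": [{"email": APP_SA}],
     "networkInterfaces": [{"network": NET, "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
    {"name": "db-1", "tags": {"items": ["db"]}, "serviceAccounts": [{"email": APP_SA}],
     "networkInterfaces": [{"network": NET}]},
    {"name": "bastion", "tags": {}, "serviceAccounts": [{"email": BASTION_SA}],
     "networkInterfaces": [{"network": NET, "accessConfigs": [{"natIP": "203.0.113.11"}]}]},
]


def public_ip(instance):
    """First external (NAT) IP of the instance, or None if it has none."""
    for nic in instance.get("networkInterfaces", []):
        for cfg in nic.get("accessConfigs", []):
            if cfg.get("natIP"):
                return cfg["natIP"]
    return None


def is_public_ingress(rule):
    """Enabled INGRESS rule whose source ranges include the whole internet."""
    return (rule.get("direction", "INGRESS") == "INGRESS"
            and not rule.get("disabled", False)
            and "0.0.0.0/0" in rule.get("sourceRanges", []))


def rule_targets(rule, instance):
    """A rule hits an instance if they share a network and the rule's target
    (network tags, service accounts, or neither = every instance) matches it."""
    if rule["network"] not in {nic["network"] for nic in instance.get("networkInterfaces", [])}:
        return False
    tags = set(rule.get("targetTags", []))
    sas = set(rule.get("targetServiceAccounts", []))
    if not tags and not sas:
        return True
    inst_tags = set(instance.get("tags", {}).get("items", []))
    inst_sas = {sa["email"] for sa in instance.get("serviceAccounts", [])}
    return bool(tags & inst_tags) or bool(sas & inst_sas)


def _normalize(ports):
    """Collapse to ["all"] if any rule opened every port, else sort numerically."""
    if "all" in ports:
        return ["all"]
    return sorted(ports, key=lambda p: int(p.split("-")[0]))


def exposed_ports(instance, rules):
    """Union of TCP and UDP ports the public internet may reach on this instance."""
    tcp, udp = set(), set()
    for rule in rules:
        if not (is_public_ingress(rule) and rule_targets(rule, instance)):
            continue
        for allowed in rule.get("allowed", []):
            proto = allowed["IPProtocol"].lower()
            ports = set(allowed.get("ports", ["all"]))  # missing "ports" means all ports
            if proto in ("tcp", "all"):
                tcp |= ports
            if proto in ("udp", "all"):
                udp |= ports
    return _normalize(tcp), _normalize(udp)


def exposed_instances(instances, rules):
    """Rows for every instance that has a public IP and at least one reachable port."""
    rows = []
    for inst in instances:
        ip = public_ip(inst)
        if not ip:
            continue
        tcp, udp = exposed_ports(inst, rules)
        if tcp or udp:
            rows.append({"instance": inst["name"], "public_ip": ip, "tcp": tcp, "udp": udp})
    return rows


def to_csv(rows):
    """Same columns as the CSV described on the page: instance, public IP, TCP, UDP."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["instance", "public_ip", "allowed_tcp", "allowed_udp"])
    for r in rows:
        writer.writerow([r["instance"], r["public_ip"], " ".join(r["tcp"]), " ".join(r["udp"])])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(exposed_instances(INSTANCES, FIREWALL_RULES)), end="")
```

To run it against a real project, replace the two constructed lists with `json.load()` of the output of `gcloud compute firewall-rules list --format=json` and `gcloud compute instances list --format=json`; the field names used above (`sourceRanges`, `targetTags`, `targetServiceAccounts`, `allowed[].IPProtocol`, `tags.items`, `networkInterfaces[].accessConfigs[].natIP`) are the ones gcloud emits.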
Hierarchical Firewall Policies
Hierarchical firewall policies let you create and enforce a consistent firewall policy across your organization. You can assign hierarchical firewall policies to the organization as a whole or to individual folders. These policies contain rules that can explicitly deny or allow connections.
You create and apply firewall policies as separate steps. You can create and apply firewall policies at the organization or folder nodes of the resource hierarchy. A firewall policy rule can block connections, allow connections, or defer firewall rule evaluation to lower-level folders or VPC firewall rules defined in VPC networks.
By default, all hierarchical firewall policy rules apply to all VMs in all projects under the organization or folder where the policy is associated. However, you can restrict which VMs get a given rule by specifying target networks or target service accounts.
You can read here how to create a Hierarchical Firewall Policy.
Firewall Rules Evaluation
- Org: Firewall policies assigned to the Organization
- Folder: Firewall policies assigned to the Folder
- VPC: Firewall rules assigned to the VPC
- Global: another type of firewall rule that can be assigned to VPC networks
- Regional: firewall rules associated with the VPC network of the VM's NIC and the region of the VM
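To make the evaluation order and the allow / deny / defer semantics from the two sections above concrete, here is an added simulation (not Google's implementation, and not from the page): policies are walked organization first, then folder, then the VPC's own rules, each level by rule priority; an allow or deny decides, a goto_next (or no matching rule at that level) hands the packet to the next level, and the implied rules from the Firewalls section decide anything that reaches the bottom. The rule and packet shapes, the service accounts and all addresses are this example's own; global and regional network firewall policies are left out of the model.

```python
"""Simplified model of GCP firewall rule evaluation: org policy -> folder policy
-> VPC firewall rules -> implied rules. Added example with constructed data;
not Google's implementation."""
import ipaddress

APP_SA = "app@example-project.iam.gserviceaccount.com"          # constructed
BASTION_SA = "bastion@example-project.iam.gserviceaccount.com"  # constructed

# Constructed hierarchical policy at the organization: block telnet everywhere,
# then explicitly defer everything else to lower levels.
ORG_POLICY = [
    {"name": "org-deny-telnet", "priority": 100, "action": "deny", "protocol": "tcp", "ports": [23]},
    {"name": "org-defer", "priority": 65534, "action": "goto_next"},
]

# Constructed folder policy: allow a health-check range to port 80, and deny
# internet SSH to VMs running as the app service account (bastion unaffected).
FOLDER_POLICY = [
    {"name": "prod-allow-healthcheck", "priority": 200, "action": "allow", "protocol": "tcp",
     "ports": [80], "src_ranges": ["198.51.100.0/24"]},
    {"name": "prod-deny-ssh", "priority": 300, "action": "deny", "protocol": "tcp",
     "ports": [22], "target_service_accounts": [APP_SA]},
]

# The two default VPC rules described on the page, in this example's shape.
VPC_RULES = [
    {"name": "default-allow-ssh", "priority": 65534, "action": "allow", "protocol": "tcp", "ports": [22]},
    {"name": "default-allow-internal", "priority": 65534, "action": "allow", "src_ranges": ["10.128.0.0/9"]},
]

LEVELS = [("org", ORG_POLICY), ("folder", FOLDER_POLICY), ("vpc", VPC_RULES)]


def packet(src_ip, dst_port, service_account=APP_SA, protocol="tcp",
           direction="INGRESS", network="default"):
    """Connection attempt as seen by the VM's NIC."""
    return {"src_ip": src_ip, "dst_port": dst_port, "service_account": service_account,
            "protocol": protocol, "direction": direction, "network": network}


def rule_matches(rule, pkt):
    """Does the rule apply to this packet? A missing field means 'any'."""
    if rule.get("direction", "INGRESS") != pkt["direction"]:
        return False
    if rule.get("target_service_accounts") and pkt["service_account"] not in rule["target_service_accounts"]:
        return False
    if rule.get("target_networks") and pkt["network"] not in rule["target_networks"]:
        return False
    src = ipaddress.ip_address(pkt["src_ip"])
    if not any(src in ipaddress.ip_network(cidr) for cidr in rule.get("src_ranges", ["0.0.0.0/0"])):
        return False
    if rule.get("protocol", "all") not in ("all", pkt["protocol"]):
        return False
    if "ports" in rule and pkt["dst_port"] not in rule["ports"]:
        return False
    return True


def evaluate(pkt, levels=LEVELS):
    """Return (verdict, trace); trace lists the rules that took part in the decision."""
    trace = []
    for level, rules in levels:
        for rule in sorted(rules, key=lambda r: r["priority"]):  # lowest number first
            if not rule_matches(rule, pkt):
                continue
            trace.append(f"{level}:{rule['name']}")
            if rule["action"] in ("allow", "deny"):
                return rule["action"], trace
            break  # goto_next: this level is done, hand over to the next one
    # Nothing decided: the implied VPC rules apply (allow egress, deny ingress).
    trace.append("implied")
    return ("allow" if pkt["direction"] == "EGRESS" else "deny"), trace


if __name__ == "__main__":
    for p in (packet("203.0.113.5", 23), packet("203.0.113.5", 22),
              packet("203.0.113.5", 22, service_account=BASTION_SA),
              packet("203.0.113.5", 8080), packet("10.128.0.7", 8080)):
        print(p["src_ip"], p["dst_port"], p["service_account"].split("@")[0], evaluate(p))
```

The trace is the useful part when auditing: a VM that is reachable despite a restrictive VPC rule set is usually explained by an allow higher up, and a VM that cannot be reached despite default-allow-ssh is usually explained by a deny at the organization or folder that the project owner cannot see with a plain firewall-rules listing.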
VPC Network Peering
Allows you to connect two Virtual Private Cloud (VPC) networks so that resources in each network can communicate with each other.
Peered VPC networks can be in the same project, different projects of the same organization, or different projects of different organizations.
These are the permissions needed to manage peering:
- compute.networks.addPeering
- compute.networks.updatePeering
- compute.networks.removePeering
- compute.networks.listPeeringRoutes
References
- https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/
- https://cloud.google.com/vpc/docs/firewall-policies-overview#rule-evaluation