GCP - VPC & Networking


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

GCP Compute Networking in a Nutshell

VPCs contain firewall rules that control incoming traffic to the VPC, and subnetworks to which virtual machines are connected.
Compared with AWS, GCP firewall rules are the closest equivalent to Security Groups and NACLs, but they are defined at the VPC level rather than per instance.

VPC, Subnetworks & Firewalls in GCP

Compute Instances are connected to subnetworks, which are part of VPCs (Virtual Private Clouds). GCP has no security groups; instead, VPC firewalls have rules defined at the network level and applied to each VM instance.

Subnetworks

A VPC can have several subnetworks. Each subnetwork belongs to exactly one region.

Firewalls

By default, every network has two implied firewall rules: allow all outbound traffic and deny all inbound traffic.

When a GCP project is created, a VPC called default is also created, with the following firewall rules:

  • default-allow-internal: allow all traffic from other instances on the default network
  • default-allow-ssh: allow port 22 (SSH) from any source
  • default-allow-rdp: allow port 3389 (RDP) from any source
  • default-allow-icmp: allow ICMP (ping) from any source

warning

As you can see, firewall rules tend to be more permissive for internal IP addresses. The default VPC permits all traffic between Compute Instances.

More Firewall rules can be created for the default VPC or for new VPCs. Firewall rules can be applied to instances via the following methods:

Unfortunately, there isn't a single gcloud command that lists every Compute Instance with ports open to the internet. You have to connect the dots between firewall rules, network tags, service accounts, and instances.

This process was automated with this Python script, which exports the following:

  • a CSV file listing each instance, its public IP, the allowed TCP ports and the allowed UDP ports
  • an nmap scan targeting all instances on the ports whose ingress is allowed from the public internet (0.0.0.0/0)
  • a masscan over the full TCP range of those instances that allow ALL TCP ports from the public internet (0.0.0.0/0)
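The correlation step described above, written here as an added example rather than the script the page links to: it walks constructed sample data shaped like the JSON that `gcloud compute firewall-rules list --format=json` and `gcloud compute instances list --format=json` return, matches each ingress rule to instances by network, target tag and target service account, and reports the TCP ports reachable from 0.0.0.0/0 per externally addressable VM. The instance fields `sa` and `publicIp`, the service-account suffix and all rule names are assumptions; deny rules and priorities are deliberately not modelled.

```python
from ipaddress import ip_network

# Constructed sample data (only the fields used here), mimicking gcloud's JSON output.
SA = "@example.iam.gserviceaccount.com"  # constructed service-account suffix
RULES = [
    {"name": "default-allow-ssh", "network": "default", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "web-public", "network": "default", "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["web"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "db-internal", "network": "default", "sourceRanges": ["10.128.0.0/9"],
     "targetServiceAccounts": ["db" + SA], "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "legacy-all-tcp", "network": "default", "sourceRanges": ["0.0.0.0/0"],
     "targetServiceAccounts": ["legacy" + SA], "allowed": [{"IPProtocol": "tcp"}]},  # no "ports": all TCP
]
INSTANCES = [
    {"name": "web-1", "network": "default", "tags": ["web"], "sa": "web" + SA, "publicIp": "203.0.113.10"},
    {"name": "db-1", "network": "default", "tags": [], "sa": "db" + SA, "publicIp": "203.0.113.11"},
    {"name": "legacy-1", "network": "default", "tags": [], "sa": "legacy" + SA, "publicIp": "203.0.113.12"},
    {"name": "private-1", "network": "default", "tags": ["web"], "sa": "web" + SA, "publicIp": None},
]

def from_internet(rule):
    # Prefix length 0 (0.0.0.0/0 or ::/0) matches any source address.
    return any(ip_network(r).prefixlen == 0 for r in rule.get("sourceRanges", []))

def targets_instance(rule, inst):
    # Rules apply per network; without target tags or service accounts they hit every VM in it.
    if rule["network"] != inst["network"] or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    tags, sas = rule.get("targetTags", []), rule.get("targetServiceAccounts", [])
    return (not tags and not sas) or bool(set(tags) & set(inst["tags"])) or inst["sa"] in sas

def tcp_ports(rule):
    # Expand "22" and "8000-8010" entries; an allowed entry with no "ports" key means every TCP port.
    ports = set()
    for a in (x for x in rule.get("allowed", []) if x["IPProtocol"] in ("tcp", "all")):
        if "ports" not in a:
            return "ALL"
        for lo, _, hi in (p.partition("-") for p in a["ports"]):
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def public_tcp_exposure(instances, rules):
    # Only VMs with an external IP are directly reachable; deny rules and priorities are not modelled.
    report = {}
    for inst in (i for i in instances if i["publicIp"]):
        hits = [tcp_ports(r) for r in rules if from_internet(r) and targets_instance(r, inst)]
        report[inst["name"]] = "ALL" if "ALL" in hits else sorted(set().union(*hits))
    return report
```

Feeding real `gcloud ... --format=json` output requires mapping the instance's `serviceAccounts[0].email`, `tags.items` and `networkInterfaces[].accessConfigs[].natIP` onto the `sa`, `tags` and `publicIp` fields used above.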

Hierarchical Firewall Policies

Hierarchical firewall policies let you create and enforce a consistent firewall policy across your organization. You can assign hierarchical firewall policies to the organization as a whole or to individual folders. These policies contain rules that can explicitly deny or allow connections.

You create and apply firewall policies as separate steps. You can create and apply firewall policies at the organization or folder nodes of the resource hierarchy. A firewall policy rule can block connections, allow connections, or defer firewall rule evaluation to lower-level folders or VPC firewall rules defined in VPC networks.

By default, all hierarchical firewall policy rules apply to all VMs in all projects under the organization or folder where the policy is associated. However, you can restrict which VMs get a given rule by specifying target networks or target service accounts.

You can read here how to create a Hierarchical Firewall Policy.

Firewall Rules Evaluation

  1. Org: Firewall policies assigned to the Organization
  2. Folder: Firewall policies assigned to the Folder
  3. VPC: Firewall rules assigned to the VPC
  4. Global: global network firewall policies, another type of firewall rule that can be assigned to VPCs
  5. Regional: regional network firewall policies associated with the VPC network of the VM's NIC and the VM's region

VPC Network Peering

VPC Network Peering lets you connect two Virtual Private Cloud (VPC) networks so that resources in each network can communicate with each other.
Peered VPC networks can be in the same project, in different projects of the same organization, or in different projects of different organizations.

These are the permissions needed:

  • compute.networks.addPeering
  • compute.networks.updatePeering
  • compute.networks.removePeering
  • compute.networks.listPeeringRoutes

More in the docs.
