VPC networking and firewall
Networking in GCP differs from AWS and Azure in one important trait: the VPC is global, and subnets are regional. Understanding this model and the firewall rules is crucial for security — and these are the configurations ZEUS checks for exposure.
VPC — global, subnets regional
In GCP a single VPC network spans all regions. Subnets are assigned to regions and have their own CIDR ranges. Resources in different regions within the same VPC communicate privately without peering.
```bash
# VPC in custom mode (recommended: full control over subnets)
gcloud compute networks create vpc-zeus --subnet-mode=custom

# Subnet in the europe-central2 region
gcloud compute networks subnets create snet-app \
  --network=vpc-zeus --region=europe-central2 \
  --range=10.0.1.0/24
```
Tip: always use custom mode, not auto. Auto mode creates a subnet in every region with predefined ranges — that is an excessive attack surface, which ZEUS flags as a finding.
Firewall rules
The firewall in GCP operates at the VPC network level and is stateful. Rules have a priority (0-65535, lower wins), a direction, an action (allow/deny) and target selectors — most often via network tags or service accounts.
```bash
# Allow HTTPS from the internet to VMs tagged 'web'
gcloud compute firewall-rules create allow-https \
  --network=vpc-zeus --direction=INGRESS --action=ALLOW \
  --rules=tcp:443 --source-ranges=0.0.0.0/0 \
  --target-tags=web

# Allow SSH ONLY from the IAP range (not from the whole internet!)
gcloud compute firewall-rules create allow-ssh-iap \
  --network=vpc-zeus --direction=INGRESS --action=ALLOW \
  --rules=tcp:22 --source-ranges=35.235.240.0/20
```
| Rule element | Example |
|---|---|
| priority | 1000 |
| direction | INGRESS / EGRESS |
| action | ALLOW / DENY |
| target | network tags / service accounts |
| source | CIDR ranges / tags |
The most common critical finding: a rule with --source-ranges=0.0.0.0/0 on port 22 or 3389. Restrict administrative access to the IAP range (35.235.240.0/20) or to known addresses.
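As an added example (not ZEUS's own code), here is a small checker that applies this finding to firewall rules in the JSON shape returned by `gcloud compute firewall-rules list --format=json`; it also handles port ranges, protocol `all`, rules without a `ports` list, and disabled rules. The sample rules are constructed: the two from this lesson plus three variants.

```python
# Added example (not ZEUS code): flag rules exposing SSH/RDP to the internet,
# using the field names of `gcloud compute firewall-rules list --format=json`.
ADMIN_PORTS = (22, 3389)          # ssh, rdp
ANY_IPV4 = "0.0.0.0/0"

def _port_in_spec(spec, port):
    # GCP port specs are single ports ("22") or ranges ("20-25")
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _allows_tcp_port(allowed, port):
    # one 'allowed' entry looks like {"IPProtocol": "tcp", "ports": ["22"]}
    if allowed.get("IPProtocol", "").lower() not in ("tcp", "all"):
        return False
    ports = allowed.get("ports")
    if not ports:                 # no 'ports' key = every port of the protocol
        return True
    return any(_port_in_spec(p, port) for p in ports)

def find_open_admin_ports(rules):
    """Return [(rule name, port)] for enabled INGRESS rules that allow an
    admin port from 0.0.0.0/0. Deny rules carry 'denied', not 'allowed'."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if ANY_IPV4 not in rule.get("sourceRanges", []):
            continue
        for port in ADMIN_PORTS:
            if any(_allows_tcp_port(a, port) for a in rule.get("allowed", [])):
                findings.append((rule["name"], port))
    return findings

# Constructed sample: the lesson's two rules plus three variants
SAMPLE_RULES = [
    {"name": "allow-https", "direction": "INGRESS", "sourceRanges": [ANY_IPV4],
     "targetTags": ["web"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-ssh-iap", "direction": "INGRESS",
     "sourceRanges": ["35.235.240.0/20"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-rdp-any", "direction": "INGRESS", "sourceRanges": [ANY_IPV4],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-mail-range", "direction": "INGRESS", "sourceRanges": [ANY_IPV4],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},      # range covers 22
    {"name": "old-ssh-open", "direction": "INGRESS", "sourceRanges": [ANY_IPV4],
     "disabled": True, "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]

if __name__ == "__main__":
    for name, port in find_open_admin_ports(SAMPLE_RULES):
        print(f"CRITICAL: rule {name} exposes tcp/{port} to {ANY_IPV4}")
```

Run against real output by loading the JSON from `gcloud compute firewall-rules list --format=json` and passing the list to `find_open_admin_ports`; a higher-priority deny rule could still shadow a flagged allow rule, which this checker does not evaluate.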
Private Google Access and private services
Private Google Access lets a VM without a public IP use Google services (Storage, BigQuery) privately. Private Service Connect provides a private endpoint to services — the equivalent of Private Link/VPC Endpoint.
How ZEUS sees it
Through Cloud Asset Inventory and the Compute API, ZEUS reads the entire topology: VPC networks, subnets, all firewall rules and the Private Google Access configuration. On that basis it flags publicly exposed resources and dangerously open management ports — this data feeds the security posture view alongside the equivalents from Azure and AWS.
In the next lesson: Security Command Center and Workload Identity.