Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers) (requires [organization-level activation](/security-command-center/docs/activate-scc-overview#overview_of_organization-level_activation))

This page describes the preventative and detective policies that are included in
the v.1.0 version of the predefined posture for Virtual Private Cloud (VPC)
networking, essentials. This posture includes two policy sets:

- A policy set that includes organization policy constraints that apply to
  VPC networking.
- A policy set that includes Security Health Analytics detectors that apply to
  VPC networking.

You can use this predefined posture to configure a security posture that helps
protect VPC networking. You can deploy this predefined posture without making
any changes.

Organization policy constraints

The following table describes the organization policy constraints that are
included in this posture.

| Policy | Description | Compliance standard |
|---|---|---|
| `compute.skipDefaultNetworkCreation` | This boolean constraint disables the automatic creation of a default VPC network and default firewall rules in each new project, ensuring that network and firewall rules are intentionally created. The value is `true` to avoid creating the default VPC network. | NIST SP 800-53 control: SC-7 and SC-8 |
| `ainotebooks.restrictPublicIp` | This boolean constraint restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IP addresses can access Vertex AI Workbench notebooks and instances. The value is `true` to restrict public IP access on new Vertex AI Workbench notebooks and instances. | NIST SP 800-53 control: SC-7 and SC-8 |
| `compute.disableNestedVirtualization` | This boolean constraint disables nested virtualization for all Compute Engine VMs to decrease the security risk related to unmonitored nested instances. The value is `true` to turn off VM nested virtualization. | NIST SP 800-53 control: SC-7 and SC-8 |

Security Health Analytics detectors

The following table describes the Security Health Analytics detectors that are
included in the predefined posture. For more information about these detectors,
see [Vulnerability findings](/security-command-center/docs/concepts-vulnerabilities-findings).

| Detector name | Description |
|---|---|
| `FIREWALL_NOT_MONITORED` | This detector checks whether log metrics and alerts aren't configured to monitor VPC firewall rule changes. |
| `NETWORK_NOT_MONITORED` | This detector checks whether log metrics and alerts aren't configured to monitor VPC network changes. |
| `ROUTE_NOT_MONITORED` | This detector checks whether log metrics and alerts aren't configured to monitor VPC network route changes. |
| `DNS_LOGGING_DISABLED` | This detector checks whether DNS logging is enabled on the VPC network. |
| `FLOW_LOGS_DISABLED` | This detector checks whether flow logs are enabled on the VPC subnetwork. |
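The three `*_NOT_MONITORED` detectors only report whether log metrics and alerts exist; the following added example (not from this page or from Google's own code) shows the kind of change detection those metrics are expected to perform, run offline over constructed Cloud Audit Log entries. The resource types, method names and the `classify_change` / `logging_filter` helpers are assumptions modelled on the common CIS-benchmark-style filters; the page does not state the exact filters the detectors look for.

```python
from typing import Optional

# Change categories covered by the FIREWALL/NETWORK/ROUTE_NOT_MONITORED detectors, keyed by
# audit-log resource type. Resource types and method-name suffixes follow the usual
# CIS-benchmark-style log-based metric filters; they are an assumption, not taken from the page.
VPC_CHANGE_RULES = {
    "gce_firewall_rule": ("FIREWALL", ("compute.firewalls.patch",
                                       "compute.firewalls.insert",
                                       "compute.firewalls.delete")),
    "gce_network": ("NETWORK", ("compute.networks.insert", "compute.networks.patch", "compute.networks.delete",
                                "compute.networks.removePeering", "compute.networks.addPeering")),
    "gce_route": ("ROUTE", ("compute.routes.delete", "compute.routes.insert")),
}

def logging_filter(category: str) -> str:
    """Cloud Logging filter for a log-based metric covering one change category."""
    for resource_type, (cat, methods) in VPC_CHANGE_RULES.items():
        if cat == category:
            clauses = " OR ".join(f'protoPayload.methodName:"{m}"' for m in methods)
            return f'resource.type="{resource_type}" AND ({clauses})'
    raise ValueError(f"unknown category: {category}")

def classify_change(entry: dict) -> Optional[str]:
    """Return FIREWALL, NETWORK or ROUTE if the audit-log entry is a VPC change, else None."""
    rule = VPC_CHANGE_RULES.get(entry.get("resource", {}).get("type", ""))
    if rule is None:
        return None
    category, methods = rule
    # Audit logs prefix the method with the API version, e.g. "v1.compute.firewalls.insert";
    # read-only calls such as "compute.firewalls.get" are not changes and fall through to None.
    method = entry.get("protoPayload", {}).get("methodName", "")
    return category if method.endswith(methods) else None

def count_changes(entries: list) -> dict:
    """Count change events per category, the way an alerting metric would."""
    counts = {"FIREWALL": 0, "NETWORK": 0, "ROUTE": 0}
    for entry in entries:
        category = classify_change(entry)
        if category:
            counts[category] += 1
    return counts

# Constructed sample audit-log entries (not real logs), trimmed to the fields used above.
SAMPLE_ENTRIES = [
    {"resource": {"type": "gce_firewall_rule"}, "protoPayload": {"methodName": "v1.compute.firewalls.insert"}},
    {"resource": {"type": "gce_firewall_rule"}, "protoPayload": {"methodName": "v1.compute.firewalls.get"}},
    {"resource": {"type": "gce_network"}, "protoPayload": {"methodName": "beta.compute.networks.delete"}},
    {"resource": {"type": "gce_route"}, "protoPayload": {"methodName": "v1.compute.routes.insert"}},
    {"resource": {"type": "gce_instance"}, "protoPayload": {"methodName": "v1.compute.instances.insert"}},
]
```

A log-based metric built from `logging_filter(...)` plus an alerting policy on it is what clears the corresponding finding; `count_changes` is the offline stand-in for that metric.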
View the posture template

To view the posture template for VPC networking, essentials, do the following:

gcloud

Before using any of the command data below, make the following replacements:

- `ORGANIZATION_ID`: the numeric ID of the organization
Execute the [`gcloud scc posture-templates describe`](/sdk/gcloud/reference/scc/posture-templates/describe) command:

Linux, macOS, or Cloud Shell

```bash
gcloud scc posture-templates describe \
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essential
```

Windows (PowerShell)

```powershell
gcloud scc posture-templates describe `
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essential
```

Windows (cmd.exe)

```bat
gcloud scc posture-templates describe ^
    organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essential
```

The response contains the posture template.

REST

Before using any of the request data, make the following replacements:

- `ORGANIZATION_ID`: the numeric ID of the organization

HTTP method and URL:

```
GET https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essential
```

To send your request, use one of the following options:

curl (Linux, macOS, or Cloud Shell)

**Note:** The following command assumes that you have logged in to the `gcloud` CLI with your user account by running [`gcloud init`](/sdk/gcloud/reference/init) or [`gcloud auth login`](/sdk/gcloud/reference/auth/login), or by using [Cloud Shell](/shell/docs), which automatically logs you into the `gcloud` CLI. You can check the currently active account by running [`gcloud auth list`](/sdk/gcloud/reference/auth/list).

Execute the following command:

```
curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essential"
```

PowerShell (Windows)

**Note:** The following command assumes that you have logged in to the `gcloud` CLI with your user account by running [`gcloud init`](/sdk/gcloud/reference/init) or [`gcloud auth login`](/sdk/gcloud/reference/auth/login). You can check the currently active account by running [`gcloud auth list`](/sdk/gcloud/reference/auth/list).

Execute the following command:

```
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essential" | Select-Object -Expand Content
```

The response contains the posture template.

What's next

- [Create a security posture using this predefined posture](/security-command-center/docs/how-to-use-security-posture).
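As an added example for the describe request above (not part of this page or of Google's tooling): a checker that inventories the returned posture template and reports which of the policies listed on this page are missing from it, run here against a constructed response. The response shape (`policySets` containing `policies` whose `constraint` carries either `orgPolicyConstraint` or `securityHealthAnalyticsModule`) is assumed from the securityposture v1 PostureTemplate resource, and the `inventory` / `missing_policies` helpers are my own.

```python
# Response shape below is assumed from the securityposture v1 PostureTemplate resource;
# verify it against a real `describe` response before relying on this check.

# Policies this page lists for vpc_networking_essential.
EXPECTED_CONSTRAINTS = {"compute.skipDefaultNetworkCreation",
                        "ainotebooks.restrictPublicIp",
                        "compute.disableNestedVirtualization"}
EXPECTED_DETECTORS = {"FIREWALL_NOT_MONITORED", "NETWORK_NOT_MONITORED",
                      "ROUTE_NOT_MONITORED", "DNS_LOGGING_DISABLED", "FLOW_LOGS_DISABLED"}

def inventory(template: dict) -> dict:
    """Collect enforced org-policy constraint ids and enabled detector names from a template."""
    found = {"constraints": set(), "detectors": set()}
    for policy_set in template.get("policySets", []):
        for policy in policy_set.get("policies", []):
            constraint = policy.get("constraint", {})
            org = constraint.get("orgPolicyConstraint")
            sha = constraint.get("securityHealthAnalyticsModule")
            # A boolean constraint only counts when at least one rule enforces it.
            if org and any(rule.get("enforce") for rule in org.get("policyRules", [])):
                found["constraints"].add(org["cannedConstraintId"])
            elif sha and sha.get("moduleEnablementState") == "ENABLED":
                found["detectors"].add(sha["moduleName"])
    return found

def missing_policies(template: dict) -> dict:
    """Policies from the page that the template does not enforce or enable."""
    found = inventory(template)
    return {"constraints": EXPECTED_CONSTRAINTS - found["constraints"],
            "detectors": EXPECTED_DETECTORS - found["detectors"]}

# Constructed sample response (abridged, not real API output) in the assumed shape,
# with one detector deliberately disabled so the check has something to report.
def _org(cid):
    return {"constraint": {"orgPolicyConstraint": {"cannedConstraintId": cid,
                                                   "policyRules": [{"enforce": True}]}}}

def _sha(name, state="ENABLED"):
    return {"constraint": {"securityHealthAnalyticsModule": {"moduleName": name,
                                                             "moduleEnablementState": state}}}

SAMPLE_RESPONSE = {
    "name": "organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essential",
    "policySets": [
        {"policySetId": "vpc-org-policies", "policies": [_org(c) for c in sorted(EXPECTED_CONSTRAINTS)]},
        {"policySetId": "vpc-sha-detectors",
         "policies": [_sha(d) for d in sorted(EXPECTED_DETECTORS - {"FLOW_LOGS_DISABLED"})]
                     + [_sha("FLOW_LOGS_DISABLED", "DISABLED")]},
    ],
}
```

Feed the JSON body from the curl or PowerShell request into `missing_policies` to confirm the template you deploy still carries every policy described above.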