# Predefined posture for VPC networking, extended

| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers) (requires [organization-level activation](/security-command-center/docs/activate-scc-overview#overview_of_organization-level_activation))

This page describes the preventative and detective policies that are included in
the v.1.0 version of the predefined posture for Virtual Private Cloud (VPC)
networking, extended. This posture includes two policy sets:

- A policy set that includes organization policy constraints that apply to
  VPC networking.
- A policy set that includes Security Health Analytics detectors that apply to
  VPC networking.

You can use this predefined posture to configure a security posture that helps
protect VPC networking. If you want to deploy this predefined posture, you must
customize some of the policies so that they apply to your environment.
Organization policy constraints
-------------------------------

The following table describes the organization policy constraints that are
included in this posture.

| Policy | Description | Compliance standard |
|---|---|---|
| `compute.skipDefaultNetworkCreation` | This boolean constraint disables the automatic creation of a default VPC network and default firewall rules in each new project, ensuring that network and firewall rules are intentionally created. The value is `true` to avoid creating the default VPC network. | NIST SP 800-53 control: SC-7 and SC-8 |
| `ainotebooks.restrictPublicIp` | This boolean constraint restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IP addresses can access Vertex AI Workbench notebooks and instances. The value is `true` to restrict public IP access on new Vertex AI Workbench notebooks and instances. | NIST SP 800-53 control: SC-7 and SC-8 |
| `compute.disableNestedVirtualization` | This boolean constraint disables nested virtualization for all Compute Engine VMs to decrease the security risk related to unmonitored nested instances. The value is `true` to turn off VM nested virtualization. | NIST SP 800-53 control: SC-7 and SC-8 |
| `compute.vmExternalIpAccess` | This list constraint defines the Compute Engine VM instances that are allowed to use external IP addresses. By default, all VM instances are allowed to use external IP addresses. The constraint uses the format `projects/PROJECT_ID/zones/ZONE/instances/INSTANCE`. You must configure this value when you adopt this predefined posture. | NIST SP 800-53 control: SC-7 and SC-8 |
| `ainotebooks.restrictVpcNetworks` | This list constraint defines the VPC networks a user can select when creating new Vertex AI Workbench instances where this constraint is enforced. You must configure this value when you adopt this predefined posture. | NIST SP 800-53 control: SC-7 and SC-8 |
| `compute.vmCanIpForward` | This list constraint defines the VPC networks that a user can select when creating new Vertex AI Workbench instances. By default, you can create a Vertex AI Workbench instance with any VPC network. You must configure this value when you adopt this predefined posture. | NIST SP 800-53 control: SC-7 and SC-8 |
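The two list constraints above must be customized before the posture is adopted. The following added example (not Google's code and not part of the posture template) validates instance references in the `projects/PROJECT_ID/zones/ZONE/instances/INSTANCE` format the page gives for `compute.vmExternalIpAccess` and builds the org-policy specs for that constraint and for the boolean constraints; the spec layout (`name`, `spec.rules` with `values`/`denyAll`/`enforce`) is assumed to match what `gcloud org-policies set-policy` accepts, and `ORG_ID` is a placeholder.

```python
"""Build org-policy specs for the constraints in this posture.
Assumptions: the name/spec/rules layout below is the JSON/YAML form accepted
by `gcloud org-policies set-policy`; ORG_ID is a placeholder organization."""
import json
import re

# projects/PROJECT_ID/zones/ZONE/instances/INSTANCE, the format the page gives.
INSTANCE_REF = re.compile(
    r"^projects/(?P<project>[a-z][-a-z0-9]{4,28}[a-z0-9])"
    r"/zones/(?P<zone>[a-z]+-[a-z]+[0-9]+-[a-z])"
    r"/instances/(?P<instance>[a-z]([-a-z0-9]{0,61}[a-z0-9])?)$"
)

def parse_instance_ref(ref: str) -> dict:
    """Return the project, zone and instance parts, or raise on bad input."""
    m = INSTANCE_REF.match(ref)
    if m is None:
        raise ValueError(f"expected projects/PROJECT_ID/zones/ZONE/instances/INSTANCE, got {ref!r}")
    return m.groupdict()

def is_valid_instance_ref(ref: str) -> bool:
    try:
        parse_instance_ref(ref)
        return True
    except ValueError:
        return False

def external_ip_policy(allowed: list, org_id: str = "ORG_ID") -> dict:
    """compute.vmExternalIpAccess: an explicit allowlist of VMs that may hold an
    external IP. With no entries the rule is denyAll, so no VM gets one."""
    bad = [r for r in allowed if not is_valid_instance_ref(r)]
    if bad:
        raise ValueError(f"malformed instance references: {bad}")
    rule = {"values": {"allowedValues": allowed}} if allowed else {"denyAll": True}
    return {"name": f"organizations/{org_id}/policies/compute.vmExternalIpAccess",
            "spec": {"rules": [rule]}}

def boolean_policy(constraint: str, org_id: str = "ORG_ID") -> dict:
    """Enforce one of the posture's boolean constraints, for example
    compute.skipDefaultNetworkCreation or compute.disableNestedVirtualization."""
    return {"name": f"organizations/{org_id}/policies/{constraint}",
            "spec": {"rules": [{"enforce": True}]}}

def policy_file(policy: dict) -> str:
    """Serialize for `gcloud org-policies set-policy FILE` (JSON is accepted)."""
    return json.dumps(policy, indent=2)
```

Write `policy_file(external_ip_policy([...], org_id="123456789012"))` to a file and apply it with `gcloud org-policies set-policy`; an empty allowlist yields a deny-all rule rather than silently allowing every VM.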
Security Health Analytics detectors
-----------------------------------

The following table describes the Security Health Analytics detectors that are included in
the predefined posture. For more information about these detectors, see
[Vulnerability findings](/security-command-center/docs/concepts-vulnerabilities-findings).

| Detector name | Description |
|---|---|
| `FIREWALL_NOT_MONITORED` | This detector checks whether log metrics and alerts aren't configured to monitor VPC firewall rule changes. |
| `NETWORK_NOT_MONITORED` | This detector checks whether log metrics and alerts aren't configured to monitor VPC network changes. |
| `ROUTE_NOT_MONITORED` | This detector checks whether log metrics and alerts aren't configured to monitor VPC network route changes. |
| `DNS_LOGGING_DISABLED` | This detector checks whether DNS logging is enabled on the VPC network. |
| `FLOW_LOGS_DISABLED` | This detector checks whether flow logs are enabled on the VPC subnetwork. |
| `VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED` | This detector checks whether the `enableFlowLogs` property of VPC subnetworks is missing or set to `false`. |
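The three `*_NOT_MONITORED` detectors fire when no log-based metric with an alerting policy covers a class of VPC change. The following added example (not Security Health Analytics' own logic) emulates the metric filters such monitoring would use, runs them over constructed audit-log entries, and reports which detectors would fire for a given set of metrics and alerts; the `methodName` substrings are an assumption modeled on Compute Engine audit-log method names, and the sample entries are constructed.

```python
"""Emulate the log-based metric filters behind FIREWALL_NOT_MONITORED,
NETWORK_NOT_MONITORED and ROUTE_NOT_MONITORED. The resource types and
methodName substrings are assumptions modeled on Compute Engine audit logs."""

# Detector -> (resource.type, methodName substrings); ':' in a Logging filter is a substring match.
REQUIRED_FILTERS = {
    "FIREWALL_NOT_MONITORED": ("gce_firewall_rule", (
        "compute.firewalls.insert", "compute.firewalls.patch", "compute.firewalls.delete")),
    "NETWORK_NOT_MONITORED": ("gce_network", (
        "compute.networks.insert", "compute.networks.patch", "compute.networks.delete",
        "compute.networks.addPeering", "compute.networks.removePeering")),
    "ROUTE_NOT_MONITORED": ("gce_route", ("compute.routes.insert", "compute.routes.delete")),
}

def entry_matches(entry: dict, resource_type: str, methods: tuple) -> bool:
    """resource.type="<type>" AND (protoPayload.methodName:"<m1>" OR ...)."""
    if entry.get("resource", {}).get("type") != resource_type:
        return False
    method = entry.get("protoPayload", {}).get("methodName", "")
    return any(m in method for m in methods)

def classify(entries: list) -> dict:
    """Map each detector to the insertIds its expected metric would count."""
    hits = {name: [] for name in REQUIRED_FILTERS}
    for entry in entries:
        for name, (rtype, methods) in REQUIRED_FILTERS.items():
            if entry_matches(entry, rtype, methods):
                hits[name].append(entry["insertId"])
    return hits

def missing_monitoring(metrics: dict, alerted: set) -> list:
    """Detectors that would fire. `metrics` maps a log-based metric name to the
    (resource.type, methods) it filters on; `alerted` names metrics that have an
    alerting policy. A metric without an alert does not count as coverage."""
    findings = []
    for name, (rtype, methods) in REQUIRED_FILTERS.items():
        covering = [m for m, (r, ms) in metrics.items() if r == rtype and set(methods) <= set(ms)]
        if not any(m in alerted for m in covering):
            findings.append(name)
    return findings

# Constructed audit-log entries (not real data), trimmed to the fields used above.
SAMPLE_LOG = [
    {"insertId": "fw-1", "resource": {"type": "gce_firewall_rule"}, "protoPayload": {"methodName": "v1.compute.firewalls.patch"}},
    {"insertId": "net-1", "resource": {"type": "gce_network"}, "protoPayload": {"methodName": "v1.compute.networks.addPeering"}},
    {"insertId": "rt-1", "resource": {"type": "gce_route"}, "protoPayload": {"methodName": "v1.compute.routes.delete"}},
    {"insertId": "vm-1", "resource": {"type": "gce_instance"}, "protoPayload": {"methodName": "v1.compute.instances.insert"}},
]
```

Feed `missing_monitoring` the filters and alerting policies exported from your project to see which of the three findings you should expect before the detector runs.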
View the posture template
-------------------------

To view the posture template for VPC networking, extended, do the following:

### gcloud

Before using any of the command data below, make the following replacements:

- `ORGANIZATION_ID`: the numeric ID of the organization

Execute the [`gcloud scc posture-templates describe`](/sdk/gcloud/reference/scc/posture-templates/describe) command:

#### Linux, macOS, or Cloud Shell

```bash
gcloud scc posture-templates describe \
  organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_extended
```

#### Windows (PowerShell)

```powershell
gcloud scc posture-templates describe `
  organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_extended
```

#### Windows (cmd.exe)

```bat
gcloud scc posture-templates describe ^
  organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_extended
```

The response contains the posture template.

### REST

Before using any of the request data, make the following replacements:

- `ORGANIZATION_ID`: the numeric ID of the organization

HTTP method and URL:

```
GET https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_extended
```

To send your request, use one of the following options:

#### curl (Linux, macOS, or Cloud Shell)

| **Note:** The following command assumes that you have logged in to the `gcloud` CLI with your user account by running [`gcloud init`](/sdk/gcloud/reference/init) or [`gcloud auth login`](/sdk/gcloud/reference/auth/login), or by using [Cloud Shell](/shell/docs), which automatically logs you into the `gcloud` CLI. You can check the currently active account by running [`gcloud auth list`](/sdk/gcloud/reference/auth/list).

Execute the following command:

```bash
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_extended"
```

#### PowerShell (Windows)

| **Note:** The following command assumes that you have logged in to the `gcloud` CLI with your user account by running [`gcloud init`](/sdk/gcloud/reference/init) or [`gcloud auth login`](/sdk/gcloud/reference/auth/login). You can check the currently active account by running [`gcloud auth list`](/sdk/gcloud/reference/auth/list).

Execute the following command:

```powershell
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method GET `
  -Headers $headers `
  -Uri "https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_extended" | Select-Object -Expand Content
```

The response contains the posture template.

What's next
-----------

- [Create a security posture using this predefined posture](/security-command-center/docs/how-to-use-security-posture).

Last updated 2025-08-28 UTC.