Predefined posture for VPC networking, essentials
This page describes the preventative and detective policies that are included inthe v.1.0 version of the predefined posture for Virtual Private Cloud (VPC)networking, essentials. This posture includes two policy sets:
A policy set that includes organization policy constraints that apply toVPC networking.
A policy set that includes Security Health Analytics detectors that apply toVPC networking.
You can use this predefined posture to configure a security posture that helpsprotect VPC networking. You can deploy this predefined posturewithout making any changes.
Organization policy constraints
The following table describes the organization policy constraints that areincluded in this posture.
| Policy | Description | Compliance standard |
|---|---|---|
compute.skipDefaultNetworkCreation | This boolean constraint disables the automatic creation of a default VPC network and default firewall rules in each new project, ensuring that network and firewall rules are intentionally created. The value is | NIST SP 800-53 control: SC-7 and SC-8 |
ainotebooks.restrictPublicIp | This boolean constraint restricts public IP access to newly created Vertex AI Workbench notebooks and instances. By default, public IP addresses can access Vertex AI Workbench notebooks and instances. The value is | NIST SP 800-53 control: SC-7 and SC-8 |
compute.disableNestedVirtualization | This boolean constraint disables nested virtualization for all Compute Engine VMs to decrease the security risk related to unmonitored nested instances. The value is | NIST SP 800-53 control: SC-7 and SC-8 |
Security Health Analytics detectors
The following table describes the Security Health Analytics detectors that are included inthe predefined posture. For more information about these detectors, seeVulnerability findings.
| Detector name | Description |
|---|---|
FIREWALL_NOT_MONITORED | This detector checks whether log metrics and alerts aren't configured to monitor VPC firewall rule changes. |
NETWORK_NOT_MONITORED | This detector checks whether log metrics and alerts aren't configured to monitor VPC network changes. |
ROUTE_NOT_MONITORED | This detector checks whether log metrics and alerts aren't configured to monitor VPC network route changes. |
DNS_LOGGING_DISABLED | This detector checks whether DNS logging is enabled on the VPC network. |
FLOW_LOGS_DISABLED | This detector checks whether flow logs are enabled on the VPC subnetwork. |
View the posture template
To view the posture template for VPC networking, essentials, do the following:
gcloud
Before using any of the command data below, make the following replacements:
ORGANIZATION_ID: the numeric ID of the organization
Execute thegcloud scc posture-templates describe command:
Linux, macOS, or Cloud Shell
gcloudsccposture-templatesdescribe\organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essentialWindows (PowerShell)
gcloudsccposture-templatesdescribe`organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essentialWindows (cmd.exe)
gcloudsccposture-templatesdescribe^organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essential
The response contains the posture template.
REST
Before using any of the request data, make the following replacements:
ORGANIZATION_ID: the numeric ID of the organization
HTTP method and URL:
GET https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essential
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essential"
PowerShell (Windows)
Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://securityposture.googleapis.com/v1/organizations/ORGANIZATION_ID/locations/global/postureTemplates/vpc_networking_essential" | Select-Object -Expand Content
The response contains the posture template.
What's next
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-20 UTC.