Using the VPC Service Controls Troubleshooter

VPC Service Controls log entries often contain data about denied requests to protected services, such as the resources being requested and the reason why access was denied. However, these details aren't always easily apparent and can require users to spend considerable time understanding the logs. The VPC Service Controls Troubleshooter is a tool that enables security administrators to better understand and troubleshoot a denial that is caused by VPC Service Controls.

Currently, the VPC Service Controls Troubleshooter helps diagnose the following types of violations:

Violation: RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER
  Projects listed in the resourceNames field of the audit record are not in the same service perimeter.

Violation: NETWORK_NOT_IN_SAME_SERVICE_PERIMETER
  Projects that correspond to the callerNetwork and the resourceNames fields of the audit record are not in the same service perimeter.

Violation: NO_MATCHING_ACCESS_LEVEL
  Typically, the IP address in the callerIp field of the audit record does not match any CIDR range defined in the access levels attached to the service perimeter.

  If the caller IP address is missing or appears to be a private IP address, the violation might come from a Google Cloud service that is not yet integrated with VPC Service Controls trying to reach a protected service and being denied as expected.

Violation: SERVICE_NOT_ALLOWED_FROM_VPC
  The service being called is not allowed by the VPC Accessible Services configuration of the service perimeter.
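The following script is an added example, not part of this page or of Google's tooling. It applies the reasoning from the violation list above to a VPC Service Controls denial audit entry: it reads the violation reason, pulls out the resourceNames, callerNetwork and callerIp fields the list points to, and for NO_MATCHING_ACCESS_LEVEL checks the caller IP against a set of access-level CIDR ranges, flagging a missing or RFC 1918 private callerIp the way the note above describes. The sample entry and the access-level CIDRs are constructed. The exact JSON field paths (protoPayload.metadata.violationReason, protoPayload.metadata.vpcServiceControlsUniqueId, protoPayload.requestMetadata.callerIp and callerNetwork) follow the VPC Service Controls audit metadata layout as I recall it and are assumptions; the page itself only names the resourceNames, callerNetwork and callerIp fields.

```python
import ipaddress
import json

# Constructed sample denial, reduced to the fields this script reads. The field
# paths under protoPayload are assumptions about the audit log layout, not
# something stated on the page.
SAMPLE_ENTRY = json.loads("""
{
  "protoPayload": {
    "serviceName": "storage.googleapis.com",
    "methodName": "google.storage.objects.get",
    "requestMetadata": {"callerIp": "203.0.113.200", "callerNetwork": ""},
    "metadata": {
      "violationReason": "NO_MATCHING_ACCESS_LEVEL",
      "resourceNames": ["projects/111111111111"],
      "vpcServiceControlsUniqueId": "example-unique-id-0001"
    }
  }
}
""")

# Constructed access levels: name -> CIDR ranges the perimeter trusts.
ACCESS_LEVEL_CIDRS = {
    "corp_office": ["198.51.100.0/24"],
    "vpn_egress": ["203.0.113.0/26"],
}

# RFC 1918 ranges: a callerIp in one of these is treated as "private" in the
# sense of the NO_MATCHING_ACCESS_LEVEL note (likely an unintegrated service).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_caller_ip(caller_ip, access_levels):
    """Return (matched_access_level_names, note) for a callerIp value."""
    if not caller_ip:
        return [], "callerIp missing: possibly a Google service not yet integrated with VPC Service Controls"
    try:
        ip = ipaddress.ip_address(caller_ip)
    except ValueError:
        return [], f"callerIp {caller_ip!r} is not an IP address"
    if any(ip in net for net in RFC1918):
        return [], f"callerIp {caller_ip} is private: possibly a Google service not yet integrated with VPC Service Controls"
    matches = [name for name, cidrs in access_levels.items()
               if any(ip in ipaddress.ip_network(c) for c in cidrs)]
    note = "callerIp matches an access level" if matches else "no access level CIDR range covers callerIp"
    return matches, note


def explain_denial(entry, access_levels):
    """Extract the fields each violation type in the list above depends on."""
    payload = entry["protoPayload"]
    meta = payload.get("metadata", {})
    req = payload.get("requestMetadata", {})
    reason = meta.get("violationReason", "UNKNOWN")
    result = {
        "unique_id": meta.get("vpcServiceControlsUniqueId"),
        "reason": reason,
        "service": payload.get("serviceName"),
        "method": payload.get("methodName"),
        "resource_names": meta.get("resourceNames", []),
    }
    if reason == "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER":
        result["hint"] = "check which perimeter each project in resource_names belongs to"
    elif reason == "NETWORK_NOT_IN_SAME_SERVICE_PERIMETER":
        result["caller_network"] = req.get("callerNetwork")
        result["hint"] = "check that the callerNetwork project and resource_names projects share a perimeter"
    elif reason == "NO_MATCHING_ACCESS_LEVEL":
        matches, note = classify_caller_ip(req.get("callerIp"), access_levels)
        result["caller_ip"] = req.get("callerIp")
        result["matched_access_levels"] = matches
        result["hint"] = note
    elif reason == "SERVICE_NOT_ALLOWED_FROM_VPC":
        result["hint"] = f"{payload.get('serviceName')} is not in the perimeter's VPC accessible services"
    else:
        result["hint"] = "violation type not covered by the troubleshooter"
    return result


if __name__ == "__main__":
    print(json.dumps(explain_denial(SAMPLE_ENTRY, ACCESS_LEVEL_CIDRS), indent=2))
```

Feed it an entry exported from the Logs Explorer as JSON, and replace ACCESS_LEVEL_CIDRS with the ranges from your own access levels; the RFC 1918 check is a deliberate simplification, since the page only says "appears to be a private IP address".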

Access control

To permit a user to troubleshoot a VPC Service Controls violation, assign the VPC Service Controls Troubleshooter Viewer role (roles/accesscontextmanager.vpcScTroubleshooterViewer). Because the VPC Service Controls page is only available at the Organization level, grant the role on the organization. This role is read-only: it does not allow users to change perimeters or access levels.

Accessing the VPC Service Controls Troubleshooter

The VPC Service Controls Troubleshooter is available only in the Google Cloud Console. There are two ways to access the VPC Service Controls Troubleshooter.

Using the Logs Explorer

Using the Logs Explorer, you can move directly from a log entry for a VPC Service Controls denial to the VPC Service Controls Troubleshooter.

To access the VPC Service Controls Troubleshooter from a log entry:

  1. In the Logs Explorer, use the denial's unique ID to find the log entry. The unique ID is the vpcServiceControlsUniqueIdentifier value included in the error message returned to the caller, so you can take it directly from the failed request and search the audit logs for it.

  2. In the Query Results box, in the row for the denial that you want to troubleshoot, click VPC Service Controls, and then click Troubleshoot denial.

Using the VPC Service Controls page

From the VPC Service Controls page, you can troubleshoot a denial using its unique ID.

Before you begin:

To access the VPC Service Controls Troubleshooter from the VPC Service Controls page:

  1. In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.


  2. If you are prompted, select your Organization. The VPC Service Controls page can only be accessed at the Organization level.

  3. At the top of the VPC Service Controls page, click Troubleshoot.

  4. On the VPC Service Controls Troubleshooter page, in the Unique identifier box, enter the unique ID for the denial that you want to troubleshoot.

  5. Click Troubleshoot.