VPC Service Controls log entries often contain data about denied requests to protected services, such as the resources being requested and the reason why access was denied. However, these details aren't always easily apparent, and users may need to spend considerable time understanding the logs. The VPC Service Controls Troubleshooter is a tool that enables security administrators to better understand and troubleshoot a denial that is caused by VPC Service Controls. Currently, the VPC Service Controls Troubleshooter helps diagnose three types of violations:
Violation | Description
---|---
RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER | Projects listed in the resourceNames field of the audit record are not in the same service perimeter.
NETWORK_NOT_IN_SAME_SERVICE_PERIMETER | Projects that correspond to the callerNetwork and the resourceNames fields of the audit record are not in the same service perimeter.
NO_MATCHING_ACCESS_LEVEL | Typically, the IP address corresponding to the caller does not satisfy any access level of the perimeter. If the caller IP address is missing or appears to be a private IP address, then this violation might be a Google Cloud service that is not yet integrated with VPC Service Controls trying to access a protected service and failing as expected.
Limitations for beta
The following limitations exist for the beta release of the VPC Service Controls Troubleshooter.
While 3 of the most common VPC Service Controls errors are supported by VPC Service Controls Troubleshooter, not all errors are covered by the beta. The following error cannot currently be reviewed using the VPC Service Controls Troubleshooter:
- SERVICE_NOT_ALLOWED_FROM_VPC
Not all VPC Service Controls-related errors are given a unique id. If an error does not have a unique id, it cannot be reviewed using the VPC Service Controls Troubleshooter.
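The violation table and the beta limitations above translate directly into a triage check an administrator can run over an exported denial entry before opening the Troubleshooter. The following Python is an added example, not part of Google's documentation or tooling; the JSON field paths (protoPayload.metadata.violationReason, vpcServiceControlsUniqueId, resourceNames, requestMetadata.callerIp and callerNetwork) and the sample entry are assumptions constructed for illustration.

```python
import ipaddress
import json

# The three violations the beta Troubleshooter can diagnose (table above).
TROUBLESHOOTABLE = {
    "RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER",
    "NETWORK_NOT_IN_SAME_SERVICE_PERIMETER",
    "NO_MATCHING_ACCESS_LEVEL",
}

# Constructed sample denial (not a real record); field paths are assumed.
SAMPLE_DENIAL = json.dumps({"protoPayload": {
    "metadata": {"violationReason": "NO_MATCHING_ACCESS_LEVEL",
                 "vpcServiceControlsUniqueId": "EXAMPLE-UNIQUE-ID-1",
                 "resourceNames": ["projects/111111111111"]},
    "requestMetadata": {"callerIp": "10.0.0.5"}}})

def caller_ip_missing_or_private(ip):
    """True when callerIp is absent, unparseable, or a private address."""
    if not ip:
        return True
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return True

def triage(entry_json):
    """Pull out what the Troubleshooter needs and decide whether it can help."""
    payload = json.loads(entry_json).get("protoPayload", {})
    meta, req = payload.get("metadata", {}), payload.get("requestMetadata", {})
    reason = meta.get("violationReason")
    result = {
        "reason": reason,
        "unique_id": meta.get("vpcServiceControlsUniqueId"),
        "resources": meta.get("resourceNames", []),
        "caller_ip": req.get("callerIp"),
        "caller_network": req.get("callerNetwork"),
        "notes": [],
    }
    if not result["unique_id"]:
        result["notes"].append("no unique id: Troubleshooter cannot review this denial")
    elif reason not in TROUBLESHOOTABLE:
        result["notes"].append(f"{reason} is not covered by the beta Troubleshooter")
    result["troubleshootable"] = not result["notes"]
    # Table caveat: a missing or private caller IP usually means an unintegrated Google service.
    if reason == "NO_MATCHING_ACCESS_LEVEL" and caller_ip_missing_or_private(result["caller_ip"]):
        result["notes"].append("caller IP missing or private: likely a Google Cloud service "
                               "not yet integrated with VPC Service Controls, failing as expected")
    return result
```

The unique id and project in the returned dictionary are exactly the two values the VPC Service Controls page asks for when you troubleshoot manually.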
Access control
To permit a user to troubleshoot a VPC Service Controls violation, you can assign the VPC Service Controls Troubleshooter Viewer role. This role does not allow users to make changes to perimeters or access levels.
Accessing the VPC Service Controls Troubleshooter
The VPC Service Controls Troubleshooter is available only in the Google Cloud Console. There are two ways to access the VPC Service Controls Troubleshooter.
Using the Logs Viewer (Preview)
Using the Logs Viewer (Preview), you can move directly from a log entry for a VPC Service Controls denial to the VPC Service Controls Troubleshooter.
To access the VPC Service Controls Troubleshooter from a log entry:
1. In the Logs Viewer (Preview), use the denial's unique id to access the log entry.
2. In the Query Results box, in the row for the denial that you want to troubleshoot, click VPC Service Controls, and then click Troubleshoot denial.
Using the VPC Service Controls page
From the VPC Service Controls page, you can troubleshoot a denial using a project path and unique id.
Before you begin:
- Obtain the unique id for the denial that you want to troubleshoot.
To access the VPC Service Controls Troubleshooter from the VPC Service Controls page:
1. In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.
2. If you are prompted, select your Organization. The VPC Service Controls page can only be accessed at the Organization level.
3. At the top of the VPC Service Controls page, click Troubleshoot.
4. On the VPC Service Controls Troubleshooter page, in the Unique identifier box, enter the unique id for the denial that you want to troubleshoot.
5. In the Project resource path box, click Browse, and then select the project that caused the denial.
6. Click Troubleshoot.