VPC Service Controls log entries often contain data about denied requests to protected services, such as the resources being requested and the reason why access was denied. However, these details aren't always easily apparent and can require users to spend considerable time understanding the logs. The VPC Service Controls Troubleshooter is a tool that enables security administrators to better understand and troubleshoot a denial that is caused by VPC Service Controls.
Currently, VPC Service Controls Troubleshooter helps diagnose the following types of violations:
| Violations | |
|---|---|
RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER
|
Projects listed in the resourceNames field of the audit
record are not in the same service perimeter.
|
NETWORK_NOT_IN_SAME_SERVICE_PERIMETER
|
Projects that correspond to the callerNetwork and the
resourceNames fields of the audit record are not in the
same service perimeter.
|
NO_MATCHING_ACCESS_LEVEL
|
Typically, the IP address corresponding to the If the caller IP address is missing or appears to be a private IP address, then this violation might be a Google Cloud service that is not yet integrated with VPC Service Controls trying to access a protected service and failing as expected. |
SERVICE_NOT_ALLOWED_FROM_VPC
|
The service being called is not allowed from a host using a private IP address, such as VM instances in a VPC network or clients in an on-premises network. |
Access control
To permit a user to troubleshoot a VPC Service Controls violation, you can assign
the VPC Service Controls Troubleshooter View role. This role does not allow users
to make changes to perimeters or access levels.
Accessing the VPC Service Controls Troubleshooter
The VPC Service Controls Troubleshooter is available only in the Google Cloud Console. There are two ways to access the VPC Service Controls Troubleshooter.
Using the Logs Explorer
Using the Logs Explorer, you can move directly from a log entry for a VPC Service Controls denial to the VPC Service Controls Troubleshooter.
To access the VPC Service Controls Troubleshooter from a log entry:
In the Logs Explorer, use the denial's unique ID to access the log entry.
In the Query Results box, in the row for the denial that you want to troubleshoot, click VPC Service Controls, and then click Troubleshoot denial.
Using the VPC Service Controls page
From the VPC Service Controls page, you can troubleshoot a denial using its unique ID.
Before you begin:
- Obtain the unique ID for the denial that you want to troubleshoot.
To access the VPC Service Controls Troubleshooter from the VPC Service Controls page:
In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.
If you are prompted, select your Organization. The VPC Service Controls page can only be accessed at the Organization level.
At the top of the VPC Service Controls page, click Troubleshoot.
On the VPC Service Controls Troubleshooter page, in the Unique identifier box, enter the unique ID for the denial that you want to troubleshoot.
Click Troubleshoot.