Using the VPC Service Controls Troubleshooter

VPC Service Controls log entries often contain data about denied requests to protected services, such as the resources being requested and the reason why access was denied. However, these details aren't always easy to find, and users may need to spend considerable time reading the logs to understand them. The VPC Service Controls Troubleshooter is a tool that enables security administrators to better understand and troubleshoot a denial caused by VPC Service Controls. Currently, the VPC Service Controls Troubleshooter helps diagnose three types of violations:

Violations

RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER
    Projects listed in the resourceNames field of the audit record are not in the same service perimeter.

NETWORK_NOT_IN_SAME_SERVICE_PERIMETER
    Projects that correspond to the callerNetwork and the resourceNames fields of the audit record are not in the same service perimeter.

NO_MATCHING_ACCESS_LEVEL
    Typically, the IP address in the callerIp field of the audit record does not match any CIDR range defined in the access levels for the service perimeter.

If the caller IP address is missing or appears to be a private IP address, then this violation might be a Google Cloud service that is not yet integrated with VPC Service Controls trying to access a protected service and failing as expected.

Limitations for beta

The following limitations exist for the beta release of the VPC Service Controls Troubleshooter.

  • While three of the most common VPC Service Controls errors are supported by the VPC Service Controls Troubleshooter, not all errors are covered by the beta. The following error cannot currently be reviewed using the VPC Service Controls Troubleshooter:

    • SERVICE_NOT_ALLOWED_FROM_VPC
  • Not all VPC Service Controls-related errors are given a unique id. If an error does not have a unique id, it cannot be reviewed using the VPC Service Controls Troubleshooter.

Access control

To permit a user to troubleshoot a VPC Service Controls violation, you can assign the VPC Service Controls Troubleshooter View role. This role does not allow users to make changes to perimeters or access levels.

Accessing the VPC Service Controls Troubleshooter

The VPC Service Controls Troubleshooter is available only in the Google Cloud Console. There are two ways to access the VPC Service Controls Troubleshooter.

Using the Logs Viewer (Preview)

Using the Logs Viewer (Preview), you can move directly from a log entry for a VPC Service Controls denial to the VPC Service Controls Troubleshooter.

To access the VPC Service Controls Troubleshooter from a log entry:

  1. In the Logs Viewer (Preview), locate the log entry for the denial, for example by querying for the denial's unique id.

  2. In the Query Results box, in the row for the denial that you want to troubleshoot, click VPC Service Controls, and then click Troubleshoot denial.

Using the VPC Service Controls page

From the VPC Service Controls page, you can troubleshoot a denial using a project path and unique id.

Before you begin:

To access the VPC Service Controls Troubleshooter from the VPC Service Controls page:

  1. In the Google Cloud Console navigation menu, click Security, and then click VPC Service Controls.


  2. If you are prompted, select your Organization. The VPC Service Controls page can only be accessed at the Organization level.

  3. At the top of the VPC Service Controls page, click Troubleshoot.

  4. On the VPC Service Controls Troubleshooter page, in the Unique identifier box, enter the unique id for the denial that you want to troubleshoot.

  5. In the Project resource path box, click Browse, and then select the project that caused the denial.

  6. Click Troubleshoot.