Diagnosing issues by using the VPC Service Controls troubleshooter

Stay organized with collections Save and categorize content based on your preferences.

This page describes how you can use the VPC Service Controls troubleshooter to understand and diagnose issues that VPC Service Controls logs.

VPC Service Controls logs include details about requests to protected resources and the reason why VPC Service Controls denied the request. However, these details aren't always easily apparent and you might spend considerable time understanding the logs. Security administrators can use the VPC Service Controls troubleshooter to diagnose denials from a service perimeter.

You can also use the troubleshooter to diagnose denials from a service perimeter that uses a dry-run configuration.

The troubleshooter helps diagnose the following types of violations:

Violation Description
RESOURCES_NOT_IN_SAME_SERVICE_PERIMETER Projects listed in the resourceNames field of the audit record are not in the same service perimeter.
NETWORK_NOT_IN_SAME_SERVICE_PERIMETER Projects that correspond to the callerNetwork and the resourceNames fields of the audit record are not in the same service perimeter.
NO_MATCHING_ACCESS_LEVEL

The IP address, device requirement, or user identity doesn't match any ingress rules or access levels assigned to the perimeter. For example, the IP address corresponding to the callerIp field of the audit record does not match any CIDR ranges defined in the access levels for the service perimeter.

If the caller IP address is missing or appears as an internal IP address, then this violation might be due to a Google Cloud service that is not integrated with VPC Service Controls. The Google Cloud service tries to access a protected service and fails as expected.

SERVICE_NOT_ALLOWED_FROM_VPC The VPC accessible services configuration of the service perimeter prevents access to the service from a network inside your service perimeter.

Before you begin

To troubleshoot a VPC Service Controls violation, make sure that you have the VPC Service Controls Troubleshooter Viewer IAM role (roles/accesscontextmanager.vpcScTroubleshooterViewer). This role doesn't let you modify perimeters or access levels.

Accessing the VPC Service Controls troubleshooter

The troubleshooter is available only in the Google Cloud console. You can access the troubleshooter using either the Logs Explorer or the VPC Service Controls page.

Using the Logs Explorer

By using the Logs Explorer, you can move directly from a log entry for a VPC Service Controls denial to the troubleshooter.

To access the troubleshooter from a log entry, do the following:

  1. Go to the Logs Explorer page in the Google Cloud console.

    Go to Logs Explorer

  2. In the Logs Explorer, use the denial's unique ID to access the log entry.

  3. In the Query Results box, in the row for the denial that you want to troubleshoot, click VPC Service Controls, and then click Troubleshoot denial.

Using the VPC Service Controls page

From the VPC Service Controls page, you can troubleshoot a denial using its unique ID.

Before you begin:

To access the troubleshooter from the VPC Service Controls page, do the following:

  1. In the Google Cloud console navigation menu, click Security, and then click VPC Service Controls.

    Go to VPC Service Controls

  2. If you are prompted, select your organization. You can access the VPC Service Controls page only at the organization level.

  3. On the VPC Service Controls page, click Troubleshoot.

  4. On the VPC Service Controls Troubleshooter page, in the Unique identifier box, enter the unique ID for the denial that you want to troubleshoot.

  5. Click Troubleshoot.

What's next