Ensure Legacy Networks Do Not Exist for Older Projects

In order to prevent use of legacy networks, a project should not have a legacy network configured. Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. Subnetworks cannot be created in a legacy network and are unable to switch from legacy to auto or custom subnet networks. Legacy networks can have an impact for high network traffic projects and are subject to a single point of contention or failure.

Risk Level: High
Cloud Entity: GCP VPC Network
CloudGuard Rule ID: D9.GCP.NET.31
Covered by Spectral: No
Category: Networking & Content Delivery


Network should not have isLegacy=true


Currently, Creation of legacy mode networks is deprecated. Please create a subnet mode network instead by removing the IPv4Range field and adding the autoCreateSubnetworks field to your network insert request.
For each Google Cloud Platform project:

  1. Follow the documentation on https://cloud.google.com/vpc/docs/using-legacy.
  2. Create a non-legacy network suitable for the organization's requirements.
  3. Delete the networks in the legacy mode.


  1. https://workbench.cisecurity.org/sections/507171/recommendations/827571

GCP VPC Network

A VPC network, sometimes just called a ���network,��� is a virtual version of a physical network, like a data center network. It provides connectivity for your Compute Engine virtual machine (VM) instances, Kubernetes Engine clusters, App Engine Flex instances, and other resources in your project.

Projects can contain multiple VPC networks. New projects start with a default network that has one subnet in each region (an auto mo

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5