New Cloud VPN Created

This alert occurs when Lacework detects a new Virtual Private Network (VPN) connection has been established in the Google Cloud environment.

A VPN is a secure and encrypted network connection that enables users to access private networks remotely. In Google Cloud, a cloud VPN lets you securely connect your on-premises or another cloud provider's network to your Google Cloud Virtual Private Cloud (VPC) network. This allows you to establish a secure and private communication channel between the networks.

Related policy: LW_AT_RESOURCE_172: Cloud VPN Created

Why this alert is important

A newly created cloud VPN connection can indicate that a new external network has been connected to your Google Cloud environment, which may pose a security risk. Detecting this operation can allow you to verify that the connection is legitimate and authorized and to ensure that appropriate security measures are in place to protect your Google Cloud resources.

Investigation

Follow these steps to investigate the alert:

  1. Check your Google Cloud logs to see if there are any suspicious activities related to the creation of the VPN. Look for events such as unauthorized access attempts, unusual login patterns, or other signs of suspicious activity.
  2. Determine where the new VPN connection is coming from. If the connection is not authorized, it could come from a compromised machine or an attacker attempting to access your Google Cloud environment.
  3. Check the details of the new VPN connection to ensure it is legitimate. Verify the source IP address, the encryption settings, and other relevant details.
  4. Monitor network traffic to and from the new VPN connection to look for signs of malicious activity. Check for unusual traffic patterns, such as large data transfers or traffic to known malicious domains.
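As an added example (not Lacework's or Google's code), steps 1 and 3 can be scripted over exported Cloud Audit Logs entries: the sketch below picks out VPN creation events and checks the creating principal, the peer IP, and the IKE version. The allowlists, the sample entries, and the assumption that the logged request carries the Compute Engine `peerIp` and `ikeVersion` fields are all illustrative.

```python
import ipaddress

# Constructed allowlists (assumptions): replace with your change-management data.
APPROVED_PRINCIPALS = {"netops-deployer@example-project.iam.gserviceaccount.com"}
APPROVED_PEER_NETS = [ipaddress.ip_network("203.0.113.0/28")]
# Assumed Compute Engine audit-log method suffixes for VPN resource creation.
VPN_CREATE = (".compute.vpnTunnels.insert", ".compute.vpnGateways.insert",
              ".compute.externalVpnGateways.insert")

def triage(entry):
    """Return findings for a VPN-creation audit entry, or None if unrelated."""
    payload = entry.get("protoPayload", {})
    if not payload.get("methodName", "").endswith(VPN_CREATE):
        return None
    findings = []
    who = payload.get("authenticationInfo", {}).get("principalEmail", "")
    if who not in APPROVED_PRINCIPALS:
        findings.append(f"unapproved principal: {who or 'unknown'}")
    request = payload.get("request", {})
    peer = request.get("peerIp")
    if peer is not None:
        try:
            known = any(ipaddress.ip_address(peer) in n for n in APPROVED_PEER_NETS)
        except ValueError:
            known = False  # a malformed address is treated as unknown
        if not known:
            findings.append(f"peer IP not in approved ranges: {peer}")
    # The value may be logged as a number or a string, so compare as text.
    if str(request.get("ikeVersion")) == "1":
        findings.append("tunnel negotiates IKEv1; confirm this is intended")
    return findings

def _entry(method, who, request):
    return {"protoPayload": {"methodName": method,
                             "authenticationInfo": {"principalEmail": who},
                             "request": request}}

# Constructed sample entries, shaped like Admin Activity audit records.
SAMPLE_ENTRIES = [
    _entry("v1.compute.vpnTunnels.insert",
           "netops-deployer@example-project.iam.gserviceaccount.com",
           {"name": "to-datacenter", "peerIp": "203.0.113.5", "ikeVersion": 2}),
    _entry("v1.compute.vpnTunnels.insert", "alice@example.com",
           {"name": "tmp-tunnel", "peerIp": "198.51.100.77", "ikeVersion": 1}),
    _entry("v1.compute.instances.insert", "alice@example.com", {"name": "vm-1"}),
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        result = triage(e)
        if result:
            print(e["protoPayload"]["request"]["name"], "->", "; ".join(result))
```

An empty list means the creation matched the allowlists; any findings are the details to verify by hand in step 3.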

Resolution

Resolving an unauthorized new cloud VPN creation in Google Cloud requires taking swift and decisive action to protect your environment, including:

  1. Revoke the VPN connection to prevent the attacker from accessing your Google Cloud environment through the VPN tunnel.
  2. Take steps to mitigate the issue, including patching vulnerabilities, updating security policies, and implementing additional security controls.
  3. Increase monitoring and alerting around new VPN connections to help prevent future unauthorized access attempts.
  4. Conduct a post-incident review to identify any gaps in your security posture and determine what steps you can take to prevent similar incidents.