VPC Network Route Changed
This alert occurs when Lacework detects a modification made to the route configuration of a Virtual Private Cloud (VPC) network.
Related policy: LW_AT_VPC_49: VPC Network Route Changed
Why this alert is important
Routes determine how traffic flows within a VPC network and out of it, so changes to them have security implications. An unauthorized route change can silently redirect traffic to a destination the network owner did not intend, or expose traffic to a party who should not see it. Detecting and monitoring route changes lets you catch such traffic diversion early and identify a potential security threat.
Route changes are also a common cause of network performance issues. Network administrators can use the logs generated by Cloud Logging (formerly Stackdriver) to see which routes changed and determine whether those changes are causing the problem.
Investigation
Follow these steps to investigate the alert:
- Check Cloud Logging (formerly Stackdriver) to determine who modified the VPC network route and when. Look for suspicious activity or unauthorized access to the Google Cloud console or API. Use filters to narrow your search to route insert and delete events and find the relevant log entries.
- Review the VPC network route configuration to determine what changes were made. Verify that the new routes or changes are valid and authorized. If you find any unauthorized routes or changes, delete them immediately.
- Check the firewall rules associated with the VPC network to see if any rules were changed or added. Verify that the new rules are valid and authorized. If you find any unauthorized rules, delete them immediately.
- Review network activity logs to see if there is any suspicious activity, such as unusual traffic patterns or unauthorized access attempts.
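The first two investigation steps (who changed the route, when, and what the new route does) can be worked through against the Admin Activity audit log. The following is an added example, not Lacework's or Google's code: it defines a Cloud Logging filter of the kind you would paste into the console or pass to `gcloud logging read`, then parses a few constructed audit-log entries (approximating the real `gce_route` audit log shape; field names are an assumption) and flags changes made by a principal outside an assumed allowlist of authorized deployers, or that install a default route pointing at an instance IP.

```python
"""Triage GCE route changes from Admin Activity audit log entries (added example)."""

# Cloud Logging filter for route inserts/deletes. Assumption: route changes are logged
# under resource.type "gce_route" with methodName ending in compute.routes.insert/delete.
ROUTE_CHANGE_FILTER = (
    'resource.type="gce_route" AND '
    'logName:"cloudaudit.googleapis.com%2Factivity" AND '
    '(protoPayload.methodName:"compute.routes.insert" OR '
    'protoPayload.methodName:"compute.routes.delete")'
)

# Constructed: principals that are expected to change routes (e.g. the IaC pipeline).
AUTHORIZED_PRINCIPALS = {"terraform-deployer@example-project.iam.gserviceaccount.com"}

# Possible next-hop fields in a route insert request body.
NEXT_HOP_KEYS = ("nextHopIp", "nextHopInstance", "nextHopGateway",
                 "nextHopIlb", "nextHopVpnTunnel", "nextHopPeering")

# Constructed sample entries, trimmed to the fields this triage uses.
SAMPLE_LOG_ENTRIES = [
    {"timestamp": "2024-05-01T09:12:03.000Z",
     "protoPayload": {
         "authenticationInfo": {"principalEmail": "terraform-deployer@example-project.iam.gserviceaccount.com"},
         "requestMetadata": {"callerIp": "203.0.113.10"},
         "methodName": "v1.compute.routes.insert",
         "resourceName": "projects/example-project/global/routes/app-to-nat",
         "request": {"destRange": "10.20.0.0/16",
                     "nextHopInstance": "projects/example-project/zones/us-central1-a/instances/nat-gw",
                     "priority": 800}}},
    {"timestamp": "2024-05-01T22:47:55.000Z",
     "protoPayload": {
         "authenticationInfo": {"principalEmail": "alice@example.com"},
         "requestMetadata": {"callerIp": "198.51.100.77"},
         "methodName": "v1.compute.routes.insert",
         "resourceName": "projects/example-project/global/routes/default-override",
         "request": {"destRange": "0.0.0.0/0", "nextHopIp": "10.128.0.5", "priority": 100}}},
    {"timestamp": "2024-05-01T22:49:10.000Z",
     "protoPayload": {
         "authenticationInfo": {"principalEmail": "alice@example.com"},
         "requestMetadata": {"callerIp": "198.51.100.77"},
         "methodName": "v1.compute.routes.delete",
         "resourceName": "projects/example-project/global/routes/to-onprem",
         "request": {}}},
]


def parse_route_event(entry):
    """Extract who/when/what from one audit log entry (delete requests carry no body)."""
    payload = entry["protoPayload"]
    request = payload.get("request", {})
    next_hop = next(((k, request[k]) for k in NEXT_HOP_KEYS if k in request), None)
    return {
        "time": entry["timestamp"],
        "principal": payload["authenticationInfo"]["principalEmail"],
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp", "unknown"),
        "action": payload["methodName"].rsplit(".", 1)[-1],      # "insert" / "delete"
        "route": payload["resourceName"].rsplit("/", 1)[-1],     # route name
        "dest_range": request.get("destRange"),
        "next_hop": next_hop,
    }


def triage(entries, authorized=AUTHORIZED_PRINCIPALS):
    """Return one finding per entry with the reasons (if any) it needs a human look."""
    findings = []
    for entry in entries:
        ev = parse_route_event(entry)
        reasons = []
        if ev["principal"] not in authorized:
            reasons.append("principal is not an authorized route deployer")
        if (ev["action"] == "insert" and ev["dest_range"] == "0.0.0.0/0"
                and ev["next_hop"] and ev["next_hop"][0] == "nextHopIp"):
            reasons.append("new default route sends all egress through an instance IP")
        ev["reasons"] = reasons
        ev["suspicious"] = bool(reasons)
        findings.append(ev)
    return findings


if __name__ == "__main__":
    print("Cloud Logging filter:\n  " + ROUTE_CHANGE_FILTER)
    for f in triage(SAMPLE_LOG_ENTRIES):
        flag = "REVIEW" if f["suspicious"] else "ok    "
        print(f"{flag} {f['time']} {f['principal']} ({f['caller_ip']}) "
              f"{f['action']} {f['route']} {f['dest_range'] or ''} {'; '.join(f['reasons'])}")
```

The allowlist is the key input: if routes are only ever changed by a pipeline identity, any change by a human principal is worth a ticket even when the new route looks harmless. Delete events carry no request body, so the route name must be taken from `resourceName`, as above.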
Resolution
Use the following steps to resolve an unauthorized change in the VPC network route:
- Remove the unauthorized routes using the Google Cloud console or the Cloud SDK command-line tool. Make sure that you delete only the unauthorized routes and not any valid routes.
- Check the firewall rules associated with the VPC network to see if any rules were changed or added. Verify that the new rules are valid and authorized. If you find any unauthorized rules, delete them immediately.
- Review the access permissions of all users who have access to the Google Cloud console or API. Check for any users with unauthorized access and revoke their permissions. Make sure that all user accounts have strong passwords and multi-factor authentication enabled.
- Enable VPC Flow Logs to capture network traffic metadata. This can help identify the unauthorized modification's source and any other suspicious activity.
- Change the credentials of any users who had access to the Google Cloud console or API at the time of the unauthorized modification. This can help to prevent future unauthorized access.
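The first resolution step warns against deleting valid routes along with the unauthorized ones. A safe way to do that is to compare the live route table with a known-good baseline and generate the delete commands for review rather than running them. The following is an added example, not Lacework's or Google's code: the live list is a constructed stand-in for `gcloud compute routes list --format=json` output, the baseline is an assumed export from your infrastructure-as-code, and the project name is a placeholder. Because GCE routes cannot be edited in place, a route whose name is in the baseline but whose attributes differ has been deleted and recreated, and is reported separately.

```python
"""Diff live GCE routes against an authorized baseline (added example)."""
import shlex

PROJECT = "example-project"  # placeholder

NEXT_HOP_KEYS = ("nextHopGateway", "nextHopNetwork", "nextHopIp", "nextHopInstance",
                 "nextHopIlb", "nextHopVpnTunnel", "nextHopPeering")

# Constructed: trimmed `gcloud compute routes list --format=json` output.
LIVE_ROUTES = [
    {"name": "default-route-1a2b3c4d5e6f7a8b", "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopGateway": "projects/example-project/global/gateways/default-internet-gateway"},
    {"name": "default-route-9f8e7d6c5b4a3f2e", "destRange": "10.128.0.0/20", "priority": 0,
     "nextHopNetwork": "projects/example-project/global/networks/prod-vpc"},
    {"name": "to-onprem", "destRange": "192.168.0.0/16", "priority": 1000,
     "nextHopVpnTunnel": "projects/example-project/regions/us-central1/vpnTunnels/onprem-tunnel"},
    {"name": "app-egress", "destRange": "10.20.0.0/16", "priority": 800,
     "nextHopIp": "10.128.0.9"},                       # recreated with a different next hop
    {"name": "default-override", "destRange": "0.0.0.0/0", "priority": 100,
     "nextHopIp": "10.128.0.5"},                       # not in the baseline at all
]

# Constructed: authorized routes exported from infrastructure-as-code.
AUTHORIZED_ROUTES = [
    {"name": "default-route-1a2b3c4d5e6f7a8b", "destRange": "0.0.0.0/0", "priority": 1000,
     "nextHopGateway": "projects/example-project/global/gateways/default-internet-gateway"},
    {"name": "default-route-9f8e7d6c5b4a3f2e", "destRange": "10.128.0.0/20", "priority": 0,
     "nextHopNetwork": "projects/example-project/global/networks/prod-vpc"},
    {"name": "to-onprem", "destRange": "192.168.0.0/16", "priority": 1000,
     "nextHopVpnTunnel": "projects/example-project/regions/us-central1/vpnTunnels/onprem-tunnel"},
    {"name": "app-egress", "destRange": "10.20.0.0/16", "priority": 800,
     "nextHopInstance": "projects/example-project/zones/us-central1-a/instances/nat-gw"},
    {"name": "to-partner", "destRange": "172.16.0.0/12", "priority": 1000,
     "nextHopVpnTunnel": "projects/example-project/regions/us-central1/vpnTunnels/partner-tunnel"},
]


def route_signature(route):
    """The attributes that define what a route does: destination, next hop, priority."""
    hop = next((f"{k}={route[k]}" for k in NEXT_HOP_KEYS if k in route), "none")
    return (route["destRange"], hop, route.get("priority", 1000))


def compare_routes(live, baseline, project=PROJECT):
    """Classify live routes against the baseline and build delete commands to review."""
    live_by_name = {r["name"]: r for r in live}
    base_by_name = {r["name"]: r for r in baseline}
    result = {"unauthorized": [], "recreated": [], "missing": [], "delete_commands": []}
    for name, route in live_by_name.items():
        if name not in base_by_name:
            result["unauthorized"].append(name)
        elif route_signature(route) != route_signature(base_by_name[name]):
            result["recreated"].append(name)
    # Routes expected by the baseline but gone from the live table (possibly deleted).
    result["missing"] = sorted(n for n in base_by_name if n not in live_by_name)
    for name in result["unauthorized"] + result["recreated"]:
        result["delete_commands"].append(
            f"gcloud compute routes delete {shlex.quote(name)} "
            f"--project={shlex.quote(project)} --quiet")
    return result


if __name__ == "__main__":
    report = compare_routes(LIVE_ROUTES, AUTHORIZED_ROUTES)
    for key in ("unauthorized", "recreated", "missing"):
        print(f"{key}: {report[key]}")
    print("Review before running:")
    for cmd in report["delete_commands"]:
        print("  " + cmd)
```

Routes reported as missing are not something to delete; they indicate a legitimate route that was removed and should be recreated from the baseline once the unauthorized changes are cleaned up.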