Ensure subnetworks enable Private Google Access and Flow Logs

Category

Controls

Medium

Applies to

Google Cloud

Coverage

1 query

Asset types

1 covered

Overview

Subnetwork-level hardening should include Private Google Access for workloads without external IP addresses and VPC Flow Logs for monitoring and forensic use.

Why this matters

Private Google Access lets workloads that have only internal IP addresses reach Google APIs and services without being given public IP exposure, while Flow Logs give network visibility during investigations.

What this control should detect

Subnetworks where either Private Google Access is disabled or VPC Flow Logs are disabled.

Remediation guidance

Google Cloud Remediation

Service-wide fix (recommended): make these subnet settings part of your Shared VPC or subnet provisioning standard so new private subnets are born compliant.

When to use service-wide remediation

Use the service-wide path when multiple projects or teams create subnetworks from the same platform patterns.

Google Cloud console

  1. Open VPC network -> VPC networks.
  2. Select the affected subnet.
  3. Enable Private Google Access.
  4. Enable Flow logs.
  5. Confirm the logging destination and retention model used by your organization.

Google Cloud CLI

Enable both settings on the subnet:

gcloud compute networks subnets update <subnet-name> \
  --region=<region> \
  --enable-private-ip-google-access \
  --enable-flow-logs

Validate the subnet and confirm that privateIpGoogleAccess and the flow-log settings now report enabled:

# --format limits the output to the fields this control checks
gcloud compute networks subnets describe <subnet-name> \
  --region=<region> \
  --format="yaml(privateIpGoogleAccess,enableFlowLogs,logConfig)"

Operational notes

  • Private Google Access is most useful for workloads that do not have external IP addresses but still need to reach Google APIs and services.
  • Flow Logs are not a packet capture. They are sampled connection metadata, which is still very useful for detection and incident response.
  • If you need more control over Flow Logs volume or metadata fields, tune the Flow Logs settings after enabling the feature.

References

  • https://cloud.google.com/vpc/docs/private-google-access
  • https://docs.cloud.google.com/vpc/docs/configure-private-google-access
  • https://docs.cloud.google.com/vpc/docs/flow-logs
  • https://cloud.google.com/vpc/docs/using-flow-logs

Query logic

These are the stored checks tied to this control.

Subnets without Private Google Access or Flow Logs

Connectors

Google Cloud

Covered asset types

Subnetwork

Expected check: eq [] (the control passes when the query returns an empty list, i.e. no subnetwork has either setting disabled)

{ subnetworks(where: { OR: [ { privateIpGoogleAccess: false }, { enableFlowLogs: false } ] }) { ...AssetFragment } }
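The stored query above flags a subnetwork when either setting is off, and the CLI section shows the fix for one subnet at a time. The script below is an added example, not Cyscale's code or part of its query engine: it applies the same OR condition offline to the JSON that gcloud prints for subnetworks and emits the page's update command for each non-compliant subnet. The embedded input is a constructed sample in the shape of `gcloud compute networks subnets list --format=json` with placeholder project and subnet names; the rule that logConfig.enable is checked first and the older top-level enableFlowLogs flag second, with a missing key treated as disabled, is an assumption made here.

```python
"""Offline check for 'Subnets without Private Google Access or Flow Logs'.

Usage:
    gcloud compute networks subnets list --format=json > subnets.json
    python check_subnets.py subnets.json
With no argument the constructed sample below is checked instead.
"""
from __future__ import annotations

import json
import sys
from typing import Any

# Constructed sample in the shape of `gcloud compute networks subnets list
# --format=json`. Project, network and subnet names are placeholders.
SAMPLE_SUBNETS_JSON = json.dumps([
    {   # compliant: both settings on
        "name": "app-subnet-a",
        "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1",
        "ipCidrRange": "10.10.0.0/24",
        "privateIpGoogleAccess": True,
        "enableFlowLogs": True,
        "logConfig": {"enable": True, "aggregationInterval": "INTERVAL_5_SEC", "flowSampling": 0.5},
    },
    {   # Private Google Access off, flow logs on
        "name": "db-subnet-b",
        "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/europe-west1",
        "ipCidrRange": "10.20.0.0/24",
        "privateIpGoogleAccess": False,
        "logConfig": {"enable": True},
    },
    {   # Private Google Access on, flow logs never configured (keys absent)
        "name": "legacy-subnet-c",
        "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/asia-east1",
        "ipCidrRange": "10.30.0.0/24",
        "privateIpGoogleAccess": True,
    },
])

# gcloud flag that turns each missing setting on (flags from the page's CLI section)
REMEDIATION_FLAGS = {
    "private-google-access": "--enable-private-ip-google-access",
    "flow-logs": "--enable-flow-logs",
}


def flow_logs_enabled(subnet: dict[str, Any]) -> bool:
    # Assumption: logConfig.enable is authoritative when present; otherwise the
    # older top-level enableFlowLogs flag is used. A missing key means disabled.
    log_config = subnet.get("logConfig") or {}
    if "enable" in log_config:
        return bool(log_config["enable"])
    return bool(subnet.get("enableFlowLogs", False))


def private_google_access_enabled(subnet: dict[str, Any]) -> bool:
    return bool(subnet.get("privateIpGoogleAccess", False))


def region_name(subnet: dict[str, Any]) -> str:
    # gcloud returns the region as a full resource URL; keep only the last segment
    return subnet.get("region", "").rstrip("/").split("/")[-1]


def find_noncompliant(subnets_json: str) -> list[dict[str, Any]]:
    """Return one finding per subnet where PGA or Flow Logs is disabled (same OR as the stored query)."""
    findings = []
    for subnet in json.loads(subnets_json):
        missing = []
        if not private_google_access_enabled(subnet):
            missing.append("private-google-access")
        if not flow_logs_enabled(subnet):
            missing.append("flow-logs")
        if missing:
            findings.append({"name": subnet["name"], "region": region_name(subnet), "missing": missing})
    return findings


def remediation_command(finding: dict[str, Any]) -> str:
    """Build the page's gcloud update command, enabling only what the subnet lacks."""
    parts = ["gcloud compute networks subnets update", finding["name"], f"--region={finding['region']}"]
    parts += [REMEDIATION_FLAGS[m] for m in finding["missing"]]
    return " ".join(parts)


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUBNETS_JSON
    results = find_noncompliant(data)
    if not results:
        print("all subnets compliant (query would return [])")
    for finding in results:
        print(f"{finding['name']} ({finding['region']}): missing {', '.join(finding['missing'])}")
        print("  " + remediation_command(finding))
```

An empty result corresponds to the control's expected check (eq []); anything else lists the subnet, the setting it lacks and the exact update command to run.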
© 2026 Cyscale Limited