Description:
To prevent use of the 'default' network, a project should not have a 'default' network.
Rationale:
The 'default' network has a preconfigured network configuration and automatically generates a set of insecure firewall rules.
These automatically created firewall rules are not audit logged and cannot be configured to enable firewall rule logging.
Furthermore, the default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses, and as a result, it's not possible to use Cloud VPN or VPC Network Peering with the default network.
Based on organization security and networking requirements, the organization should create a new network and delete the 'default' network.
Impact:
When an organization deletes the default network, it may need to migrate existing resources or services onto a new network.
Remediation:
From Google Cloud Console
Go to the 'VPC networks' page by visiting: https://console.cloud.google.com/networking/networks/list.
Click the network named 'default'.
On the network detail page, click 'EDIT'.
Click 'DELETE VPC NETWORK'.
If needed, create a new network to replace the default network.
From Google Cloud CLI
For each Google Cloud Platform project, delete the default network and, if needed, create a replacement (NETWORK_NAME is a placeholder for the new network's name):
gcloud compute networks delete default
gcloud compute networks create NETWORK_NAME
Prevention:
The user can prevent the default network and its insecure default firewall rules from being created by setting up an Organization Policy to 'Skip default network creation' at https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation.
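Added example (not CIS or Google code) tying the Remediation and Prevention steps together: it parses the JSON that gcloud prints to flag projects that still carry a 'default' network, checks whether the skipDefaultNetworkCreation policy is enforced, and emits the per-project remediation commands. It assumes gcloud is installed and authenticated for the live path; the field names are taken from the Compute API network resource and the v1 Org Policy resource, and the constructed sample data lets it run offline.

```python
# Added audit helper for this recommendation (not CIS or Google code). It parses the
# JSON gcloud prints: network fields follow the Compute API network resource, the policy
# shape the v1 Org Policy resource (assumed; verify against your gcloud version).
import json
import subprocess
from typing import Any, Dict, List

def gcloud_json(args: List[str]) -> Any:
    """Live path: run a gcloud command with --format=json and parse its output."""
    out = subprocess.run(["gcloud", *args, "--format=json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)

def default_network_findings(networks: List[Dict]) -> List[str]:
    """Describe every network named 'default' in `gcloud compute networks list` output."""
    findings = []
    for net in networks:
        if net.get("name") != "default":
            continue
        mode = "auto" if net.get("autoCreateSubnetworks") else "custom"
        subnets = len(net.get("subnetworks", []))
        findings.append(f"default network present ({mode} mode, {subnets} subnets)")
    return findings

def skip_default_enforced(policy: Dict) -> bool:
    """True when compute.skipDefaultNetworkCreation is enforced in the policy JSON."""
    return bool(policy.get("booleanPolicy", {}).get("enforced", False))

def remediation_commands(project: str, new_network: str) -> List[str]:
    """The Remediation section's CLI steps per project; custom subnet mode is our choice."""
    return [
        f"gcloud compute networks delete default --project {project}",
        f"gcloud compute networks create {new_network} --project {project} --subnet-mode custom",
    ]

# Constructed sample data standing in for live gcloud output.
SAMPLE_NETWORKS = [
    {"name": "default", "autoCreateSubnetworks": True,
     "subnetworks": ["regions/us-central1/subnetworks/default",
                     "regions/europe-west1/subnetworks/default"]},
    {"name": "prod-vpc", "autoCreateSubnetworks": False, "subnetworks": []},
]
SAMPLE_POLICY = {"constraint": "constraints/compute.skipDefaultNetworkCreation",
                 "booleanPolicy": {"enforced": False}}

if __name__ == "__main__":
    for finding in default_network_findings(SAMPLE_NETWORKS):
        print("FINDING:", finding)
    print("skipDefaultNetworkCreation enforced:", skip_default_enforced(SAMPLE_POLICY))
    print("\n".join(remediation_commands("my-project", "prod-vpc")))
```

To audit live, replace the samples with `gcloud_json(["compute", "networks", "list", "--project", PROJECT])` and `gcloud_json(["resource-manager", "org-policies", "describe", "compute.skipDefaultNetworkCreation", "--organization", ORG_ID])`.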