# Network Security

## Overview

HIPAA Technical Safeguard 45 CFR § 164.312(e) requires controls to protect PHI during electronic transmission. Network security isolates PHI systems from the public internet and limits exposure to only the connections that are necessary.

## 1. Network Architecture
```text
                 Internet
                    │
                    ▼
      [ Cloud Load Balancer ] ←── Cloud Armor WAF / DDoS
                    │ HTTPS (443)
                    ▼
      [ Cloud Run ] (private VPC via VPC Connector)
                    │
                    ├──── Private VPC (10.0.0.0/16)
                    │       │
                    │       ├── [ Cloud SQL Private IP ] (10.0.1.x)
                    │       │
                    │       └── [ Redis / Memorystore ] (10.0.2.x)
                    │
                    └──── Cloud NAT (outbound only, no public IPs on resources)
```
## 2. VPC Configuration

```bash
# Create custom VPC (not default)
gcloud compute networks create phi-vpc \
    --subnet-mode=custom --bgp-routing-mode=regional \
    --project=YOUR_PHI_PROJECT_ID

# App tier subnet
gcloud compute networks subnets create phi-app-subnet \
    --network=phi-vpc --region=us-central1 \
    --range=10.0.1.0/24 --enable-private-ip-google-access \
    --project=YOUR_PHI_PROJECT_ID

# Data tier subnet
gcloud compute networks subnets create phi-data-subnet \
    --network=phi-vpc --region=us-central1 \
    --range=10.0.2.0/24 --enable-private-ip-google-access \
    --project=YOUR_PHI_PROJECT_ID

# VPC Connector subnet (dedicated /28 required)
gcloud compute networks subnets create phi-connector-subnet \
    --network=phi-vpc --region=us-central1 \
    --range=10.0.3.0/28 --project=YOUR_PHI_PROJECT_ID

# Delete the default VPC
gcloud compute networks delete default --project=YOUR_PHI_PROJECT_ID
```
## 3. Firewall Rules

```bash
# Allow Cloud Run → Cloud SQL (only from the VPC Connector /28)
gcloud compute firewall-rules create allow-app-to-sql \
    --network=phi-vpc --direction=INGRESS --priority=1000 \
    --action=ALLOW --rules=tcp:5432 \
    --source-ranges=10.0.3.0/28 \
    --project=YOUR_PHI_PROJECT_ID

# Allow Cloud Run → Redis
# 6378 is the Memorystore port when in-transit encryption (TLS) is enabled;
# a non-TLS instance listens on 6379.
gcloud compute firewall-rules create allow-app-to-redis \
    --network=phi-vpc --direction=INGRESS --priority=1000 \
    --action=ALLOW --rules=tcp:6378 \
    --source-ranges=10.0.3.0/28 \
    --project=YOUR_PHI_PROJECT_ID

# Allow GCP health check IPs (Google's health checker source ranges)
gcloud compute firewall-rules create allow-health-checks \
    --network=phi-vpc --direction=INGRESS --priority=1000 \
    --action=ALLOW --rules=tcp:8080 \
    --source-ranges=35.191.0.0/16,130.211.0.0/22 \
    --project=YOUR_PHI_PROJECT_ID

# Deny SSH/RDP from internet
# Priority 900 beats the 1000 allow rules above (lower number wins),
# so no later allow rule can accidentally expose these ports.
gcloud compute firewall-rules create deny-ssh-rdp \
    --network=phi-vpc --direction=INGRESS --priority=900 \
    --action=DENY --rules=tcp:22,tcp:3389 \
    --source-ranges=0.0.0.0/0 \
    --project=YOUR_PHI_PROJECT_ID
```
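The rule set above only does its job if the priorities resolve the way you expect: the lowest priority number wins, a deny beats an allow at equal priority, and anything unmatched falls to the implied deny for ingress. The following Python example is added here and is not part of this guide or of Google's tooling. It evaluates ingress decisions against a rule list shaped like the output of `gcloud compute firewall-rules list --format=json` (the `RULES` list is a constructed sample mirroring the four rules above, reduced to the fields needed) and probes it with constructed source addresses to confirm each intended allow and deny.

```python
"""
Evaluate a GCP VPC firewall rule set the way the VPC does for ingress:
the matching rule with the lowest priority number wins, a deny wins a
tie with an allow, and unmatched ingress hits the implied deny.
RULES is a constructed sample in the field layout gcloud prints.
"""
import ipaddress

RULES = [
    {"name": "allow-app-to-sql", "priority": 1000, "direction": "INGRESS",
     "sourceRanges": ["10.0.3.0/28"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "allow-app-to-redis", "priority": 1000, "direction": "INGRESS",
     "sourceRanges": ["10.0.3.0/28"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["6378"]}]},
    {"name": "allow-health-checks", "priority": 1000, "direction": "INGRESS",
     "sourceRanges": ["35.191.0.0/16", "130.211.0.0/22"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
    {"name": "deny-ssh-rdp", "priority": 900, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}]},
]

IMPLIED_DENY = "implied-deny-ingress"  # label for GCP's default when nothing matches


def _port_in_spec(port, spec):
    """True if `port` falls in a gcloud port spec such as "5432" or "1024-65535"."""
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


def _rule_matches(rule, src_ip, proto, port):
    """Source range plus protocol/port match, for either allow or deny rules."""
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(r) for r in rule["sourceRanges"]):
        return False
    for entry in rule.get("allowed", []) + rule.get("denied", []):
        if entry["IPProtocol"] in (proto, "all"):
            ports = entry.get("ports")
            if not ports or any(_port_in_spec(port, s) for s in ports):
                return True
    return False


def evaluate_ingress(rules, src_ip, proto, port):
    """Return (verdict, rule_name) for one ingress packet into the VPC."""
    matches = [r for r in rules
               if r["direction"] == "INGRESS" and _rule_matches(r, src_ip, proto, port)]
    if not matches:
        return "DENY", IMPLIED_DENY
    # Lowest priority value first; at equal priority put deny ahead of allow.
    matches.sort(key=lambda r: (r["priority"], "denied" not in r))
    winner = matches[0]
    return ("DENY" if "denied" in winner else "ALLOW"), winner["name"]


def audit(rules):
    """Probe the rule set with constructed traffic this design must allow or refuse."""
    probes = {
        "connector_to_sql":   ("10.0.3.5", "tcp", 5432, "ALLOW"),
        "connector_to_redis": ("10.0.3.5", "tcp", 6378, "ALLOW"),
        "health_check":       ("35.191.10.20", "tcp", 8080, "ALLOW"),
        "internet_ssh":       ("203.0.113.7", "tcp", 22, "DENY"),
        "internet_rdp":       ("203.0.113.7", "tcp", 3389, "DENY"),
        "app_subnet_to_sql":  ("10.0.1.9", "tcp", 5432, "DENY"),  # only the connector may reach SQL
        "internet_sql":       ("203.0.113.7", "tcp", 5432, "DENY"),
    }
    results = {}
    for label, (src, proto, port, expected) in probes.items():
        verdict, by = evaluate_ingress(rules, src, proto, port)
        results[label] = (verdict, by, verdict == expected)
    return results


if __name__ == "__main__":
    for label, (verdict, by, ok) in audit(RULES).items():
        print(f"{'OK ' if ok else 'BAD'} {label:20s} {verdict:5s} via {by}")
```

Run it against a real export by replacing `RULES` with the parsed JSON from `gcloud compute firewall-rules list --format=json`; the `app_subnet_to_sql` probe is the one most worth keeping, since it proves that a resource in the app subnet cannot bypass the connector path to the database.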
## 4. Cloud NAT

```bash
gcloud compute routers create phi-router \
    --network=phi-vpc --region=us-central1 \
    --project=YOUR_PHI_PROJECT_ID

gcloud compute routers nats create phi-nat \
    --router=phi-router --region=us-central1 \
    --nat-all-subnet-ip-ranges --auto-allocate-nat-external-ips \
    --project=YOUR_PHI_PROJECT_ID
```
## 5. VPC Service Controls

```bash
# Add all PHI-relevant services to the perimeter
gcloud access-context-manager perimeters update phi-perimeter \
    --policy=YOUR_POLICY_ID \
    --add-restricted-services=\
storage.googleapis.com,\
sqladmin.googleapis.com,\
redis.googleapis.com,\
secretmanager.googleapis.com,\
cloudkms.googleapis.com,\
logging.googleapis.com
```
## 6. VPC Flow Logs

```bash
# Enable flow logs on the app subnet (repeat for phi-data-subnet and
# phi-connector-subnet so every tier is covered). 0.5 samples half of
# the flows, so treat the logs as evidence of presence, not of absence.
gcloud compute networks subnets update phi-app-subnet \
    --region=us-central1 \
    --enable-flow-logs \
    --logging-flow-sampling=0.5 \
    --logging-metadata=include-all \
    --project=YOUR_PHI_PROJECT_ID
```
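Flow logs are only useful if something reads them against the architecture's intent. The Python example below is added here and is not part of this guide or of Google's tooling: it parses VPC Flow Log entries as a Cloud Logging sink exports them (newline-delimited JSON with the `jsonPayload.connection` layout) and raises findings for the three things this design says must not happen: a data-tier port reached from outside the connector subnet, a public source reaching a private address other than Google's health checkers, and outbound traffic that is not HTTPS or is unusually large. The `SAMPLE_LOG` entries, the RFC 1918 "internal" definition and the `EGRESS_BYTES_ALERT` threshold are constructed assumptions for this design, not GCP defaults.

```python
"""
Detection pass over exported VPC Flow Log entries (one JSON object per line).
Ranges come from the architecture in this guide; thresholds are assumptions.
"""
import ipaddress
import json

CONNECTOR = ipaddress.ip_network("10.0.3.0/28")            # VPC Connector subnet
HEALTH_CHECKS = [ipaddress.ip_network("35.191.0.0/16"),
                 ipaddress.ip_network("130.211.0.0/22")]
INTERNAL = [ipaddress.ip_network(n) for n in                # RFC 1918; everything else is "outside"
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DATA_TIER_PORTS = {5432: "cloud-sql", 6378: "redis-tls"}    # 6378 = Memorystore with TLS
TCP = 6                                                      # flow logs carry the protocol number
EGRESS_BYTES_ALERT = 5_000_000                               # assumption: flag big outbound transfers

# Constructed sample: six entries in the shape a log sink delivers them.
SAMPLE_LOG = """\
{"jsonPayload":{"connection":{"src_ip":"10.0.3.4","src_port":50122,"dest_ip":"10.0.1.20","dest_port":5432,"protocol":6},"reporter":"DEST","bytes_sent":"48211","packets_sent":"63"},"timestamp":"2024-03-01T10:00:01Z"}
{"jsonPayload":{"connection":{"src_ip":"10.0.1.9","src_port":41000,"dest_ip":"10.0.1.20","dest_port":5432,"protocol":6},"reporter":"DEST","bytes_sent":"1200","packets_sent":"9"},"timestamp":"2024-03-01T10:00:05Z"}
{"jsonPayload":{"connection":{"src_ip":"35.191.4.8","src_port":33000,"dest_ip":"10.0.1.30","dest_port":8080,"protocol":6},"reporter":"DEST","bytes_sent":"300","packets_sent":"4"},"timestamp":"2024-03-01T10:00:07Z"}
{"jsonPayload":{"connection":{"src_ip":"198.51.100.23","src_port":52000,"dest_ip":"10.0.1.30","dest_port":8080,"protocol":6},"reporter":"DEST","bytes_sent":"900","packets_sent":"7"},"timestamp":"2024-03-01T10:00:09Z"}
{"jsonPayload":{"connection":{"src_ip":"10.0.1.30","src_port":44010,"dest_ip":"198.51.100.77","dest_port":443,"protocol":6},"reporter":"SRC","bytes_sent":"5000","packets_sent":"12"},"timestamp":"2024-03-01T10:00:11Z"}
{"jsonPayload":{"connection":{"src_ip":"10.0.1.30","src_port":44011,"dest_ip":"198.51.100.78","dest_port":9001,"protocol":6},"reporter":"SRC","bytes_sent":"7340000","packets_sent":"5200"},"timestamp":"2024-03-01T10:00:13Z"}
"""


def _in_any(ip, nets):
    return any(ip in n for n in nets)


def parse_flow_logs(text):
    """Turn exported NDJSON entries into flat dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        payload = entry["jsonPayload"]
        conn = payload["connection"]
        flows.append({
            "ts": entry.get("timestamp"),
            "src": ipaddress.ip_address(conn["src_ip"]),
            "dst": ipaddress.ip_address(conn["dest_ip"]),
            "dport": int(conn["dest_port"]),
            "proto": int(conn["protocol"]),
            "reporter": payload.get("reporter"),       # SRC or DEST side logged it
            "bytes": int(payload.get("bytes_sent", 0)),  # exported as a string
        })
    return flows


def detect(flows):
    """Return (rule, flow) findings; each rule maps to a checklist item."""
    findings = []
    for f in flows:
        src_internal = _in_any(f["src"], INTERNAL)
        dst_internal = _in_any(f["dst"], INTERNAL)
        # 1. Only the VPC Connector subnet may talk to Cloud SQL / Redis.
        if f["proto"] == TCP and f["dport"] in DATA_TIER_PORTS and f["src"] not in CONNECTOR:
            findings.append(("data-tier-client-outside-connector", f))
        # 2. A public source reaching a private address means something has a
        #    public IP or forwarding rule; Google's health checkers are the exception.
        if not src_internal and dst_internal and not _in_any(f["src"], HEALTH_CHECKS):
            findings.append(("public-ingress-to-private-resource", f))
        # 3. Outbound via Cloud NAT should be HTTPS only; anything else, or an
        #    unusually large transfer, deserves a look.
        if f["reporter"] == "SRC" and src_internal and not dst_internal:
            if f["dport"] != 443:
                findings.append(("egress-non-https", f))
            if f["bytes"] >= EGRESS_BYTES_ALERT:
                findings.append(("egress-large-transfer", f))
    return findings


def summarize(findings):
    """Count findings per rule for a daily report or dashboard."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, f in detect(parse_flow_logs(SAMPLE_LOG)):
        print(f"{f['ts']} {rule:36s} {f['src']} -> {f['dst']}:{f['dport']} {f['bytes']}B")
```

On the sample, the connector's own SQL connection and the Google health check pass clean, while the app-subnet client on 5432, the unknown public source on 8080 and the large non-HTTPS egress each produce a finding. Because the subnet samples at 0.5, a clean run says nothing about flows that were not sampled; raise the sampling rate on the data subnet if you rely on this for alerting.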
## 7. Network Security Checklist
| Control | Status |
|---|---|
| Custom VPC (not default) | [ ] |
| Private subnets for all services | [ ] |
| No public IPs on Cloud SQL | [ ] |
| No public IPs on Redis | [ ] |
| VPC Connector for Cloud Run | [ ] |
| Cloud NAT for outbound access | [ ] |
| Private Google Access enabled | [ ] |
| VPC Service Controls perimeter | [ ] |
| Cloud Armor WAF enabled | [ ] |
| VPC Flow Logs enabled | [ ] |
| SSH/RDP blocked from internet | [ ] |