Annual_Firewall_Review_Report



Annual Firewall Ruleset Review Report

Google Cloud Platform (GCP)

For Vanta Compliance



1. Review Coverage

The annual firewall review covered the following GCP firewall resources:

Firewalls Reviewed

  • VPC Network: [Insert VPC Name]
  • Subnets: [Insert Relevant Subnets]
  • Firewall rule sets within:
      • Compute Engine VPC firewall rules
      • GKE cluster network policies (if applicable)
      • Cloud SQL authorized networks (if applicable)
      • Serverless VPC Access connector firewall rules (if applicable)

Network Segments Examined

  • Production Network
  • Staging Network
  • Internal Services Network
  • Public-facing Services Network
  • Restricted Admin/Management Network (if applicable)


2. Ruleset Overview

  • Total Number of Rules Reviewed: __________________
  • Grouping of Rules for Review:
      • By Function: web traffic, database access, admin access, internal services
      • By Network Segment: production, staging, internal, restricted
      • By Application: web app, API service, internal automation, monitoring


3. Rule Descriptions (Representative Sample)

Below is a representative sample of reviewed firewall rules. A complete rule list is available upon request.
Rule ID               | Action | Source                                                          | Destination                                | Ports/Protocols | Description
----------------------|--------|-----------------------------------------------------------------|--------------------------------------------|-----------------|------------------------------------------------
allow-web-https       | Allow  | 0.0.0.0/0                                                       | Web server group                           | TCP/443         | Allows public HTTPS traffic to web applications
allow-internal-api    | Allow  | 10.0.0.0/16                                                     | API services                               | TCP/8080        | Internal microservice communication
deny-all-external-ssh | Deny   | 0.0.0.0/0                                                       | All VM instances                           | TCP/22          | Blocks SSH access from the public internet
allow-health-checks   | Allow  | Google health-check ranges (35.191.0.0/16, 130.211.0.0/22)      | Backend instances behind the load balancer | TCP/80, TCP/443 | Required for GCP-managed health-check probes
allow-sql-connections | Allow  | App Engine / Cloud Run (Serverless VPC Access connector range)  | Cloud SQL instances                        | TCP/5432        | Enables database connectivity from app services


4. Purpose / Justification for Rules

Examples

  • allow-web-https: Public HTTPS traffic is required for customer-facing services; only TCP/443 is exposed to the public internet.
  • allow-internal-api: Necessary for microservice-to-microservice communication within the private VPC; the source is limited to the internal CIDR 10.0.0.0/16.
  • deny-all-external-ssh: Blocks direct SSH from the internet. Administrative access must instead come through IAP TCP forwarding (Google's published source range 35.235.240.0/20), VPN, or a privileged-access workflow, each permitted by its own narrowly scoped allow rule. The deny is only effective if no allow rule with a smaller (higher-precedence) priority number opens TCP/22 from 0.0.0.0/0.
  • allow-health-checks: Mandatory for GCP load balancer health probes, which originate from Google's health-check ranges and reach the backend instances directly; without this rule backends are marked unhealthy and taken out of service.
  • allow-sql-connections: Allows database connections from App Engine and Cloud Run. VPC firewall rules match on IP range, network tag, or service account, so the source must be the Serverless VPC Access connector subnet that these services use, not the service name.


5. Compliance Status

Each rule was reviewed for compliance with organizational policy and industry best practices.
Rule ID               | Compliant? | Notes
----------------------|------------|------------------------------------------------------------------------------------------------
allow-web-https       | Yes        | Industry-standard exposure; HTTPS-only
allow-internal-api    | Yes        | Least privilege applied; internal CIDRs only
deny-all-external-ssh | Yes        | Aligned with secure-access policies; verified that no higher-precedence allow rule opens TCP/22 from the internet
allow-health-checks   | Yes        | Required for system reliability; source restricted to Google's health-check ranges
allow-all-egress      | Partial    | Overly permissive: permits egress to any destination; restrict to known, necessary external addresses (see Findings)


6. Findings & Recommendations

Modifications Needed

  • Restrict egress rules to known, necessary external addresses.
  • Enable Firewall Rules Logging on every allow rule that does not already have it, so rule hits are visible in Cloud Logging.
  • Apply network tags (or target service accounts) so rules can be grouped and traced to the workloads they protect.

Deletions

  • Remove unused rules:
      • [Insert Rule Name] appears unused according to Firewall Rules Logging / Firewall Insights hit counts.

Additions

  • Add an explicit low-priority deny-all ingress rule (e.g., priority 65534) with logging enabled in production; the implied deny rule cannot be logged, so an explicit rule is needed to see blocked traffic.
  • Add segmentation rules between staging and production environments.
  • Add explicit allow-lists for outbound dependency services.
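The Compliance Status and Findings sections above describe the checks a reviewer applies by hand: internet-reachable ports beyond HTTPS, allow rules without logging, unrestricted egress, and deny rules that are silently shadowed by a higher-precedence allow. The following script, added here as an illustration and not part of the original report template, applies those checks to a `gcloud compute firewall-rules list --format=json` export. The embedded `SAMPLE_RULES` list is constructed for the example (it mirrors the rules in this report and adds a hypothetical `legacy-allow-ssh` rule); the set of ports permitted from the internet and the severity labels are assumptions.

```python
"""Audit an exported GCP VPC firewall ruleset against the checks in this review.

Export:  gcloud compute firewall-rules list --format=json > rules.json
Run:     python audit_firewall_rules.py rules.json   (no argument: audits SAMPLE_RULES)
"""
import json
import sys
from dataclasses import dataclass

ANY_RANGES = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {80, 443}  # assumption: the only ports permitted from the public internet


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # HIGH, MEDIUM or INFO (labels are this example's convention)
    check: str
    detail: str


def port_ranges(specs):
    """Expand an 'allowed'/'denied' list into (protocol, lo, hi) tuples.
    A spec without 'ports' covers every port; ports look like '443' or '8000-8100'."""
    out = []
    for spec in specs or []:
        for p in spec.get("ports") or ["0-65535"]:
            lo, _, hi = p.partition("-")
            out.append((spec.get("IPProtocol", "all"), int(lo), int(hi or lo)))
    return out


def non_public_ports(ranges):
    """Ports in these ranges that are not in PUBLIC_OK_PORTS (wide ranges reported whole)."""
    bad = []
    for _, lo, hi in ranges:
        if hi - lo > 1024:
            bad.append(f"{lo}-{hi}")
        else:
            bad.extend(str(p) for p in range(lo, hi + 1) if p not in PUBLIC_OK_PORTS)
    return bad


def ports_overlap(a, b):
    return any((pa == pb or "all" in (pa, pb)) and la <= hb and lb <= ha
               for pa, la, ha in a for pb, lb, hb in b)


def audit(rules):
    """Return the Findings for a gcloud firewall-rules JSON export."""
    findings = []
    ingress_allows = [r for r in rules
                      if r.get("direction", "INGRESS") == "INGRESS" and r.get("allowed")]
    for r in rules:
        name, direction = r["name"], r.get("direction", "INGRESS")
        if r.get("disabled"):
            findings.append(Finding(name, "INFO", "disabled-rule", "disabled; confirm unused and delete"))
            continue
        if r.get("allowed") and not r.get("logConfig", {}).get("enable"):
            findings.append(Finding(name, "MEDIUM", "allow-without-logging",
                                    "enable Firewall Rules Logging on this allow rule"))
        src = set(r.get("sourceRanges", []))
        if direction == "INGRESS" and r.get("allowed") and src & ANY_RANGES:
            bad = non_public_ports(port_ranges(r["allowed"]))
            if bad:
                findings.append(Finding(name, "HIGH", "world-open-ingress",
                                        f"0.0.0.0/0 may reach ports {', '.join(bad)}"))
        if direction == "EGRESS" and r.get("allowed") and set(r.get("destinationRanges", [])) & ANY_RANGES:
            findings.append(Finding(name, "MEDIUM", "permissive-egress",
                                    "egress to any destination; restrict to known dependencies"))
        if direction == "INGRESS" and r.get("denied"):
            # A deny only takes effect if no allow with a smaller priority number matches first
            # (at equal priority GCP prefers the deny). Target tags and service accounts are not
            # compared here, so each hit is a candidate the reviewer must confirm.
            for a in ingress_allows:
                if a.get("priority", 1000) >= r.get("priority", 1000):
                    continue
                if not set(a.get("sourceRanges", [])) & (src | ANY_RANGES):
                    continue
                if ports_overlap(port_ranges(r["denied"]), port_ranges(a["allowed"])):
                    findings.append(Finding(name, "HIGH", "shadowed-deny",
                        f"allow rule {a['name']} (priority {a.get('priority', 1000)}) matches before this deny"))
    return findings


# Constructed sample export (not from a real project): the rules in this report plus a
# hypothetical legacy SSH allow that silently defeats deny-all-external-ssh.
SAMPLE_RULES = [
    {"name": "allow-web-https", "direction": "INGRESS", "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}], "logConfig": {"enable": True}},
    {"name": "allow-internal-api", "direction": "INGRESS", "priority": 1000, "sourceRanges": ["10.0.0.0/16"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}], "logConfig": {"enable": False}},
    {"name": "deny-all-external-ssh", "direction": "INGRESS", "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "tcp", "ports": ["22"]}], "logConfig": {"enable": True}},
    {"name": "legacy-allow-ssh", "direction": "INGRESS", "priority": 900, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "logConfig": {"enable": False}},
    {"name": "allow-health-checks", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["35.191.0.0/16", "130.211.0.0/22"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}], "logConfig": {"enable": True}},
    {"name": "allow-all-egress", "direction": "EGRESS", "priority": 65534, "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}], "logConfig": {"enable": False}},
]

if __name__ == "__main__":
    rules = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RULES
    order = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    for f in sorted(audit(rules), key=lambda f: (order[f.severity], f.rule)):
        print(f"{f.severity:<6} {f.rule:<24} {f.check:<22} {f.detail}")
```

Run against the sample, the script reports that deny-all-external-ssh is shadowed by legacy-allow-ssh, that legacy-allow-ssh exposes TCP/22 to the internet, that allow-all-egress permits unrestricted egress, and that three allow rules lack logging; allow-web-https and allow-health-checks produce no findings. The shadowing check deliberately ignores target tags and service accounts, so its results are leads for the reviewer to confirm in the console rather than a final verdict.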

7. Evidence

  • [Attach the exported firewall rule list for the reviewed VPC]
  • [Attach Firewall Rules Logging / hit-count evidence for any rule marked unused]

8. Reviewer Attestation

I certify that the annual firewall review was completed in accordance with organizational policy and industry best practices.
Reviewer Signature: ______________________________

Date: ______________________________