CoursesGCP securityNetwork & VPC Service Controls

Egress control & DNS

Default-deny outbound, Cloud NAT, DNS filtering.

Advanced30 min · lesson 5 of 15

Inbound filtering is everywhere; outbound is usually wide open — yet exfiltration and command-and-control both leave through egress. On GCP you have layered egress controls, and using them turns a silent breach into a blocked, logged event.

Constrain and inspect outbound

Write egress firewall rules that deny by default and allow only the destinations a workload legitimately needs, route all outbound through Cloud NAT so there is a single controlled path, and use Cloud DNS policies / DNS Firewall to block resolution of unapproved or known-malicious domains while logging every lookup. For deeper inspection, Secure Web Proxy and Cloud NGFW add TLS-aware egress filtering and IDS/IPS at the boundary.

default-deny egress with a narrow allow
# Deny all egress by default (high priority number = low precedence)...
gcloud compute firewall-rules create deny-all-egress \
--network=prod-vpc --direction=EGRESS --action=DENY --rules=all \
--destination-ranges=0.0.0.0/0 --priority=65534
# ...then allow only the approved destination range at higher precedence.
gcloud compute firewall-rules create allow-egress-apis \
--network=prod-vpc --direction=EGRESS --action=ALLOW --rules=tcp:443 \
--destination-ranges=199.36.153.8/30 --priority=1000 # restricted.googleapis.com

Detect what tries to leave

Under the controls, turn on VPC Flow Logs to reconstruct who talked to what during an incident, and DNS query logging to catch tunnelling — long, high-entropy subdomains and abnormal query volume to a single domain are how data escapes networks that block ordinary egress. Cloud IDS mirrors traffic to a Google-managed intrusion detection engine for signature-based detection of exfil and C2 patterns.

Layered GCP egress controls
restrict
default-deny egress rules
allow only approved destinations
Cloud NAT
single controlled outbound path
inspect + record
DNS Firewall + query logs
block bad names, log lookups
VPC Flow Logs / Cloud IDS
reconstruct + detect
Unrestricted egress is free C2 and exfiltration. Default-deny outbound is high-leverage and commonly missing.
Open egress is a ready-made C2 channel
If a compromised workload can open arbitrary outbound connections, the attacker already has exfiltration and command-and-control with no further privilege. Default-deny egress with a small allowlist closes that channel — prioritize it over almost any other network control.