Prisma Cloud Compute: GCP Connectivity error without defining custom network resources seen for Agentless scan

• Agentless scan is not reflecting any scan results for the GCP project.
• A Connectivity issue reflects for the GCP project under Manage > Accounts.
• Following error is seen in the console logs:

(agentless/orchestrator.go:635) agentless scan error for spec: {target="xxxx" hub="" region="xxxx" availabilityDomain=""} target identity: {xxxx  } hub identity: {  }: all scans were stopped due to connectivity issues target="xxxx" hub="" region="xxxx" availabilityDomain="" job="Scan" workerID="xxxx"

• Prisma Cloud Compute SaaS version
• Prisma Cloud Compute Self-hosted version 22.06 and above
• Agentless scan
• GCP

This issue can be encountered due to a Quota issue in the GCP project.

• Validate if a quota limit is the root cause by reviewing the GCP Logs. You should see an entry like the below:

{
    "protoPayload": {
      "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
      "status": {
        "code": 8,
        "message": "QUOTA_EXCEEDED",
        "details": [
          {
            "@type": "type.googleapis.com/google.protobuf.Struct",
            "value": {
              "quotaExceeded": {
                "metric": "SSD_TOTAL_GB",
                "limit": 1500,
                "resource": {
                  "resourceType": "DISK",
                  "resourceName": "prismacloud-scan-xxxx-prisma-agentless-scan-x",
                  "project": {
                    "canonicalProjectId": "xxxx"
                  },
                  "scope": {
                    "scopeType": "ZONE",
                    "scopeName": "xxxx"
                  }
                },
                "scope": {
                  "scopeType": "REGION",
                  "scopeName": "xxxx"
                },
                "metricName": "compute.googleapis.com/ssd_total_storage",
                "limitName": "SSD-TOTAL-GB-per-project-region"
              }
            }
          }
        ]
      },
      "authenticationInfo": {
        "principalEmail": "xxxx",
        "serviceAccountKeyName": "//iam.googleapis.com/projects/xxxx/serviceAccounts/xxxx/keys/xxxx",
        "principalSubject": "serviceAccount:xxxx"
      },
      "requestMetadata": {
        "callerIp": "xxxx",
        "callerSuppliedUserAgent": "google-api-go-client/0.5,gzip(gfe)",
        "requestAttributes": {},
        "destinationAttributes": {}
      },
      "serviceName": "compute.googleapis.com",
      "methodName": "v1.compute.instances.insert",
      "resourceName": "projects/xxxx/zones/xxxx/instances/prismacloud-scan-xxxx-prisma-agentless-scan",
      "request": {
        "@type": "type.googleapis.com/compute.instances.insert"
      }
    },
    "insertId": "xxxx",
    "resource": {
      "type": "gce_instance",
      "labels": {
        "project_id": "xxxx",
        "zone": "xxxx",
        "instance_id": "xxxx"
      }
    },
    "timestamp": "xxxx",
    "severity": "ERROR",
    "labels": {
      "compute.googleapis.com/root_trigger_id": "xxxx"
    },
    "logName": "projects/xxxx/logs/cloudaudit.googleapis.com%2Factivity",
    "operation": {
      "id": "xxxx",
      "producer": "compute.googleapis.com",
      "last": true
    },
    "receiveTimestamp": "xxxx"
  }

• The GCP Log should indicate which quota needs to be increased.
• Increase the applicable quota value as needed within GCP under "Quotas and System Limits".

If custom network resources are defined, validate the scanner is able to communicate back to the Prisma Cloud Console. If it's a SaaS deployment, reference the Prisma Cloud Console Prerequisites documentation for the required NAT gateway IP addresses.