Ensure no VM instances exist in default network.
Every GCP project comes with a default network with pre-populated firewall rules. A default network is suitable for getting started quickly, and for launching public instances for simple websites. But, if you need to host a complex multi-tier application or add more layers of security to your infrastructure it is a best practice to create non-default network with public, private subnets & demilitarized (DMZ) zones. This segregates the network based on their functionality, services, and security.
Ensure the default network does not have any VM instances.