Google Compute Subnetwork should have Private Google Access enabled

ID

gcp_compute_subnetwork_with_private_access_disabled

Severity

low

Vendor

GCP

Resource

Network

Tags

reachable

Description

Private Google Access is a feature that allows VM instances that have only internal IP addresses to reach Google APIs and services. Enable it on a subnetwork if you want the VM instances in that subnetwork to use Private Service Connect, a service that lets you connect to Google APIs and services using internal IP addresses instead of public IP addresses. Keeping this traffic off public IP addresses can improve network security and performance.

To fix it, set the private_ip_google_access property to yes.

Learn more about this topic at https://cloud.google.com/vpc/docs/private-google-access[Private Google Access | VPC | Google Cloud].

Examples

---
- name: create subnetwork
  google.cloud.gcp_compute_subnetwork:
    name: subnet
    region: us-west1
    network: "{{ network }}"
    ip_cidr_range: 172.16.0.0/16
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    # Private Google Access disabled: VMs with only internal IPs cannot reach Google APIs
    private_ip_google_access: no
    state: present

Mitigation / Fix

---
- name: create subnetwork
  google.cloud.gcp_compute_subnetwork:
    name: subnet
    region: us-west1
    network: "{{ network }}"
    ip_cidr_range: 172.16.0.0/16
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    # Private Google Access enabled: internal-IP VMs reach Google APIs privately
    private_ip_google_access: yes
    state: present
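The following is an added example, not part of this rule page or of the google.cloud Ansible collection: a small detection helper that applies the rule above to Ansible tasks, flagging every gcp_compute_subnetwork task whose private_ip_google_access is not enabled. It assumes the tasks have already been loaded from a playbook with yaml.safe_load (PyYAML), which is why the sample tasks below are Python literals mirroring the two examples on this page; it also assumes that an omitted key leaves Private Google Access disabled, which matches GCP's default for new subnetworks.

```python
"""Detection helper for gcp_compute_subnetwork_with_private_access_disabled.

Added example (not the rule page's or the collection's code). Assumes tasks
were loaded with yaml.safe_load, so bare yes/no are already Python bools.
"""
from typing import Any, Dict, List, Optional

# Both the FQCN and the short module name are accepted by Ansible.
MODULE_NAMES = {"google.cloud.gcp_compute_subnetwork", "gcp_compute_subnetwork"}

# Spellings Ansible accepts as booleans when they arrive as (quoted) strings.
TRUE_STRINGS = {"yes", "true", "on", "1"}
FALSE_STRINGS = {"no", "false", "off", "0"}


def to_bool(value: Any) -> Optional[bool]:
    """Normalise a YAML/Ansible boolean; None when it cannot be judged
    statically (e.g. a Jinja template such as "{{ pga_enabled }}")."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return bool(value)
    if isinstance(value, str):
        s = value.strip().lower()
        if s in TRUE_STRINGS:
            return True
        if s in FALSE_STRINGS:
            return False
    return None


def find_subnetwork_module(task: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the module arguments if this task uses gcp_compute_subnetwork."""
    for name in MODULE_NAMES:
        if isinstance(task.get(name), dict):
            return task[name]
    return None


def check_tasks(tasks: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per subnetwork task without Private Google Access.

    A missing key is reported too (assumption: it leaves GCP's default of
    disabled in place). Tasks that delete a subnet (state: absent) are skipped.
    """
    findings = []
    for task in tasks:
        args = find_subnetwork_module(task)
        if args is None:
            continue
        if args.get("state", "present") == "absent":
            continue
        if to_bool(args.get("private_ip_google_access")) is True:
            continue
        findings.append({
            "rule": "gcp_compute_subnetwork_with_private_access_disabled",
            "task": task.get("name", "<unnamed>"),
            "subnetwork": args.get("name"),
            "reason": ("private_ip_google_access not set"
                       if "private_ip_google_access" not in args
                       else "private_ip_google_access is not enabled"),
        })
    return findings


# Constructed sample tasks, as yaml.safe_load would return them: the page's
# non-compliant example, its fixed form, a task that omits the key, and noise.
SAMPLE_TASKS = [
    {"name": "create subnetwork",
     "google.cloud.gcp_compute_subnetwork": {
         "name": "subnet", "region": "us-west1", "ip_cidr_range": "172.16.0.0/16",
         "private_ip_google_access": False, "state": "present"}},
    {"name": "create subnetwork (fixed)",
     "google.cloud.gcp_compute_subnetwork": {
         "name": "subnet", "region": "us-west1", "ip_cidr_range": "172.16.0.0/16",
         "private_ip_google_access": True, "state": "present"}},
    {"name": "create subnetwork (key omitted)",
     "gcp_compute_subnetwork": {
         "name": "subnet-b", "region": "us-west1", "ip_cidr_range": "10.0.0.0/24"}},
    {"name": "unrelated task", "debug": {"msg": "hello"}},
]

if __name__ == "__main__":
    for f in check_tasks(SAMPLE_TASKS):
        print(f"{f['rule']}: task '{f['task']}' (subnet {f['subnetwork']}): {f['reason']}")
```

Run against a real playbook by replacing SAMPLE_TASKS with the task list from yaml.safe_load; values that are Jinja templates come back as None from to_bool and are reported, since a static check cannot prove them enabled.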