Instances must not have IP forwarding enabled

ID

gcp_ip_forwarding_enabled

Severity

low

Vendor

GCP

Resource

Network

Tags

reachable

Description

can_ip_forward is a per-instance flag that enables IP forwarding for a Google Cloud Compute Engine instance. With it set, the instance can send and receive packets whose source or destination IP address is not one of its own addresses, which is what lets a VM serve as the next hop of a custom VPC route.

Enabling can_ip_forward is a risk because it lets the instance act as a router or gateway for other instances or networks. A forwarding VM receives traffic that was never addressed to it, and if that VM is compromised the attacker can read, alter or redirect the traffic it relays and use it as a pivot between the networks it is attached to.

IP forwarding also disables the source and destination check that Google Cloud enforces by default. Normally the VPC drops packets leaving an instance with a source address the instance does not own, and does not deliver packets for addresses it does not own; with forwarding enabled the instance can emit spoofed packets and can be handed traffic destined for other hosts, so spoofing and hijacking become possible.

Therefore, you should only enable IP forwarding for an instance if you have a specific use case that requires it, such as building a VPN gateway or a NAT gateway, and that instance should be hardened and monitored accordingly.


To fix it, set the can_ip_forward property to no, or simply omit it, since the module defaults to false. Note that Compute Engine does not let you change this flag on an existing instance, so for a VM that was already created with forwarding enabled the fix in practice means recreating the instance.

Learn more about this topic at Enable IP forwarding for instances.

Examples

---
- name: create vm
  google.cloud.gcp_compute_instance:
    name: vm
    machine_type: n1-standard-1
    metadata:
      env: production
    labels:
      environment: production
    network_interfaces:
    - network: "{{ network }}"
      access_configs:
      - name: External NAT
        nat_ip: "{{ address }}"
        type: ONE_TO_ONE_NAT
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    can_ip_forward: yes   # enables IP forwarding; this is what the rule flags

Mitigation / Fix

---
- name: create vm
  google.cloud.gcp_compute_instance:
    name: vm
    machine_type: n1-standard-1
    metadata:
      env: production
    labels:
      environment: production
    network_interfaces:
    - network: "{{ network }}"
      access_configs:
      - name: External NAT
        nat_ip: "{{ address }}"
        type: ONE_TO_ONE_NAT
    zone: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    can_ip_forward: no   # forwarding disabled (the module default); omitting the key is equivalent
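The rule above is a static check on playbook text. As an added example, not code from the original page or from the google.cloud collection, the following Python script implements that check: it walks the tasks of an Ansible playbook, recognises the gcp_compute_instance module, and classifies can_ip_forward using the boolean spellings Ansible accepts (yes/true/on/1 and their negatives). An omitted key is treated as the module default (false), and a templated value such as "{{ var }}" is reported as unresolved rather than silently passed, because a linter cannot decide it. The embedded sample playbook is constructed for the example, and the script is a line-oriented scan rather than a full YAML parser, so it assumes tasks are written in the usual `- name:` form shown in the examples above.

```python
"""Flag Ansible gcp_compute_instance tasks that enable IP forwarding.

Added example; line-oriented scan of playbook text, not a full YAML parser.
"""
import re

# Boolean spellings Ansible (YAML 1.1) accepts. The module default for
# can_ip_forward is false, so an absent key is treated as disabled.
TRUE_VALUES = {"yes", "y", "true", "on", "1"}
FALSE_VALUES = {"no", "n", "false", "off", "0"}
MODULE_NAMES = {"google.cloud.gcp_compute_instance", "gcp_compute_instance"}

TASK_RE = re.compile(r"^(\s*)-\s+name:\s*(.*?)\s*$")      # '- name: ...' list item
MODULE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+):\s*$")      # 'some.module:' key with no value
FLAG_RE = re.compile(r"^\s*can_ip_forward:\s*(.*?)\s*$")  # the property under review


def classify_flag(raw):
    """Map the raw YAML scalar to 'enabled', 'disabled' or 'unresolved'."""
    value = raw.strip().strip("'\"").lower()
    if value in TRUE_VALUES:
        return "enabled"
    if value in FALSE_VALUES:
        return "disabled"
    return "unresolved"  # e.g. "{{ ip_forward }}": cannot be decided statically


def find_ip_forwarding(playbook_text):
    """Return (task_name, line_number, status) for each gcp_compute_instance
    task whose can_ip_forward is true ('enabled') or templated ('unresolved').

    Tasks with can_ip_forward: no, or with the key omitted, give no finding.
    The first '- name:' line fixes the indentation of the task list, so nested
    '- name:' items (e.g. access_configs entries) do not start a new task.
    """
    findings = []
    task = None          # state of the task currently being scanned
    task_indent = None   # indentation of the top-level task list

    def flush():
        if task and task["module"] and task["status"] != "disabled":
            findings.append((task["name"], task["line"], task["status"]))

    for lineno, line in enumerate(playbook_text.splitlines(), 1):
        m = TASK_RE.match(line)
        if m:
            indent = len(m.group(1))
            if task_indent is None:
                task_indent = indent
            if indent == task_indent:  # a new task, not a nested list item
                flush()
                task = {"name": m.group(2), "module": False,
                        "status": "disabled", "line": lineno}
                continue
        if task is None:
            continue
        m = MODULE_RE.match(line)
        if m and m.group(1) in MODULE_NAMES:
            task["module"] = True
            continue
        m = FLAG_RE.match(line)
        if m:
            task["status"] = classify_flag(m.group(1))
            task["line"] = lineno  # report the line carrying the flag
    flush()
    return findings


# Constructed sample playbook (hypothetical task and resource names).
SAMPLE_PLAYBOOK = """\
---
- name: router vm
  google.cloud.gcp_compute_instance:
    name: router
    machine_type: n1-standard-1
    network_interfaces:
    - network: "{{ network }}"
      access_configs:
      - name: External NAT
        type: ONE_TO_ONE_NAT
    zone: us-central1-a
    project: test_project
    state: present
    can_ip_forward: True

- name: app vm
  google.cloud.gcp_compute_instance:
    name: app
    machine_type: n1-standard-1
    zone: us-central1-a
    project: test_project
    state: present
    can_ip_forward: no

- name: db vm
  google.cloud.gcp_compute_instance:
    name: db
    machine_type: n1-standard-1
    zone: us-central1-a
    project: test_project
    state: present

- name: templated vm
  google.cloud.gcp_compute_instance:
    name: edge
    machine_type: n1-standard-1
    zone: us-central1-a
    project: test_project
    state: present
    can_ip_forward: "{{ enable_forwarding }}"

- name: firewall rule, not an instance
  google.cloud.gcp_compute_firewall:
    name: allow-ssh
    project: test_project
    state: present
"""

if __name__ == "__main__":
    for name, lineno, status in find_ip_forwarding(SAMPLE_PLAYBOOK):
        print(f"gcp_ip_forwarding_enabled: task '{name}' line {lineno}: {status}")
```

Run against the two examples on this page, the first task is reported as enabled and the mitigated one is not. A templated value is worth surfacing as its own finding: the right remediation there is either to resolve the variable in the scan or to require an explicit literal for this property.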