Compute Engine – Disable IP Forwarding
This check ensures that IP forwarding is disabled on Compute Engine VM instances to prevent unintended packet routing and potential data exposure.
Check Details
- Resource: Compute Engine VM Instance
- Check: Disable IP forwarding
- Risk: Enabling IP forwarding can allow a VM instance to act as a router, which may lead to unintended traffic routing, data leakage, or misuse of network resources.
Remediation via Google Cloud Console
The canIpForward setting can only be configured at instance creation time. To remediate this issue, the affected instance must be deleted and recreated with IP forwarding disabled.
- Navigate to the VM Instances page in the Google Cloud Console: https://console.cloud.google.com/compute/instances
- Select the VM instance that has IP forwarding enabled.
- Click Delete and confirm the deletion.
- On the VM Instances page, click CREATE INSTANCE.
- Create a new VM instance with the required configuration. By default, IP forwarding is disabled for new instances.
Remediation via Google Cloud CLI
- Open the Google Cloud Console and click the Cloud Shell icon (>_) in the top-right corner.
- Delete the affected VM instance:
  gcloud compute instances delete <INSTANCE_NAME>
- Create a new VM instance to replace it. By default, IP forwarding is disabled:
  gcloud compute instances create <NEW_INSTANCE_NAME>
Replace <INSTANCE_NAME> and <NEW_INSTANCE_NAME> with the appropriate Compute Engine instance names.
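To find every instance that fails this check before deleting and recreating anything, the following added example (not part of the original article) evaluates the canIpForward field over the JSON that `gcloud compute instances list --format=json` emits; the instance records embedded below are constructed sample data, and `audit_project` is an assumed helper name that runs the real command.

```python
"""Audit Compute Engine instances for IP forwarding (canIpForward).

Added example, not code from the original article. Instances that omit the
field are treated as disabled, matching the Compute Engine default.
"""
import json
import subprocess

# Constructed sample in the shape of `gcloud compute instances list --format=json`.
# Real output carries many more fields; only name, zone and canIpForward matter here.
SAMPLE_OUTPUT = json.dumps([
    {"name": "web-1", "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a", "canIpForward": False},
    {"name": "nat-gw", "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-b", "canIpForward": True},
    {"name": "legacy-0", "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/europe-west1-c"},
])


def instances_with_ip_forwarding(instances_json: str) -> list[dict[str, str]]:
    """Return [{name, zone}] for every instance whose canIpForward is true."""
    findings = []
    for inst in json.loads(instances_json):
        if inst.get("canIpForward", False) is True:
            # The zone field is a full resource URL; keep only the zone name.
            zone = inst.get("zone", "").rsplit("/", 1)[-1]
            findings.append({"name": inst["name"], "zone": zone})
    return findings


def audit_project(project: str) -> list[dict[str, str]]:
    """Assumed helper: run gcloud for one project and evaluate the check."""
    result = subprocess.run(
        ["gcloud", "compute", "instances", "list", f"--project={project}", "--format=json"],
        check=True, capture_output=True, text=True,
    )
    return instances_with_ip_forwarding(result.stdout)


if __name__ == "__main__":
    for f in instances_with_ip_forwarding(SAMPLE_OUTPUT):
        print(f"FAIL {f['name']} ({f['zone']}): canIpForward=true; "
              "delete and recreate the instance with IP forwarding disabled")
```

Each FAIL line names an instance to replace with the console or CLI steps above.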
Default Value
By default, Google Cloud Compute Engine VM instances are created with IP forwarding disabled.