Ensure IP forwarding on instances is disabled

Error: IP forwarding on instances is enabled

Bridgecrew Policy ID: BC_GCP_NETWORKING_12
Checkov Check ID: CKV_GCP_36
Severity: MEDIUM

Description

By default, a Compute Engine instance cannot forward a packet unless the packet's source IP address matches the instance's IP address, and GCP will not deliver a packet whose destination IP address differs from the IP address of the instance receiving it. Both capabilities are required when an instance is used to help route packets.

To keep these source and destination IP checks in place, leave the canIpForward field disabled. When canIpForward is enabled, the instance is allowed to send and receive packets whose source or destination IP does not match its own.

We recommend that packet forwarding be disabled to prevent data loss and information disclosure.

Fix - Runtime

GCP Console

The canIpForward setting can only be edited at instance creation time. It is recommended to delete the instance and create a new one with canIpForward set to False.

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to VM instances.
  3. Select the VM Instance to remediate.
  4. Click Delete.
  5. On the VM Instances page, click CREATE INSTANCE.
  6. Create a new instance with the desired configuration.

Note: By default, a new instance is configured to not allow IP forwarding.

CLI Command

  1. To delete an instance, use the following command:
    gcloud compute instances delete INSTANCE_NAME

  2. To create a new instance to replace it with IP forwarding set to Off, use the following command (IP forwarding stays off unless the --can-ip-forward flag is passed explicitly):
    gcloud compute instances create INSTANCE_NAME

Fix - Buildtime

Terraform

  • Resource: google_compute_instance
  • Argument: can_ip_forward
    By default set to false.
resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"
- can_ip_forward = true   # remove this line (or set it to false); the default is false
}
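An added example (not code from this page or from the Checkov project) of the logic behind this check in Python, covering both the build-time Terraform attribute and a runtime audit over the JSON that `gcloud compute instances list --format=json` emits. All sample data below is constructed; the instance names and the parsed-attribute shape are assumptions.

```python
"""Audit helpers for the IP-forwarding check (CKV_GCP_36 / BC_GCP_NETWORKING_12).

Added example, not part of the policy page or of Checkov. Two checks are shown:
one over a google_compute_instance block's parsed attributes (build time) and
one over `gcloud compute instances list --format=json` output (runtime).
"""
import json


def check_terraform_instance(attrs: dict) -> str:
    """Return 'PASSED' or 'FAILED' for one google_compute_instance block.

    can_ip_forward defaults to false when omitted, so only an explicit true fails.
    """
    return "FAILED" if attrs.get("can_ip_forward") is True else "PASSED"


def forwarding_enabled_instances(gcloud_json: str) -> list:
    """Return the names of instances whose canIpForward flag is true.

    A missing key is treated as disabled, matching the API default.
    """
    return [inst["name"] for inst in json.loads(gcloud_json)
            if inst.get("canIpForward") is True]


# Constructed sample: two resource blocks in the shape an HCL parser might return.
TF_SAMPLES = {
    "default": {"name": "test", "machine_type": "n1-standard-1",
                "zone": "us-central1-a", "can_ip_forward": True},
    "fixed": {"name": "test", "machine_type": "n1-standard-1",
              "zone": "us-central1-a"},
}

# Constructed sample: trimmed `gcloud compute instances list --format=json` output.
GCLOUD_SAMPLE = json.dumps([
    {"name": "router-1", "zone": "zones/us-central1-a", "canIpForward": True},
    {"name": "web-1", "zone": "zones/us-central1-a"},
    {"name": "db-1", "zone": "zones/us-central1-b", "canIpForward": False},
])

if __name__ == "__main__":
    for label, attrs in TF_SAMPLES.items():
        print(f"google_compute_instance.{label}: {check_terraform_instance(attrs)}")
    print("instances with IP forwarding enabled:",
          forwarding_enabled_instances(GCLOUD_SAMPLE))
```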