Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Check for Unrestricted Outbound Network Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Google Cloud functions are not configured to allow unrestricted outbound network access in order to prevent security vulnerabilities and minimize cloud costs. To ensure that your function's outbound traffic is restricted to internal IP ranges and can't communicate with external networks or the public Internet, set the VpcConnectorEgressSettings parameter to PRIVATE_RANGES_ONLY.

Security

Malicious actors can exploit unrestricted outbound network access to exfiltrate sensitive data, launch attacks such as Man-In-The-Middle (MITM) and Denial-of-Service (DoS) attacks, or incur unexpected charges. Limiting network access to only necessary resources helps mitigate these risks.

Audit

To determine if your Google Cloud functions allow unrestricted outbound network access, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Functions console available at https://console.cloud.google.com/functions/ to list the Google Cloud functions deployed for the selected GCP project.

04 Click on the name (link) of the function that you want to examine, listed in the Name column.

05 Select the DETAILS tab and check the VPC connector attribute value, under Networking Settings. If the VPC connector attribute does not have a value, there is no serverless VPC access connector configured for your function, therefore, all outgoing traffic go through the public Internet, allowing unrestricted access. If the function is configured with a serverless VPC access connector, check the VPC connector egress routing value. If VPC connector egress routing is set to All traffic, the selected Google Cloud function is configured to allow unrestricted outbound network access.

06 Repeat steps no. 4 and 5 for each Google Cloud function created for the selected GCP project.

07 Repeat steps no. 2 - 6 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account: 

gcloud projects list
	--format="value(projectId)"

02 The command output should return the requested GCP project ID(s): 

cc-bigdata-project-123123
cc-iot-app-project-112233

03 Run functions list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each Google Cloud function deployed within the selected project: 

gcloud functions list
	--project cc-bigdata-project-123123
	--format="(NAME,REGION)"

04 The command output should return the requested function names and the associated regions: 

NAME: cc-project5-function
REGION: us-central1

NAME: tm-stream-function
REGION: us-central1

NAME: tm-vertex-function
REGION: us-central1

05 Run functions describe command (Windows/macOS/Linux) with the name of the Google Cloud function that you want to examine as the identifier parameter, to describe the egress (outbound) network settings configured for the selected function: 

gcloud functions describe cc-project5-function
	--region=us-central1
	--format="json(serviceConfig.vpcConnectorEgressSettings)"

06 The command output should return the requested egress network settings: 

{
	"serviceConfig": {
		"vpcConnectorEgressSettings": "ALL_TRAFFIC"
	}
}

If the functions describe command output returns null, there is no serverless VPC access connector configured for your function, therefore, all outgoing traffic go through the public Internet, allowing unrestricted access. If the command output returns "ALL_TRAFFIC" for the "vpcConnectorEgressSettings" attribute, as shown in the example above, the selected Google Cloud function is configured to allow unrestricted outbound network access.

07 Repeat steps no. 5 and 6 for each Google Cloud function created for the selected GCP project.

08 Repeat steps no. 3 – 6 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To ensure that your Google Cloud function's outbound traffic is restricted to internal IP ranges and can't communicate with external networks or the public Internet, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Functions console available at https://console.cloud.google.com/functions/ to list the Google Cloud functions deployed for the selected GCP project.

04 Click on the name (link) of the function that you want to configure, listed in the Name column.

05 Choose EDIT, expand the Runtime, build, connections and security settings configuration panel, select the CONNECTIONS tab, and perform the following actions:

  1. For Egress settings, ensure that Network is set to a serverless VPC access connector. Follow the steps outlined on this page to set up a VPC access connector.
  2. Select the Route only requests to private IPs through the VPC connector option to restrict the function's outbound traffic to internal IP ranges only.
  3. Choose NEXT and DEPLOY to apply the changes and deploy a new revision for the selected function.

06 Repeat steps no. 4 and 5 for each Google Cloud function that you want to configure, available within the selected project.

07 Repeat steps no. 2 – 6 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Ensure that a VPC network or a serverless VPC access connector is configured for your function. Follow the steps outlined on this page to configure your VPC access connector.

02 Run functions deploy command (Windows/macOS/Linux) to redeploy your VPC-enabled function in order to prevent unrestricted outbound network access. To restrict the function's outbound traffic to internal IP ranges only, set the --egress-settings parameter to private-ranges-only, as shown in the example below: 

gcloud functions deploy cc-project5-function
	--source=gs://gcf-v2-sources-123456789012-us-central1/cc-project5-function/function-source.zip
	--region=us-central1
	--runtime=nodejs20
	--trigger-http
	--egress-settings=private-ranges-only

03 The command output should return the build information available for the redeployed function: 

buildConfig:
	automaticUpdatePolicy: {}
	build: projects/123456789012/locations/us-central1/builds/abcd1234-abcd-1234-abcd-1234abcd1234abcd
	dockerRegistry: ARTIFACT_REGISTRY
	dockerRepository: projects/cc-bigdata-project-123123/locations/us-central1/repositories/gcf-artifacts
	entryPoint: run-app
	runtime: nodejs20
	source:
	storageSource:
		bucket: gcf-v2-sources-123456789012-us-central1
		generation: '1730285369954566'
		object: cc-project5-function/function-source.zip
	sourceProvenance:
	resolvedStorageSource:
		bucket: gcf-v2-sources-123456789012-us-central1
		generation: '1730285369954566'
		object: cc-project5-function/function-source.zip
createTime: '2024-10-28T09:49:12.051881848Z'
environment: GEN_2
labels:
	deployment-tool: console-cloud
name: projects/cc-bigdata-project-123123/locations/us-central1/functions/cc-project5-function
serviceConfig:
	allTrafficOnLatestRevision: true
	availableCpu: 167m
	availableMemory: 256Mi
	environmentVariables:
	LOG_EXECUTION_ID: 'true'
	ingressSettings: ALLOW_ALL
	minInstanceCount: 3
	maxInstanceCount: 10
	maxInstanceRequestConcurrency: 1
	revision: cc-project5-function-00003-abc
	service: projects/cc-bigdata-project-123123/locations/us-central1/services/cc-project5-function
	serviceAccountEmail: 123456789012-compute@developer.gserviceaccount.com
	timeoutSeconds: 60
	uri: https://cc-project5-function-abcd1234abcd-uc.a.run.app
state: ACTIVE
updateTime: '2024-10-28T10:50:15.176254527Z'
url: https://us-central1-cc-bigdata-project-123123.cloudfunctions.net/cc-project5-function

04 Repeat steps no. 1 - 3 for each Google Cloud function that you want to configure, available in the selected project.

05 Repeat steps no. 1 – 4 for each GCP project deployed in your Google Cloud account.

References

Publication date Nov 21, 2024

Related CloudFunction rules