Limit NAT to Specific Subnets Only

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Google Cloud NAT gateways are mapped only to specific VPC subnets to maintain controlled and secure outbound Internet access, minimize unintended traffic exposure, and optimize resource usage within your network design. This promotes network isolation and ensures adherence to your organization's stringent compliance requirements. The VPC subnets authorized to use Cloud NAT must be defined in the conformity rule settings, in your Trend Cloud One™ – Conformity account.

Security

Limiting Cloud NAT gateways to specific VPC subnets enhances security by restricting Internet access to only necessary resources. This prevents unauthorized outbound traffic and reduces the attack surface. Additionally, it optimizes resource utilization and cost-efficiency by allocating NAT gateway capacity based on subnet-specific needs.


Audit

To determine if your Google Cloud NAT gateways are mapped to specific, compliant VPC subnets only, perform the following operations:

Using GCP Console

01 Sign in to your Trend Cloud One™ account to access the Limit NAT to Specific Subnets Only rule settings and identify the VPC subnets authorized to use Cloud NAT.

02 Sign in to the Google Cloud Management Console.

03 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

04 Navigate to Cloud NAT console available at https://console.cloud.google.com/net-services/nat.

05 Click on the name (link) of the Cloud NAT gateway that you want to examine, listed in the Gateway name column.

06 Select the DETAILS tab to view the configuration information available for the selected NAT gateway.

07 In the Cloud NAT mapping section, check the VPC subnets associated with your NAT gateway, listed next to Source subnets & IP ranges. If any subnets mapped to your gateway are not defined in the conformity rule settings (identified in step 1), the selected Cloud NAT gateway is not limited to specific VPC subnets. Consequently, your Cloud NAT configuration is not compliant.

08 Repeat steps no. 5 - 7 for each Cloud NAT gateway created for the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Sign in to your Trend Cloud One™ account to access the Limit NAT to Specific Subnets Only rule settings and identify the VPC subnets authorized to use Cloud NAT.

02 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list
	--format="value(projectId)"

03 The command output should return the requested GCP project identifiers (IDs):

cc-project5-123123
cc-ai-project-123123

04 Run compute networks list command (Windows/macOS/Linux) with custom output filters to list the name of each VPC network created for the selected GCP project:

gcloud compute networks list
	--project=cc-project5-123123
	--format="value(name)"

05 The command output should return the requested VPC network names:

cc-project5-network
cc-custom-vpc-network

06 Run compute routers list command (Windows/macOS/Linux) with custom output filters to list the name of the Compute Engine router (also known as Cloud Router) created for the specified VPC network. Cloud NAT uses Cloud Routers to group NAT configuration information:

gcloud compute routers list
	--project=cc-project5-123123
	--filter="network:(cc-project5-network)"
	--format="value(name)"

07 The command output should return the name of the requested Cloud Router:

cc-project5-nat-router

08 Run compute routers nats list command (Windows/macOS/Linux) to describe the Cloud NAT gateways deployed for the specified Cloud Router, in the selected VPC network:

gcloud compute routers nats list
	--region=us-central1
	--router=cc-project5-nat-router
	--format="value(name)"

09 The command output should return the name of each NAT gateway deployed for your router:

cc-project5-nat-gateway
cc-web-platfom-nat-gateway

10 Run compute routers nats describe command (Windows/macOS/Linux) to describe the VPC subnets configured for the selected Cloud NAT gateway:

gcloud compute routers nats describe cc-project5-nat-gateway
	--region=us-central1
	--router=cc-project5-nat-router
	--format="default(subnetworks)"

11 The command output should return the URIs of the associated VPC subnets:

- name: https://www.googleapis.com/compute/v1/projects/cc-project5-123123/regions/us-central1/subnetworks/cc-project5-subnet-003
	sourceIpRangesToNat:
	- ALL_IP_RANGES

- name: https://www.googleapis.com/compute/v1/projects/cc-project5-123123/regions/us-central1/subnetworks/cc-project5-subnet-004
	sourceIpRangesToNat:
	- ALL_IP_RANGES

- name: https://www.googleapis.com/compute/v1/projects/cc-project5-123123/regions/us-central1/subnetworks/cc-project5-subnet-005
	sourceIpRangesToNat:
	- ALL_IP_RANGES

- name: https://www.googleapis.com/compute/v1/projects/cc-project5-123123/regions/us-central1/subnetworks/cc-project5-subnet-008
	sourceIpRangesToNat:
	- ALL_IP_RANGES

Check the compute routers nats describe command output to identify the VPC subnets associated with your NAT gateway. If one or more VPC subnets mapped to your gateway are not defined in the conformity rule settings identified in step 1, the selected Cloud NAT gateway is not limited to specific subnets. Consequently, your Cloud NAT configuration is not compliant.

12 Repeat steps no. 10 - 11 for each NAT gateway deployed for the selected GCP project.

13 Repeat steps no. 3 – 12 for each GCP project available in your Google Cloud account.

Remediation / Resolution

To ensure that your Google Cloud NAT gateways are mapped to specific, compliant VPC subnets only, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud NAT console available at https://console.cloud.google.com/net-services/nat.

04 Click on the name (link) of the Cloud NAT gateway that you want to configure, listed in the Gateway name column.

05 Select EDIT to modify the Cloud NAT resource configuration.

06 In the Cloud NAT mapping section, perform the following actions:

  1. To remove a non-compliant VPC subnet from your Cloud NAT gateway configuration, locate the subnet in the Subnets list and click on the Delete item button (i.e., bin icon) next to it.
  2. (Optional) To add an authorized, compliant VPC subnet to your Cloud NAT gateway configuration, choose ADD SUBNET AND IP RANGE and select the appropriate subnet and IP range(s). The selected VPC subnet must be defined in the conformity rule settings, in your Trend Cloud One™ – Conformity account.

07 Choose SAVE to apply the configuration changes.

08 Repeat steps no. 4 - 7 for each Cloud NAT gateway that you want to configure, available within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run compute routers nats update command (Windows/macOS/Linux) to update the list of VPC subnets allowed to use the selected Cloud NAT gateway. The --nat-custom-subnet-ip-ranges parameter defines the authorized and compliant VPC subnets. Any subnets not specified in --nat-custom-subnet-ip-ranges will be removed from your NAT gateway configuration:

gcloud compute routers nats update cc-project5-nat-gateway
	--region=us-central1
	--router=cc-project5-nat-router
	--nat-custom-subnet-ip-ranges=cc-project5-subnet-003:ALL,cc-project5-subnet-004:ALL,cc-project5-subnet-005:ALL

02 The command output should return the operation status:

Updating nat [cc-project5-nat-gateway] in router [cc-project5-nat-router]...done.

03 Repeat steps no. 1 and 2 for each Cloud NAT gateway that you want to configure, created in the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project available in your Google Cloud account.
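The CLI audit (steps 10 - 11) and the remediation command above can be scripted. The following added example, which is not part of the Conformity knowledge base, parses the JSON form of the compute routers nats describe output for one gateway, compares the mapped subnets against the authorized list from the rule settings, and builds the --nat-custom-subnet-ip-ranges value that keeps only the compliant subnets. The sample gateway JSON and the authorized subnet names are constructed for the example; a gateway whose sourceSubnetworkIpRangesToNat mode is ALL_SUBNETWORKS_* (no explicit subnet list) is treated as non-compliant, since it is not limited to specific subnets at all.

```python
import json

# Constructed sample of `gcloud compute routers nats describe <nat> --format=json`
# for a gateway mapped to an explicit list of subnets (values are made up).
SUBNET_URI = ("https://www.googleapis.com/compute/v1/projects/cc-project5-123123"
              "/regions/us-central1/subnetworks/{}")
SAMPLE_NAT_JSON = json.dumps({
    "name": "cc-project5-nat-gateway",
    "sourceSubnetworkIpRangesToNat": "LIST_OF_SUBNETWORKS",
    "subnetworks": [
        {"name": SUBNET_URI.format(s), "sourceIpRangesToNat": ["ALL_IP_RANGES"]}
        for s in ("cc-project5-subnet-003", "cc-project5-subnet-004",
                  "cc-project5-subnet-005", "cc-project5-subnet-008")
    ],
})

# Subnets authorized to use Cloud NAT in the conformity rule settings (assumed values).
AUTHORIZED_SUBNETS = {"cc-project5-subnet-003", "cc-project5-subnet-004",
                      "cc-project5-subnet-005"}


def subnet_name(uri: str) -> str:
    """Return the short subnet name from a Compute API subnetwork URI."""
    return uri.rstrip("/").rsplit("/", 1)[-1]


def audit_nat(nat_json: str, authorized: set) -> dict:
    """Evaluate one NAT gateway against the authorized subnet list.

    Returns the verdict, the unauthorized subnets found, and the value to pass
    to `--nat-custom-subnet-ip-ranges` so that only authorized subnets remain.
    """
    nat = json.loads(nat_json)
    mode = nat.get("sourceSubnetworkIpRangesToNat", "LIST_OF_SUBNETWORKS")
    if mode != "LIST_OF_SUBNETWORKS":
        # ALL_SUBNETWORKS_ALL_IP_RANGES / ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES:
        # every subnet in the region is NATed, so the gateway is not limited.
        mapped, unauthorized, compliant = set(), set(), False
    else:
        mapped = {subnet_name(s["name"]) for s in nat.get("subnetworks", [])}
        unauthorized = mapped - authorized
        compliant = not unauthorized
    # ":ALL" keeps both the primary and secondary IP ranges of each kept subnet.
    remediation = ",".join(f"{s}:ALL" for s in sorted(mapped & authorized))
    return {"gateway": nat.get("name"), "compliant": compliant,
            "unauthorized": sorted(unauthorized), "remediation_arg": remediation}
```

For a gateway in an ALL_SUBNETWORKS_* mode the returned remediation_arg is empty, because the authorized subnets to keep must be chosen by the operator rather than derived from the current mapping.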

Publication date Dec 16, 2024