Use Private Google Access with Cloud NAT

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Private Google Access is enabled for the VPC subnets associated with your Cloud NAT gateways that require access to Google Cloud services, in order to enhance security by avoiding exposure to the public Internet.

Security

The Private Google Access feature allows virtual machine (VM) instances in the VPC subnets associated with Cloud NAT gateways to connect to Google APIs and services without requiring public IP addresses. This is useful for scenarios where you want to keep your VM instances private but still need them to reach Internet resources for updates, patching, and other management tasks through Cloud NAT, while their traffic to Google APIs and services stays off the public Internet.

Audit

To determine if the Private Google Access feature is enabled for the VPC subnets configured for your Cloud NAT gateways, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to the Cloud NAT console, available at https://console.cloud.google.com/net-services/nat.

04 Click on the name (link) of the Cloud NAT gateway that you want to examine, listed in the Gateway name column.

05 Select the DETAILS tab to view the configuration information available for the selected NAT gateway.

06 In the Cloud NAT mapping section, click on the name (link) of the VPC subnet associated with your NAT gateway, listed next to Source subnets & IP ranges.

07 On the Subnet details page, check the Private Google Access attribute value to determine the Private Google Access feature status for the selected subnet. If Private Google Access is set to Off, Private Google Access is disabled for the selected NAT-enabled VPC subnet.

08 Repeat steps no. 6 and 7 for each VPC subnet associated with the selected Cloud NAT gateway.

09 Repeat steps no. 4 - 8 for each Cloud NAT gateway created for the selected GCP project.

10 Repeat steps no. 2 - 9 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
	--format="value(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

cc-project5-123123
cc-ai-project-123123

03 Run the compute networks list command (Windows/macOS/Linux) with custom output filters to list the name of each VPC network created for the selected GCP project:

gcloud compute networks list \
	--project=cc-project5-123123 \
	--format="value(name)"

04 The command output should return the requested VPC network names:

cc-project5-network
cc-custom-vpc-network

05 Run the compute routers list command (Windows/macOS/Linux) to list the name of the Compute Engine router (also known as Cloud Router) created for the specified VPC network. Cloud NAT uses Cloud Routers to group NAT configuration information:

gcloud compute routers list \
	--project=cc-project5-123123 \
	--filter="network:(cc-project5-network)" \
	--format="value(name)"

06 The command output should return the name of the requested Cloud Router:

cc-project5-nat-router

07 Run the compute routers nats list command (Windows/macOS/Linux) to list the Cloud NAT gateways deployed for the specified Cloud Router, in the selected VPC network:

gcloud compute routers nats list \
	--project=cc-project5-123123 \
	--region=us-central1 \
	--router=cc-project5-nat-router \
	--format="value(name)"

08 The command output should return the name of each NAT gateway deployed for your router:

cc-project5-nat-gateway
cc-web-platfom-nat-gateway

09 Run the compute routers nats describe command (Windows/macOS/Linux) to describe the VPC subnets configured for the selected Cloud NAT gateway:

gcloud compute routers nats describe cc-project5-nat-gateway \
	--project=cc-project5-123123 \
	--region=us-central1 \
	--router=cc-project5-nat-router \
	--format="value(subnetworks[].name)"

10 The command output should return the URIs of the associated VPC subnets. If the compute routers nats describe command does not produce an output, there are no VPC subnets configured for the selected NAT gateway:

https://www.googleapis.com/compute/v1/projects/cc-project5-123123/regions/us-central1/subnetworks/cc-project5-subnet-001
https://www.googleapis.com/compute/v1/projects/cc-project5-123123/regions/us-central1/subnetworks/cc-project5-subnet-002
https://www.googleapis.com/compute/v1/projects/cc-project5-123123/regions/us-central1/subnetworks/cc-project5-subnet-003

11 Run the compute networks subnets describe command (Windows/macOS/Linux) with custom output filters to describe the Private Google Access feature status for the specified VPC subnet:

gcloud compute networks subnets describe https://www.googleapis.com/compute/v1/projects/cc-project5-123123/regions/us-central1/subnetworks/cc-project5-subnet-001 \
	--format="value(privateIpGoogleAccess)"

12 The command output should return the requested feature status (True for enabled, False for disabled):

False

If the compute networks subnets describe command output returns False, as shown in the example above, Private Google Access is disabled for the selected NAT-enabled VPC subnet.

13 Repeat steps no. 11 and 12 for each VPC subnet associated with the selected Cloud NAT gateway.

14 Repeat steps no. 9 - 13 for each NAT gateway deployed for the selected GCP project.

15 Repeat steps no. 3 - 14 for each GCP project available in your Google Cloud account.
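The following Python script is an added example, not part of the Conformity page or of the gcloud tooling: it automates audit steps 7 to 13 by reading the JSON output of the same gcloud commands, and it also covers one case the step-by-step procedure does not mention, a gateway configured for all subnetworks, whose subnetworks list is empty even though every subnet in the region is translated. The sample NAT and subnet records are constructed; the live audit_router function assumes gcloud is installed and authenticated, and its project, region, network and router arguments are placeholders.

```python
import json
import subprocess

PFX = ("https://www.googleapis.com/compute/v1/projects/cc-project5-123123"
       "/regions/us-central1/subnetworks/")

# Constructed sample resembling `gcloud compute routers nats describe --format=json`.
SAMPLE_NAT = {
    "name": "cc-project5-nat-gateway",
    "sourceSubnetworkIpRangesToNat": "LIST_OF_SUBNETWORKS",
    "subnetworks": [{"name": PFX + "cc-project5-subnet-001"},
                    {"name": PFX + "cc-project5-subnet-002"}],
}
# Constructed samples resembling `gcloud compute networks subnets describe --format=json`,
# keyed by subnet URI; subnet-003 is in the region but not listed by the gateway above.
SAMPLE_SUBNETS = {
    PFX + "cc-project5-subnet-001": {"privateIpGoogleAccess": False},
    PFX + "cc-project5-subnet-002": {"privateIpGoogleAccess": True},
    PFX + "cc-project5-subnet-003": {"privateIpGoogleAccess": False},
}

def gcloud_json(*args):
    """Run a gcloud command and parse its JSON output (needs gcloud and credentials)."""
    res = subprocess.run(["gcloud", *args, "--format=json"], check=True,
                         capture_output=True, text=True)
    return json.loads(res.stdout)

def nat_subnet_uris(nat, region_subnet_uris):
    """Subnet URIs whose traffic the gateway translates. A gateway in an
    ALL_SUBNETWORKS_* mode has an empty 'subnetworks' list, so an empty list
    does not mean 'no subnets': every subnet in the region is in scope."""
    if nat.get("sourceSubnetworkIpRangesToNat", "LIST_OF_SUBNETWORKS") != "LIST_OF_SUBNETWORKS":
        return sorted(region_subnet_uris)
    return [s["name"] for s in nat.get("subnetworks", [])]

def non_compliant_subnets(nat, subnets_by_uri):
    """NAT-enabled subnets where privateIpGoogleAccess is not true (the finding)."""
    return [uri for uri in nat_subnet_uris(nat, subnets_by_uri)
            if not subnets_by_uri[uri].get("privateIpGoogleAccess", False)]

def audit_router(project, region, network, router):
    """Live equivalent of audit steps 7 to 13 for one Cloud Router (args are placeholders)."""
    region_subnets = gcloud_json("compute", "networks", "subnets", "list",
                                 f"--project={project}", f"--regions={region}",
                                 f"--filter=network:({network})")
    subnets = {s["selfLink"]: s for s in region_subnets}
    nats = gcloud_json("compute", "routers", "nats", "list", f"--project={project}",
                       f"--region={region}", f"--router={router}")
    return {nat["name"]: non_compliant_subnets(nat, subnets) for nat in nats}
```

Each URI that audit_router reports is a subnet to fix with the compute networks subnets update command from the Remediation section.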

Remediation / Resolution

Private Google Access allows VM instances without external IPs to reach Google Cloud services and APIs securely without traversing the Internet. To enable Private Google Access for the VPC subnets associated with your Cloud NAT gateways, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to the Cloud NAT console, available at https://console.cloud.google.com/net-services/nat.

04 Click on the name (link) of the Cloud NAT gateway that you want to configure, listed in the Gateway name column.

05 Select the DETAILS tab to view the configuration information available for the selected NAT gateway.

06 In the Cloud NAT mapping section, click on the name (link) of the VPC subnet associated with your NAT gateway, listed next to Source subnets & IP ranges.

07 On the Subnet details page, select EDIT, set Private Google Access to On, and choose SAVE to apply the changes. This will enable the Private Google Access feature for the selected VPC subnet.

08 Repeat steps no. 6 and 7 for each VPC subnet associated with the selected Cloud NAT gateway.

09 Repeat steps no. 4 - 8 for each Cloud NAT gateway that you want to configure, available within the selected GCP project.

10 Repeat steps no. 2 - 9 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run the compute networks subnets update command (Windows/macOS/Linux) to activate Private Google Access for the specified NAT-enabled VPC subnet:

gcloud compute networks subnets update https://www.googleapis.com/compute/v1/projects/cc-project5-123123/regions/us-central1/subnetworks/cc-project5-subnet-001 \
	--enable-private-ip-google-access

02 The command output should return the operation status:

Updated [https://www.googleapis.com/compute/v1/projects/cc-project5-123123/regions/us-central1/subnetworks/cc-project5-subnet-001].

03 Repeat steps no. 1 and 2 for each VPC subnet associated with the selected Cloud NAT gateway.

04 Repeat steps no. 1 - 3 for each Cloud NAT gateway that you want to configure, created in the selected GCP project.

05 Repeat steps no. 1 - 4 for each GCP project available in your Google Cloud account.

Publication date Dec 16, 2024