Instance templates should not assign a public IP address

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that Compute Engine instance templates are not configured to assign a static, public IP address to the virtual machine (VM) instances launched from them, so that those instances instead receive an ephemeral IP address assigned automatically by Google Cloud.

Security

When you create an instance template, you can choose whether to assign a static, external IP address to your VM instances. Not assigning a static IP address to an instance template offers several advantages: increased IP address availability, flexibility, cost savings, and dynamic routing capabilities. It is therefore advisable not to assign public IP addresses to new instances and instead to let them receive ephemeral internal IP addresses assigned by the network. This approach ensures optimal resource utilization and adaptability in your Google Cloud environment.


Audit

To determine if your instance templates are configured to assign a public IP address for VM instances, perform the following operations:

Checking the type of the external IP configured for an instance template via Google Cloud CLI (gcloud CLI) is not supported.

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Compute Engine console available at https://console.cloud.google.com/compute and choose Instance templates.

04 Click on the name (link) of the instance template that you want to examine.

05 In the Networking section, examine each active network interface attached to the instance template, listed under Network interfaces. Check the value available in the External IP address column for each attached network interface. If External IP address is not set to Ephemeral, the selected Compute Engine instance template is configured to assign a static, public IP address to your virtual machine (VM) instances.

06 Repeat steps no. 4 and 5 for each instance template available within the selected GCP project.

07 Repeat steps no. 2 – 6 for each project deployed in your Google Cloud Platform (GCP) account.
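The console check above can also be expressed as a policy rule over the instance template resource. The following Python script is an added example, not part of the Conformity article or the gcloud tool: it classifies each network interface of a template as "static" (an access config pins an external address), "ephemeral" (an access config exists but no address is pinned) or "none" (no external access config at all), and reports templates that assign a static public IP. It assumes the JSON shape of the Compute Engine instanceTemplates resource (properties.networkInterfaces[].accessConfigs[].natIP), as returned for example by `gcloud compute instance-templates describe NAME --format=json`; the field names are taken from the API and the sample templates and addresses are constructed.

```python
"""Flag Compute Engine instance templates that assign a static external IP.

Added example (not Conformity or Google code). Field names follow the
Compute Engine instanceTemplates resource; this is an assumption about the
API shape, not something the article states.
"""
import json

# Constructed sample input shaped like `gcloud compute instance-templates
# describe --format=json` output. Names and addresses are made up.
SAMPLE_TEMPLATES = json.loads("""
[
  {
    "name": "cc-web-static-template",
    "properties": {
      "networkInterfaces": [
        {
          "network": "global/networks/default",
          "accessConfigs": [
            {"name": "External NAT", "type": "ONE_TO_ONE_NAT",
             "natIP": "203.0.113.10", "networkTier": "PREMIUM"}
          ]
        }
      ]
    }
  },
  {
    "name": "cc-new-web-instance-template",
    "properties": {
      "networkInterfaces": [
        {
          "network": "global/networks/default",
          "accessConfigs": [
            {"name": "External NAT", "type": "ONE_TO_ONE_NAT",
             "networkTier": "PREMIUM"}
          ]
        }
      ]
    }
  },
  {
    "name": "cc-internal-only-template",
    "properties": {
      "networkInterfaces": [
        {"network": "global/networks/default"}
      ]
    }
  }
]
""")


def classify_interface(nic):
    """Return 'static', 'ephemeral' or 'none' for one networkInterfaces entry."""
    access_configs = nic.get("accessConfigs") or []
    if not access_configs:
        # No external access config: the VM gets an internal address only.
        return "none"
    # A populated natIP pins a specific (static) external address; an access
    # config without natIP lets Google Cloud hand out an ephemeral one.
    if any(cfg.get("natIP") for cfg in access_configs):
        return "static"
    return "ephemeral"


def audit_template(template):
    """Return (name, per-interface classifications, compliant?) for a template."""
    nics = template.get("properties", {}).get("networkInterfaces", [])
    kinds = [classify_interface(nic) for nic in nics]
    return template["name"], kinds, "static" not in kinds


def non_compliant_templates(templates):
    """Names of templates where at least one interface pins a static external IP."""
    return [name for name, _, ok in map(audit_template, templates) if not ok]


if __name__ == "__main__":
    for name, kinds, ok in map(audit_template, SAMPLE_TEMPLATES):
        status = "OK" if ok else "NON-COMPLIANT"
        print(f"{name:32} {','.join(kinds):12} {status}")
```

Feeding the script real `describe --format=json` output for every template in a project gives the same verdict as the console walk-through, with the advantage that a template whose interface has no external access config at all is reported separately rather than being lumped in with ephemeral ones.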

Remediation / Resolution

To ensure that your Compute Engine instance templates are not configured to assign a static, public IP address to VM instances, you must re-create your instance templates with the appropriate network configuration. To deploy a new instance template, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Compute Engine console available at https://console.cloud.google.com/compute and choose Instance templates.

04 Choose CREATE INSTANCE TEMPLATE and follow the setup wizard to configure the required settings for the new instance template.

05 Choose Advanced options, select Networking, and click on the default network interface listed in the Network interfaces section to edit the resource settings.

06 For External IPv4 address choose Ephemeral to configure the network interface to assign an ephemeral IP address to each VM instance provisioned using the instance template. Choose DONE to apply the changes.

07 Once all the required settings are configured, choose CREATE to provision your new Compute Engine instance template.

08 Repeat steps no. 4 – 7 for each non-compliant instance template that you want to re-create, deployed for the selected GCP project.

09 Repeat steps no. 2 – 8 for each project available within your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with a custom output format to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-project5-stack-123123 
cc-bigdata-project-112233

03 Run the compute instance-templates create command (Windows/macOS/Linux) to create a new Compute Engine instance template for the selected GCP project. Specifying an empty string for the external IP address in the --network-interface parameter (i.e. --network-interface=address="") configures the new instance template to assign an ephemeral IP address to each provisioned VM instance:

gcloud compute instance-templates create cc-new-web-instance-template \
  --project=cc-project5-stack-123123 \
  --machine-type=e2-medium \
  --provisioning-model=STANDARD \
  --shielded-vtpm \
  --shielded-integrity-monitoring \
  --reservation-affinity=any \
  --network-interface=network=default,network-tier=PREMIUM,address=""

04 The command output should return the configuration information for the new instance template:

NAME: cc-new-web-instance-template
MACHINE_TYPE: e2-medium
PREEMPTIBLE: 
CREATION_TIMESTAMP: 2023-05-10T10:50:13.019-07:00

05 Repeat steps no. 3 and 4 for each non-compliant instance template that you want to re-create, available within the selected GCP project.

06 Repeat steps no. 1 – 4 for each project deployed in your Google Cloud Platform (GCP) account.

Publication date May 25, 2023