Disable IP Forwarding for Virtual Machine Instances

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: ComputeEngine-004

Ensure that IP Forwarding feature is not enabled at the Google Compute Engine instance level for security and compliance reasons, as instances with IP Forwarding enabled act as routers/packet forwarders.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

When the IP Forwarding feature is enabled on a virtual machine's network interface (NIC), the VM can act as a router and receive, and then forward, traffic addressed to destinations other than itself. Because IP forwarding is rarely required, except when the virtual machine (VM) is used as a network virtual appliance, review each Google Cloud VM instance to decide whether IP forwarding is actually needed for that instance.

Note: IP Forwarding is enabled at the VM instance level and applies to all network interfaces (NICs) attached to the instance.

In addition, instances created by GKE should be excluded from this recommendation because they need IP forwarding enabled and the setting cannot be changed. Instances created by GKE have names that start with "gke-".


Audit

To determine if IP Forwarding is enabled for your Google Cloud VM instances, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances provisioned for the selected project.

05 Click on the name of the VM instance that you want to examine.

06 Select the Details tab to access the configuration details available for selected instance.

07 In the Network interfaces section, check the IP forwarding configuration status for every network interface listed. If one or more network interfaces have the IP forwarding set to On, the IP Forwarding feature is enabled for the selected Google Compute Engine instance.

08 Repeat steps no. 5 – 7 for each virtual machine (VM) instance created within the selected project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-stack-project-123123
cc-internal-app-project-112233

03 Run the compute instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to list the name and zone of each VM instance launched for the selected project:

gcloud compute instances list \
	--project cc-web-stack-project-123123 \
	--format="table(name,zone)"

04 The command output should return the name(s) of the instance(s) within the selected GCP project:

NAME                      ZONE
cc-production-instance    us-central1-a
cc-backend-vm-instance    us-central1-a

05 Run the compute instances describe command (Windows/macOS/Linux) using the name and the zone of the instance that you want to examine as identifier parameters and custom filtering to describe the configuration status of the IP Forwarding feature for the selected instance:

gcloud compute instances describe cc-production-instance \
	--zone us-central1-a \
	--format="table(canIpForward)"

06 The command output should return the requested configuration information:

CAN_IP_FORWARD
True

If the compute instances describe command output returns True for the CAN_IP_FORWARD attribute, as shown in the example above, the IP Forwarding feature is enabled for the selected Google Compute Engine instance.

07 Repeat steps no. 5 and 6 for each virtual machine instance provisioned within the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
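The CLI audit above checks one instance per describe call. The script below is an added example (not Conformity's own tooling) that evaluates a whole project in a single list call and skips "gke-" instances, which the rule excludes. It assumes the CSV projection shown in audit_project; the sample data is constructed from the instances on this page.

```shell
#!/bin/sh
# Added example, not Conformity's own tooling: automate the CLI audit of
# rule ComputeEngine-004 across every instance of a project at once.
# Input is the CSV produced by the gcloud command in audit_project.

# Reads "name,zone,canIpForward" lines on stdin and prints one
# "NON_COMPLIANT <name> <zone>" line per instance with IP forwarding on.
flag_ip_forwarding() {
  awk -F',' '
    $1 ~ /^gke-/          { next }        # GKE nodes must keep forwarding
    tolower($3) == "true" { print "NON_COMPLIANT", $1, $2 }
  '
}

# Audits one project ($1) by listing all of its instances in one call.
audit_project() {
  gcloud compute instances list --project "$1" \
      --format="csv[no-heading](name,zone.basename(),canIpForward)" \
    | flag_ip_forwarding
}

# Audits every project visible to the caller (audit steps 1 and 8).
audit_all_projects() {
  for project in $(gcloud projects list --format="value(projectId)"); do
    echo "# project: $project"
    audit_project "$project"
  done
}

# Constructed sample of the CSV, mirroring the instances shown on this page
# plus a GKE node; used when no project ID is passed on the command line.
SAMPLE='cc-production-instance,us-central1-a,True
cc-backend-vm-instance,us-central1-a,False
gke-cc-cluster-default-pool-1a2b3c4d,us-central1-a,True'

if [ -n "$1" ]; then
  audit_project "$1"
else
  printf '%s\n' "$SAMPLE" | flag_ip_forwarding
fi
```

Run it with a project ID to audit that project, or with no argument to see the sample evaluation; only cc-production-instance is reported because the GKE node is excluded.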

Remediation / Resolution

Disabling IP Forwarding for your existing Google Cloud virtual machine (VM) instances is not supported. To turn off the feature, you have to re-create your VM instances with the appropriate networking configuration, by performing the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with all the VM instances provisioned for the selected project.

05 Choose the virtual machine (VM) instance that you want to reconfigure (see Audit section part I to identify the right resource), then click on the 3-dot button for instance menu options and select Create new machine image to create an image from the selected instance.

06 On the Create a machine image page, provide a name for your new machine image in the Name box, choose the location at which to store the image and the encryption key required to encrypt the data, then click Create to create the new virtual machine (VM) image.

07 Once the machine image is successfully created (i.e. the status is set to Ready), click on the 3-dot button for image menu options and select Create instance to create a virtual machine from the newly created image.

08 On the Create an instance page, perform the following:

  1. Provide a unique name for the new instance in the Name box.
  2. In the Machine configuration section, choose the right machine family and type (must match the configuration of the instance that you want to re-create).
  3. Click NETWORKING, DISKS, SECURITY, MANAGEMENT, SOLE-TENANCY to expand the advanced options, select the Networking tab, click on the network interface's edit button to enter the edit mode, and select Off from the IP forwarding dropdown list to disable the IP Forwarding feature for the new Google Compute Engine instance.
  4. Click Create to launch your new VM instance.

09 To avoid extra charges on your Google Cloud monthly bill, you can remove the source (non-compliant) instance from your GCP project. To remove the required instance, perform the following:

IMPORTANT: Deleting Google Cloud VM instances that are acting as routers/packet forwarders may break the network connectivity for some of your applications.

  1. In the navigation panel, select VM instances.
  2. Choose the VM instance that you want to remove, then click on the 3-dot button for instance menu options and select Delete to initiate the removal process.
  3. Within the Delete an instance confirmation box, select DELETE to confirm the action and remove the selected instance from your project.

10 Repeat steps no. 5 – 9 to disable IP Forwarding for other virtual machine instances created for the selected project.

11 Repeat steps no. 2 – 10 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run the compute instances describe command (Windows/macOS/Linux) using the name and zone of the virtual machine (VM) instance that you want to reconfigure as identifier parameters (see Audit section part II to identify the right resource), to describe the configuration metadata available for the selected instance:

gcloud compute instances describe cc-production-instance \
	--zone us-central1-a

02 The command output should return the requested configuration information. This data will be used later to re-create the selected instance:

cpuPlatform: Intel Haswell
deletionProtection: false
disks:
- autoDelete: true
  boot: true
  deviceName: cc-production-instance
  diskSizeGb: '100'
  guestOsFeatures:
  - type: VIRTIO_SCSI_MULTIQUEUE
  - type: UEFI_COMPATIBLE
  interface: SCSI
  kind: compute#attachedDisk
  mode: READ_WRITE
  source: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/disks/cc-production-instance
  type: PERSISTENT
displayDevice:
  enableDisplay: false
networkInterfaces:
- fingerprint: FINGERPRINT
  kind: compute#networkInterface
  name: nic0
  network: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/global/networks/cc-vpc
  networkIP: 127.0.0.1
  stackType: IPV4_ONLY
  subnetwork: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/regions/us-central1/subnetworks/cc-web-stack-network-01
...

kind: compute#instance
machineType: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/machineTypes/n1-standard-8
name: cc-production-instance
shieldedInstanceConfig:
  enableIntegrityMonitoring: true
  enableSecureBoot: false
  enableVtpm: true
shieldedInstanceIntegrityPolicy:
  updateAutoLearnPolicy: true
startRestricted: false
status: RUNNING
tags:
  items:
  - http-server
  - https-server
zone: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a

03 Run the compute images create command (Windows/macOS/Linux) to create a custom image from the boot disk of the Google Compute Engine instance that you want to re-create. Include the --force flag to create the image from a disk that is attached to a running instance (by default, you cannot create images from the disks of running VM instances):

gcloud compute images create cc-production-instance-image \
	--source-disk cc-production-instance \
	--source-disk-zone us-central1-a \
	--storage-location us-central1 \
	--force

04 The command output should return the metadata for the newly created machine image:

Created [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/global/images/cc-production-instance-image].

NAME                          PROJECT                     FAMILY  DEPRECATED  STATUS
cc-production-instance-image  cc-web-stack-project-123123                     READY

05 Run the compute instances create command (Windows/macOS/Linux) using the name of the image created at the previous step and the configuration details returned at step no. 2 as configuration parameters, to create a new Google Compute Engine instance from the selected image. Do not add the --can-ip-forward parameter to the command request; IP forwarding is disabled by default, so leaving the flag out keeps it off for the new instance:

gcloud compute instances create cc-new-production-instance \
	--image-project=cc-web-stack-project-123123 \
	--image=cc-production-instance-image \
	--zone=us-central1-a \
	--machine-type=n1-standard-8 \
	--network-interface=subnet=cc-web-stack-network-01

06 The command output should return the metadata available for the new VM instance:

Created [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-new-production-instance].

NAME                        ZONE           MACHINE_TYPE   INTERNAL_IP  EXTERNAL_IP      STATUS
cc-new-production-instance  us-central1-a  n1-standard-8  10.128.0.5   xxx.xxx.xxx.xxx  RUNNING

07 To avoid extra charges on your Google Cloud monthly bill, you can remove the source (non-compliant) instance from your GCP project. To remove the required instance, run the compute instances delete command (Windows/macOS/Linux) using the name and zone of the source (non-compliant) instance that you want to remove as identifier parameters:

gcloud compute instances delete cc-production-instance \
	--zone us-central1-a

08 Press Y at the command prompt to confirm the resource removal:

IMPORTANT: Deleting Google Cloud VM instances that are acting as routers/packet forwarders may break your network connectivity.

The following instances will be deleted. Any attached disks configured
to be auto-deleted will be deleted unless they are attached to any
other instances or the `--keep-disks` flag is given and specifies them
for keeping. Deleting a disk is irreversible and any data on the disk
will be lost.
 - [cc-production-instance] in [us-central1-a]
Do you want to continue (Y/n)?

09 The command output should return the URL of the deleted VM instance:

Deleted [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-production-instance].

10 Repeat steps no. 1 – 9 to disable IP Forwarding for other virtual machine instances available within the selected project.

11 Repeat steps no. 1 – 10 for each GCP project deployed in your Google Cloud account.
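The CLI remediation above is easy to get wrong when the instance details are copied by hand, and the page deletes the source instance without first confirming the new VM's setting. The script below is an added example (not Conformity's own tooling): build_create_command derives the create command from the describe output of step 2, never emitting --can-ip-forward, and recreate_without_ip_forwarding verifies canIpForward on the new VM before reporting that the source may be deleted. The function names and the sample describe excerpt are constructed for this example.

```shell
#!/bin/sh
# Added example, not Conformity's own tooling: derive the replacement VM's
# create command from `gcloud compute instances describe` output (step 2)
# and confirm IP forwarding is off on the new VM before the source goes.

# stdin: describe output (YAML); $1: new instance name; $2: image name.
# Prints a create command that deliberately never includes --can-ip-forward.
build_create_command() {
  awk -v new="$1" -v image="$2" '
    function base(url,  p, n) { n = split(url, p, "/"); return p[n] }
    $1 == "machineType:" {
      mt = base($2); project = $2
      sub(/.*\/projects\//, "", project); sub(/\/.*/, "", project)
    }
    $1 == "zone:"       { zone = base($2) }
    $1 == "subnetwork:" { subnet = base($2) }
    END {
      printf "gcloud compute instances create %s --image-project=%s --image=%s", new, project, image
      printf " --zone=%s --machine-type=%s --network-interface=subnet=%s\n", zone, mt, subnet
    }'
}

# Re-creates $1 (zone $2) as $3; source is kept until the new VM is verified.
recreate_without_ip_forwarding() {
  src=$1; zone=$2; new=$3; image="$src-image"
  gcloud compute images create "$image" --source-disk "$src" \
      --source-disk-zone "$zone" --force || return 1
  cmd=$(gcloud compute instances describe "$src" --zone "$zone" \
        | build_create_command "$new" "$image") || return 1
  eval "$cmd" || return 1
  fwd=$(gcloud compute instances describe "$new" --zone "$zone" \
        --format="value(canIpForward)")
  if [ "$fwd" = "False" ]; then
    echo "$new verified with IP forwarding off; $src can now be deleted"
  else
    echo "$new still reports canIpForward=$fwd; keeping $src" >&2
    return 1
  fi
}

# Constructed excerpt of the describe output shown on this page (offline demo).
SAMPLE_DESCRIBE='machineType: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/machineTypes/n1-standard-8
name: cc-production-instance
networkInterfaces:
- name: nic0
  subnetwork: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/regions/us-central1/subnetworks/cc-web-stack-network-01
zone: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a'

printf '%s\n' "$SAMPLE_DESCRIBE" | build_create_command cc-new-production-instance cc-production-instance-image
```

Run stand-alone it prints the same create command as step 5 above, derived from the sample describe output; recreate_without_ip_forwarding is only meant to be called with live gcloud access.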

Publication date Apr 12, 2021