
Check for Virtual Machine Instances with Public IP Addresses

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ComputeEngine-001

Ensure that your Google Compute Engine instances are not configured to have external IP addresses in order to minimize their exposure to the Internet.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

To reduce attack surface, Google Cloud virtual machine (VM) instances should not have public IP addresses attached. Instead, VM instances should be configured to run behind load balancers.

Note: VM Instances created by Google Kubernetes Engine (GKE) should be excluded as some of these instances have external IP addresses and cannot be reconfigured by editing the instance settings. The instances provisioned by GKE service have names that start with "gke-" and are labeled "goog-gke-node".


Audit

To determine if your Google Cloud virtual machine (VM) instances are configured to use public/external IP addresses, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances provisioned for the selected project.

05 Choose the virtual machine (VM) instance that you want to examine and check the value available in the External IP column. If the External IP value is set to an IPv4 address, the selected Google Compute Engine instance is configured to use a public/external IP address.

06 Repeat step no. 5 for each virtual machine (VM) instance provisioned for the selected project.

07 Repeat steps no. 2 – 6 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-stack-project-123123
cc-legacy-app-project-112233

03 Run compute instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name and zone for each VM instance launched for the selected project:

gcloud compute instances list \
	--project cc-web-stack-project-123123 \
	--format="table(name,zone)"

04 The command output should return the name(s) of the instance(s) within the selected GCP project:

NAME                      ZONE
cc-production-instance    us-central1-a
cc-staging-vm-instance    us-central1-a

05 Run compute instances describe command (Windows/macOS/Linux) using the name and the zone of the instance that you want to examine as identifier parameter and custom filtering to describe the access configuration for the network interface(s) attached to the selected instance:

gcloud compute instances describe cc-production-instance \
	--zone us-central1-a \
	--format="json(networkInterfaces[].accessConfigs)"

06 The command output should return the requested configuration information:

{
  "networkInterfaces": [
    {
      "accessConfigs": [
        {
          "kind": "compute#accessConfig",
          "name": "External NAT",
          "natIP": "xxx.xxx.xxx.xxx",
          "networkTier": "PREMIUM",
          "type": "ONE_TO_ONE_NAT"
        }
      ]
    }
  ]
}

If the compute instances describe command output returns one or more accessConfigs objects with a natIP property, as shown in the example above, the selected Google Compute Engine instance is configured to use a public/external IP address. For Google Cloud instances that are stopped and configured to have an ephemeral public IP address, the accessConfigs object exists but the natIP property is not present (the instance will receive a public IP address when it is started).

07 Repeat steps no. 5 and 6 for each virtual machine instance created within the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To remove the public (external) IP address from your Google Compute Engine instances, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with all the VM instances provisioned for the selected project.

05 Click on the name of the virtual machine (VM) instance that you want to reconfigure.

06 On the selected resource configuration page, click EDIT to enter the edit mode.

07 Under Network interfaces, choose the network interface (NIC) that you want to reconfigure, click on the NIC's edit button to enter the edit mode, select None from the External IP dropdown list and click Done to disable public IP access for the selected Google Compute Engine instance. IMPORTANT: Removing the external IP address from a virtual machine (VM) instance may cause some applications to stop working.

08 Click Save to apply the configuration changes.

09 Repeat steps no. 5 – 8 to remove the public (external) IP address for other VM instances created for the selected project.

10 Repeat steps no. 2 – 9 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run compute instances delete-access-config command (Windows/macOS/Linux) using the name and the zone of the virtual machine (VM) instance that you want to reconfigure as identifier parameters, to delete the access configuration set for the instance network interface (see Audit section, Using GCP CLI, step no. 6, to identify the name of the required access configuration), in order to disable public IP access for the selected Google Compute Engine instance. IMPORTANT: Removing the external IP address from a VM instance may cause some applications to stop working:

gcloud compute instances delete-access-config cc-production-instance \
	--zone us-central1-a \
	--access-config-name "External NAT"

02 The command output should return the URL of the reconfigured Google Cloud VM instance:

Updated [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-production-instance].

03 Repeat steps no. 1 and 2 to remove the public (external) IP address for other VM instances available within the selected project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.
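The following script is an added example covering both the CLI audit (Audit section, Using GCP CLI) and the CLI remediation above; it is not Conformity's or Google's own code. It applies this rule to the JSON that gcloud compute instances list --format=json emits for a project (the full instance resource, with the same networkInterfaces/accessConfigs fields that gcloud compute instances describe shows for a single VM), excludes GKE nodes as described in the Security section, treats a stopped VM whose accessConfigs entry has no natIP as a finding (it gets a public IP when started), and renders the delete-access-config command for each finding instead of running it. The four sample instances, their labels and IP addresses are constructed for the example; the --network-interface and --project flags are standard gcloud options not shown on this page.

```python
"""Audit GCE instances for external IPs and render remediation commands.

Added example, not Conformity's or Google's code. Input is the JSON array
produced by `gcloud compute instances list --project <id> --format=json`.
"""
import json
import sys

PROJECT = "cc-web-stack-project-123123"  # project ID from the page's example
ZONE_URL = ("https://www.googleapis.com/compute/v1/projects/"
            + PROJECT + "/zones/us-central1-a")

# Constructed sample output for four instances (IPs are documentation ranges).
SAMPLE_INSTANCES_JSON = json.dumps([
    {   # running VM with an external IP on nic0 -> finding
        "name": "cc-production-instance", "status": "RUNNING", "zone": ZONE_URL,
        "labels": {"env": "prod"},
        "networkInterfaces": [{"name": "nic0", "accessConfigs": [
            {"kind": "compute#accessConfig", "name": "External NAT",
             "natIP": "203.0.113.10", "networkTier": "PREMIUM",
             "type": "ONE_TO_ONE_NAT"}]}],
    },
    {   # stopped VM: accessConfigs present but no natIP (Audit step 06) -> finding
        "name": "cc-staging-vm-instance", "status": "TERMINATED", "zone": ZONE_URL,
        "networkInterfaces": [{"name": "nic0", "accessConfigs": [
            {"kind": "compute#accessConfig", "name": "External NAT",
             "networkTier": "PREMIUM", "type": "ONE_TO_ONE_NAT"}]}],
    },
    {   # internal-only VM: no accessConfigs at all -> compliant
        "name": "cc-internal-vm", "status": "RUNNING", "zone": ZONE_URL,
        "networkInterfaces": [{"name": "nic0"}],
    },
    {   # GKE node: excluded per the note in the Security section
        "name": "gke-cc-cluster-default-pool-abc123", "status": "RUNNING",
        "zone": ZONE_URL, "labels": {"goog-gke-node": ""},
        "networkInterfaces": [{"name": "nic0", "accessConfigs": [
            {"name": "External NAT", "natIP": "203.0.113.20",
             "type": "ONE_TO_ONE_NAT"}]}],
    },
])


def load_instances(text):
    """Parse the JSON array emitted by `gcloud compute instances list --format=json`."""
    return json.loads(text)


def is_gke_node(instance):
    """Exclusion from the Security section: name starts with gke- and label goog-gke-node."""
    labels = instance.get("labels") or {}
    return instance.get("name", "").startswith("gke-") and "goog-gke-node" in labels


def zone_name(instance):
    """gcloud reports the zone as a resource URL; keep only the trailing zone name."""
    return instance.get("zone", "").rsplit("/", 1)[-1]


def audit_instances(instances, project, include_gke=False):
    """Return one finding per access config; nat_ip is None for a stopped VM
    whose ephemeral external IP has not been assigned yet (still non-compliant)."""
    findings = []
    for inst in instances:
        if not include_gke and is_gke_node(inst):
            continue
        for nic in inst.get("networkInterfaces", []):
            for cfg in nic.get("accessConfigs") or []:
                findings.append({
                    "project": project, "instance": inst["name"],
                    "zone": zone_name(inst), "status": inst.get("status"),
                    "nic": nic.get("name", "nic0"),
                    "access_config": cfg.get("name", "External NAT"),
                    "nat_ip": cfg.get("natIP"),
                })
    return findings


def remediation_commands(findings):
    """Render (not execute) the page's delete-access-config command per finding."""
    return [
        f"gcloud compute instances delete-access-config {f['instance']} "
        f"--project {f['project']} --zone {f['zone']} "
        f"--network-interface {f['nic']} "
        f"--access-config-name \"{f['access_config']}\""
        for f in findings
    ]


def main():
    # Pipe real gcloud JSON on stdin; otherwise use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSTANCES_JSON
    findings = audit_instances(load_instances(text), PROJECT)
    for f in findings:
        ip = f["nat_ip"] or "(no natIP yet: ephemeral IP assigned on start)"
        print(f"{f['instance']} [{f['status']}] {f['nic']}/{f['access_config']}: {ip}")
    print("\nRemediation commands (review before running):")
    for cmd in remediation_commands(findings):
        print("  " + cmd)


if __name__ == "__main__":
    main()
```

Run it with no input to see the constructed sample, or feed a real project with gcloud compute instances list --project <id> --format=json | python audit_external_ips.py (file name is hypothetical). The script only prints the remediation commands; removing the access config is still the step-01 command above, to be run after confirming that nothing on the instance depends on the external address.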

Publication date Apr 12, 2021