- Compute Instances with Multiple Network Interfaces
Ensure that your Compute Engine VM instances are not using multiple network interfaces, in order to prevent network security complications, unwanted network paths, and increased management complexity. Virtual machine (VM) instances should have the minimum network connectivity needed for their intended purpose.
While multiple network interfaces offer flexibility for complex network configurations, consider the trade-off between their benefits and the added complexity they introduce. Often, a single network interface with proper routing within the VPC network can suffice, providing a simpler and more reliable solution.
Audit
To determine if your Compute Engine VM instances use multiple network interfaces, perform the following operations:
Using GCP Console
01 Sign in to Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.
03 Navigate to Compute Engine console available at https://console.cloud.google.com/compute.
04 In the navigation panel, choose VM instances, and select the INSTANCES tab to access the list of the virtual machine (VM) instances provisioned for the selected GCP project.
05 Click on the name (link) of the VM instance that you want to examine.
06 Select the DETAILS tab to access the configuration details available for selected instance.
07 Check the number of network interfaces listed in the Network interfaces section. If there are two or more network interfaces available in this section, the selected virtual machine (VM) instance is configured with multiple network interfaces.
08 Repeat steps no. 5 – 7 for each virtual machine (VM) instance available within the selected GCP project.
09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.
Using GCP CLI
01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:
gcloud projects list --format="table(projectId)"
02 The command output should return the requested GCP project IDs:
PROJECT_ID
cc-web-stack-project-123123
cc-internal-app-project-112233
03 Run compute instances list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and zone for each VM instance launched for the selected project:
gcloud compute instances list --project cc-web-stack-project-123123 --format="table(name,zone)"
04 The command output should return the name(s) of the instance(s) within the selected GCP project:
NAME                    ZONE
cc-backend-vm-instance  us-central1-a
cc-production-instance  us-central1-a
05 Run compute instances describe command (Windows/macOS/Linux) using the name and the zone of the instance that you want to examine as the identifier parameters and custom filtering to describe the name of each network interface associated with the selected instance:
gcloud compute instances describe cc-backend-vm-instance --zone us-central1-a --format="table(networkInterfaces.name)"
06 The command output should return an array with the network interface name(s):
NAME: ['nic0', 'nic1']
If the compute instances describe command output returns an array with two or more network interfaces, as shown in the example above, the selected virtual machine (VM) instance is configured with multiple network interfaces.
07 Repeat steps no. 5 and 6 for each virtual machine (VM) instance provisioned within the selected project.
08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
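The CLI audit above is repeated by hand per instance and per project. The following script automates it; it is an added example and not part of the original page. It parses the JSON that `gcloud compute instances list --project <ID> --format=json` prints (the two instance records embedded below are constructed sample data in that shape) and reports every instance whose `networkInterfaces` array has two or more entries, together with the VPC networks those interfaces attach to, so a reviewer can see which networks the VM bridges. The `audit_project` helper wraps the real `gcloud` command and is the only part that needs `gcloud` on the PATH.

```python
"""Flag Compute Engine instances that carry more than one network interface."""
import json
import subprocess
from typing import Dict, List

# Constructed sample: the shape of `gcloud compute instances list --format=json` output.
SAMPLE_INSTANCES_JSON = json.dumps([
    {
        "name": "cc-backend-vm-instance",
        "zone": "https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a",
        "networkInterfaces": [
            {"name": "nic0",
             "network": "https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/global/networks/default",
             "networkIP": "10.128.0.10"},
            {"name": "nic1",
             "network": "https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/global/networks/cc-custom-vpc",
             "networkIP": "10.0.0.2"},
        ],
    },
    {
        "name": "cc-production-instance",
        "zone": "https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a",
        "networkInterfaces": [
            {"name": "nic0",
             "network": "https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/global/networks/default",
             "networkIP": "10.128.0.11"},
        ],
    },
])


def short_name(resource_url: str) -> str:
    """Return the last path segment of a Compute Engine resource URL (zone, network, ...)."""
    return resource_url.rstrip("/").rsplit("/", 1)[-1]


def audit_instances(instances_json: str) -> List[Dict[str, object]]:
    """Return one finding per instance that has two or more network interfaces.

    A finding records the instance name, its zone, the interface count and the
    networks the interfaces attach to (the VPCs the VM bridges).
    """
    findings = []
    for inst in json.loads(instances_json):
        nics = inst.get("networkInterfaces", [])
        if len(nics) < 2:
            continue
        findings.append({
            "name": inst["name"],
            "zone": short_name(inst["zone"]),
            "nic_count": len(nics),
            "networks": [short_name(n["network"]) for n in nics],
        })
    return findings


def audit_project(project_id: str) -> List[Dict[str, object]]:
    """Run the real gcloud listing for one project and audit it (needs gcloud on the PATH)."""
    out = subprocess.run(
        ["gcloud", "compute", "instances", "list", "--project", project_id, "--format=json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit_instances(out)


if __name__ == "__main__":
    # Demonstrate on the constructed sample; swap in audit_project("<PROJECT_ID>") for live data.
    for f in audit_instances(SAMPLE_INSTANCES_JSON):
        print(f"{f['name']} ({f['zone']}): {f['nic_count']} interfaces, "
              f"bridging {', '.join(f['networks'])}")
```

Feed the project IDs from `gcloud projects list --format="value(projectId)"` into `audit_project` in a loop to cover the whole account in one pass; the listing command returns the full `networkInterfaces` array, so no per-instance `describe` call is needed.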
Remediation / Resolution
To ensure that your virtual machine (VM) instances are not using multiple network interfaces, you have to re-create your VM instances with the appropriate networking configuration. To relaunch your instances, perform the following operations:
Using GCP Console
01 Sign in to Google Cloud Management Console.
02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.
03 Navigate to Compute Engine console available at https://console.cloud.google.com/compute.
04 In the navigation panel, choose VM instances, and select the INSTANCES tab to access the list of the virtual machine (VM) instances provisioned for the selected GCP project.
05 Choose the VM instance with multiple network interfaces that you want to re-create, click on the 3-dot button for instance menu options, and select Create new machine image to create an image from the selected instance.
06 On the Create a machine image setup page, provide a name for your new machine image in the Name box, choose the location at which to store the image and the encryption key required to encrypt the data, then choose Create to create the new virtual machine (VM) image.
07 Once the machine image is successfully created (i.e. the image status is set to Ready), click on the 3-dot button for image menu options and select Create instance to create a new VM instance from your VM image.
08 On the Create an instance setup page, perform the following actions:
- Provide a unique name for the new instance in the Name box.
- In the Machine configuration section, choose the right machine family and type (must match the configuration of the instance that you want to re-create).
- Choose Advanced options, select the Networking tab, and click on the Delete button (bin icon) available for each network interface that you want to delete. To achieve compliance, only one network interface should be configured for the new VM instance.
- Choose CREATE to launch your new virtual machine (VM) instance.
09 (Optional) To avoid extra charges on your Google Cloud monthly bill, you can remove the source (non-compliant) instance from your GCP project. To remove the instance, perform the following actions:
- In the navigation panel, select VM instances.
- Choose the VM instance that you want to remove, click on the 3-dot button for instance menu options, and select Delete to initiate the removal process.
- In the removal confirmation box, select DELETE to remove the selected instance from your GCP project.
10 Repeat steps no. 5 – 9 for each non-compliant VM instance that you want to relaunch, available for the selected project.
11 Repeat steps no. 2 – 10 for each GCP project available in your Google Cloud account.
Using GCP CLI
01 Run compute instances describe command (Windows/macOS/Linux) with the name of the virtual machine (VM) instance that you want to re-create as the identifier parameter, to describe the configuration information available for the selected instance:
gcloud compute instances describe cc-backend-vm-instance --zone us-central1-a
02 The command output should return the requested configuration information. This data will be used later to redeploy the selected instance:
cpuPlatform: Intel Haswell
deletionProtection: false
displayDevice:
  enableDisplay: false
networkInterfaces:
- accessConfigs:
  - kind: compute#accessConfig
    name: External NAT
    natIP: xxx.xxx.xxx.xxx
    networkTier: PREMIUM
    type: ONE_TO_ONE_NAT
  kind: compute#networkInterface
  name: nic0
  network: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/global/networks/default
  networkIP: 10.128.0.10
  stackType: IPV4_ONLY
  subnetwork: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/regions/us-central1/subnetworks/default
  ...
- accessConfigs:
  - kind: compute#accessConfig
    name: External NAT
    natIP: xxx.xxx.xxx.xxx
    networkTier: PREMIUM
    type: ONE_TO_ONE_NAT
  kind: compute#networkInterface
  name: nic1
  network: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/global/networks/cc-custom-vpc
  networkIP: 10.0.0.2
  stackType: IPV4_ONLY
  subnetwork: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/regions/us-central1/subnetworks/tm-central
kind: compute#instance
machineType: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/machineTypes/n1-standard-8
name: cc-backend-vm-instance
enableIntegrityMonitoring: true
enableSecureBoot: false
enableVtpm: true
03 Run compute images create command (Windows/macOS/Linux) to create a machine image from the Google Compute Engine instance that you want to re-create. Include the --force flag to create the image from a running instance:
gcloud compute images create cc-backend-vm-instance-image --source-disk cc-backend-vm-instance --source-disk-zone us-central1-a --storage-location us-central1 --force
04 The command output should return the metadata for the newly created machine image:
Created [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/global/images/cc-backend-vm-instance-image].
NAME                          PROJECT                      FAMILY  DEPRECATED  STATUS
cc-backend-vm-instance-image  cc-web-stack-project-123123                      READY
05 Run compute instances create command (Windows/macOS/Linux) with the name of the machine image created at the previous steps and the configuration details returned at step no. 2 as the configuration parameters, to create a new virtual machine (VM) instance from the selected image. For example, the following command creates a new VM instance with only one network interface, specified by the --network-interface parameter:
gcloud compute instances create cc-new-backend-instance --image-project=cc-web-stack-project-123123 --image=cc-backend-vm-instance-image --zone=us-central1-a --machine-type=n1-standard-8 --network-interface network=cc-custom-vpc,subnet=subnet-central,private-network-ip=10.0.0.1,no-address
06 The command output should return the information available for the new VM instance:
Created [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-new-backend-instance].
NAME                        ZONE           MACHINE_TYPE   INTERNAL_IP  EXTERNAL_IP      STATUS
cc-new-production-instance  us-central1-a  n1-standard-8  10.128.0.10  xxx.xxx.xxx.xxx  RUNNING
07 (Optional) To avoid extra charges on your monthly bill, you can remove the source (non-compliant) instance from your GCP project. To remove the instance, run compute instances delete command (Windows/macOS/Linux) with the name of the source (non-compliant) instance that you want to remove as the identifier parameter, to remove the selected compute resource from your project:
gcloud compute instances delete cc-backend-vm-instance --zone us-central1-a
08 Type Y and press Enter at the command prompt to confirm the resource removal:
The following instances will be deleted. Any attached disks configured to be auto-deleted will be deleted unless they are attached to any other instances or the `--keep-disks` flag is given and specifies them for keeping. Deleting a disk is irreversible and any data on the disk will be lost.
 - [cc-backend-vm-instance] in [us-central1-a]

Do you want to continue (Y/n)? Y
09 The command output should return the URL of the deleted VM instance:
Deleted [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-backend-vm-instance].
10 Repeat steps no. 1 – 9 for each non-compliant VM instance that you want to relaunch, available in the selected project.
11 Repeat steps no. 1 – 10 for each GCP project deployed in your Google Cloud account.
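The relaunch in steps 1 to 5 above requires carrying the source instance's zone, machine type, and one chosen interface over into a single `--network-interface` flag by hand. The script below, an added example that is not part of the original page, derives that `gcloud compute instances create` command from the JSON that `gcloud compute instances describe --format=json` prints. The describe record embedded here is a constructed sample mirroring the page's YAML output; the new instance name, the image name and the `private_ip` value are assumptions passed in by the caller. Two points a practitioner wants checked are built in: an interface that had no `accessConfigs` in the source gets `no-address` so the relaunch does not silently acquire an external IP, and the command reports which networks the new instance will no longer be attached to, so reachability through the dropped interfaces is reviewed before the source is deleted. Reusing the source's `networkIP` while the source is still running would collide, which is why the page's own example picks a different address; the function therefore only sets `private-network-ip` when one is supplied.

```python
"""Derive the single-interface relaunch command from `gcloud compute instances describe --format=json`."""
import json
import shlex
from typing import Dict, List, Optional

# Constructed sample in the shape of the describe output (URLs shortened only in the host part).
_P = "https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123"
SAMPLE_DESCRIBE_JSON = json.dumps({
    "name": "cc-backend-vm-instance",
    "zone": f"{_P}/zones/us-central1-a",
    "machineType": f"{_P}/zones/us-central1-a/machineTypes/n1-standard-8",
    "networkInterfaces": [
        {"name": "nic0",
         "network": f"{_P}/global/networks/default",
         "subnetwork": f"{_P}/regions/us-central1/subnetworks/default",
         "networkIP": "10.128.0.10",
         "accessConfigs": [{"name": "External NAT", "type": "ONE_TO_ONE_NAT"}]},
        {"name": "nic1",
         "network": f"{_P}/global/networks/cc-custom-vpc",
         "subnetwork": f"{_P}/regions/us-central1/subnetworks/tm-central",
         "networkIP": "10.0.0.2"},
    ],
})


def short_name(resource_url: str) -> str:
    """Last path segment of a Compute Engine resource URL."""
    return resource_url.rstrip("/").rsplit("/", 1)[-1]


def project_of(resource_url: str) -> str:
    """Project ID embedded in a Compute Engine resource URL (.../projects/<id>/...)."""
    parts = resource_url.split("/")
    return parts[parts.index("projects") + 1]


def interface_flag(nic: Dict, private_ip: Optional[str] = None) -> str:
    """Build the --network-interface property list for the interface being kept.

    An interface without accessConfigs had no external IP; the new one gets
    no-address so the relaunch does not widen exposure.
    """
    props = [f"network={short_name(nic['network'])}",
             f"subnet={short_name(nic['subnetwork'])}"]
    if private_ip:
        props.append(f"private-network-ip={private_ip}")
    if not nic.get("accessConfigs"):
        props.append("no-address")
    return ",".join(props)


def build_relaunch_command(describe_json: str, new_name: str, image: str,
                           keep_nic: str, private_ip: Optional[str] = None) -> Dict[str, object]:
    """Return the create command for a one-interface replacement plus the networks being dropped."""
    inst = json.loads(describe_json)
    by_name = {n["name"]: n for n in inst["networkInterfaces"]}
    if keep_nic not in by_name:
        raise ValueError(f"{inst['name']} has no interface named {keep_nic}")
    project = project_of(inst["zone"])
    argv = ["gcloud", "compute", "instances", "create", new_name,
            f"--project={project}", f"--image-project={project}", f"--image={image}",
            f"--zone={short_name(inst['zone'])}",
            f"--machine-type={short_name(inst['machineType'])}",
            f"--network-interface={interface_flag(by_name[keep_nic], private_ip)}"]
    dropped = [short_name(n["network"]) for n in inst["networkInterfaces"] if n["name"] != keep_nic]
    return {"command": shlex.join(argv), "dropped_networks": dropped}


if __name__ == "__main__":
    plan = build_relaunch_command(SAMPLE_DESCRIBE_JSON, "cc-new-backend-instance",
                                  "cc-backend-vm-instance-image", keep_nic="nic1",
                                  private_ip="10.0.0.1")
    print(plan["command"])
    print("networks no longer attached:", ", ".join(plan["dropped_networks"]))
```

Run the printed command only after confirming that nothing relies on the dropped networks (routes, peering, or firewall rules that reference the old interface's address); the source instance from step 7 is deleted last, after the replacement is verified reachable.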
References
- Google Cloud Platform (GCP) Documentation
- Create VMs with multiple network interfaces
- Create and start a VM instance
- GCP Command Line Interface (CLI) Documentation
- gcloud projects list
- gcloud compute instances list
- gcloud compute instances describe
- gcloud compute disks list
- gcloud compute disks describe
- gcloud compute instances delete