
Compute Instances with Multiple Network Interfaces

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Compute Engine VM instances are not using multiple network interfaces, in order to prevent network security complications, unwanted network paths, and increased management complexity. Virtual machine (VM) instances should have the minimum network connectivity needed for their intended purpose.

Categories: Security, Operational excellence, Cost optimisation

While multiple network interfaces offer flexibility for complex network configurations, consider the trade-off between their benefits and the added complexity they introduce. A VM with several interfaces is attached to several VPC networks at once, each governed by a different set of firewall rules, and if IP forwarding is enabled or the guest is compromised it can bridge traffic between networks that were meant to be isolated from each other. Often, a single network interface with proper routing within the VPC network can suffice, providing a simpler and more reliable solution.


Audit

To determine if your Compute Engine VM instances use multiple network interfaces, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Compute Engine console available at https://console.cloud.google.com/compute.

04 In the navigation panel, choose VM instances, and select the INSTANCES tab to access the list of the virtual machine (VM) instances provisioned for the selected GCP project.

05 Click on the name (link) of the VM instance that you want to examine.

06 Select the DETAILS tab to access the configuration details available for the selected instance.

07 Check the number of network interfaces listed in the Network interfaces section. If there are two or more network interfaces available in this section, the selected virtual machine (VM) instance is configured with multiple network interfaces.

08 Repeat step no. 5 – 7 for each virtual machine (VM) instance available within the selected GCP project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-stack-project-123123
cc-internal-app-project-112233

03 Run compute instances list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and zone for each VM instance launched for the selected project:

gcloud compute instances list \
  --project cc-web-stack-project-123123 \
  --format="table(name,zone)"

04 The command output should return the name(s) of the instance(s) within the selected GCP project:

NAME                      ZONE
cc-backend-vm-instance    us-central1-a
cc-production-instance    us-central1-a

05 Run compute instances describe command (Windows/macOS/Linux) using the name and the zone of the instance that you want to examine as the identifier parameters and custom filtering to describe the name of each network interface associated with the selected instance:

gcloud compute instances describe cc-backend-vm-instance \
  --zone us-central1-a \
  --format="table(networkInterfaces.name)"

06 The command output should return an array with the network interface name(s):

NAME: ['nic0', 'nic1']

If the compute instances describe command output returns an array with two or more network interfaces, as shown in the example above, the selected virtual machine (VM) instance is configured with multiple network interfaces.

07 Repeat steps no. 5 and 6 for each virtual machine (VM) instance provisioned within the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
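The per-instance describe loop above does not scale to an account with many projects. The script below is an added example (not part of the Conformity page or its tooling) that performs the same audit in one pass: it asks gcloud for the name, zone and interface names of every instance in a project in tab-separated value() format, and flags every instance with two or more interfaces. The gcloud calls themselves are the page's own commands; the projection networkInterfaces[].name and the helper function names are assumptions made for this example, and the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not Conformity tooling): flag Compute Engine instances that
# have two or more network interfaces, across every project the caller can see.
#
# flag_multi_nic reads one instance per line, TAB-separated:
#   NAME<TAB>ZONE<TAB>nic0;nic1;...
# which is what this gcloud projection prints (value() separates columns with
# a tab and the elements of a list with ';'):
#   --format="value(name,zone.basename(),networkInterfaces[].name)"
# Constructed sample input line: cc-backend-vm-instance<TAB>us-central1-a<TAB>nic0;nic1

# Print only the non-compliant instances: NAME, ZONE, NIC count, NIC names.
flag_multi_nic() {
    awk -F'\t' 'BEGIN { OFS = "\t" }
    {
        n = split($3, nics, ";")
        if (n >= 2) print $1, $2, n, $3
    }'
}

# Number of non-compliant instances in the input (useful as a CI gate:
# a non-zero result means the account is out of compliance).
count_multi_nic() {
    flag_multi_nic | wc -l | tr -d ' '
}

# Walk every project visible to the caller. Needs an authenticated gcloud
# with compute.instances.list on each project. Output columns:
# PROJECT, NAME, ZONE, NIC count, NIC names.
audit_all_projects() {
    gcloud projects list --format="value(projectId)" |
    while IFS= read -r project; do
        gcloud compute instances list --project "$project" \
            --format="value(name,zone.basename(),networkInterfaces[].name)" |
        flag_multi_nic |
        awk -v p="$project" -F'\t' 'BEGIN { OFS = "\t" } { print p, $0 }'
    done
}
```

Source the file and run audit_all_projects after gcloud auth login; an empty result means no instance in any project has more than one interface. Because the parsing is separated from the gcloud calls, flag_multi_nic can also be fed the saved output of a single instances list command for one project.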

Remediation / Resolution

To ensure that your virtual machine (VM) instances are not using multiple network interfaces, you have to re-create your VM instances with the appropriate networking configuration. Note that the re-created instance is a new resource: it gets a new instance ID and, unless you reserve one, a new internal IP address, so update any firewall rules, DNS records, load balancer backends or scripts that refer to the old instance. To relaunch your instances, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Compute Engine console available at https://console.cloud.google.com/compute.

04 In the navigation panel, choose VM instances, and select the INSTANCES tab to access the list of the virtual machine (VM) instances provisioned for the selected GCP project.

05 Choose the VM instance with multiple network interfaces that you want to re-create, click on the 3-dot button for instance menu options, and select Create new machine image to create an image from the selected instance.

06 On the Create a machine image setup page, provide a name for your new machine image in the Name box, choose the location at which to store the image and the encryption key required to encrypt the data, then choose Create to create the new virtual machine (VM) image.

07 Once the machine image is successfully created (i.e. the image status is set to Ready), click on the 3-dot button for image menu options and select Create instance to create a new VM instance from your VM image.

08 On the Create an instance setup page, perform the following actions:

  1. Provide a unique name for the new instance in the Name box.
  2. In the Machine configuration section, choose the right machine family and type (must match the configuration of the instance that you want to re-create).
  3. Choose Advanced options, select the Networking tab, and click on the Delete button (bin icon) available for each network interface that you want to delete. To achieve compliance, only one network interface should be configured for the new VM instance.
  4. Choose CREATE to launch your new virtual machine (VM) instance.

09 (Optional) To avoid extra charges on your Google Cloud monthly bill, you can remove the source (non-compliant) instance from your GCP project. To remove the instance, perform the following actions:

  1. In the navigation panel, select VM instances.
  2. Choose the VM instance that you want to remove, click on the 3-dot button for instance menu options, and select Delete to initiate the removal process.
  3. In the removal confirmation box, select DELETE to remove the selected instance from your GCP project.

10 Repeat steps no. 5 – 9 for each non-compliant VM instance that you want to relaunch, available for the selected project.

11 Repeat steps no. 2 – 10 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run compute instances describe command (Windows/macOS/Linux) with the name and the zone of the virtual machine (VM) instance that you want to re-create as the identifier parameters, to describe the configuration information available for the selected instance:

gcloud compute instances describe cc-backend-vm-instance \
  --zone us-central1-a

02 The command output should return the requested configuration information. This data will be used later to redeploy the selected instance:

cpuPlatform: Intel Haswell
deletionProtection: false
displayDevice:
  enableDisplay: false

...

networkInterfaces:
- accessConfigs:
  - kind: compute#accessConfig
    name: External NAT
    natIP: xxx.xxx.xxx.xxx
    networkTier: PREMIUM
    type: ONE_TO_ONE_NAT
  kind: compute#networkInterface
  name: nic0
  network: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/global/networks/default
  networkIP: 10.128.0.10
  stackType: IPV4_ONLY
  subnetwork: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/regions/us-central1/subnetworks/default
- accessConfigs:
  - kind: compute#accessConfig
    name: External NAT
    natIP: xxx.xxx.xxx.xxx
    networkTier: PREMIUM
    type: ONE_TO_ONE_NAT
  kind: compute#networkInterface
  name: nic1
  network: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/global/networks/cc-custom-vpc
  networkIP: 10.0.0.2
  stackType: IPV4_ONLY
  subnetwork: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/regions/us-central1/subnetworks/tm-central
kind: compute#instance
machineType: https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/machineTypes/n1-standard-8
name: cc-backend-vm-instance

...

shieldedInstanceConfig:
  enableIntegrityMonitoring: true
  enableSecureBoot: false
  enableVtpm: true

03 Run compute images create command (Windows/macOS/Linux) to create a custom disk image from the boot disk of the Compute Engine instance that you want to re-create. Unlike the console procedure above, which uses a machine image, this captures the boot disk only: any additional data disks, as well as metadata, labels, network tags and the attached service account, must be re-attached or re-specified on the new instance. The command below assumes that the boot disk has the same name as the instance (the Compute Engine default). Include the --force flag to create the image while the source disk is still attached to a running instance:

gcloud compute images create cc-backend-vm-instance-image \
  --source-disk cc-backend-vm-instance \
  --source-disk-zone us-central1-a \
  --storage-location us-central1 \
  --force

04 The command output should return the metadata for the newly created machine image:

Created [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/global/images/cc-backend-vm-instance-image].

NAME                          PROJECT                     FAMILY  DEPRECATED  STATUS
cc-backend-vm-instance-image  cc-web-stack-project-123123                     READY

05 Run compute instances create command (Windows/macOS/Linux) with the name of the disk image created at the previous step and the configuration details returned at step no. 2 as the configuration parameters, to create a new virtual machine (VM) instance from the selected image. For example, the following command creates a new VM instance with only one network interface, specified by the --network-interface parameter, attached to the cc-custom-vpc network and tm-central subnet used by nic1 at step no. 2, and without an external IP address (no-address). The internal address is allocated automatically; if you need to pin it with private-network-ip=, choose an address that is actually free in the subnet (10.0.0.1 is the subnet gateway and cannot be assigned, and 10.0.0.2 is still held by the source instance until that instance is deleted):

gcloud compute instances create cc-new-backend-instance \
  --image-project=cc-web-stack-project-123123 \
  --image=cc-backend-vm-instance-image \
  --zone=us-central1-a \
  --machine-type=n1-standard-8 \
  --network-interface=network=cc-custom-vpc,subnet=tm-central,no-address

06 The command output should return the information available for the new VM instance:

Created [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-new-backend-instance].

NAME                     ZONE           MACHINE_TYPE   INTERNAL_IP  EXTERNAL_IP  STATUS
cc-new-backend-instance  us-central1-a  n1-standard-8  10.0.0.3                  RUNNING

07 (Optional) To avoid extra charges on your monthly bill, you can remove the source (non-compliant) instance from your GCP project. To remove the instance, run compute instances delete command (Windows/macOS/Linux) with the name of the source (non-compliant) instance that you want to remove as the identifier parameter, to remove the selected compute resource from your project:

gcloud compute instances delete cc-backend-vm-instance \
  --zone us-central1-a

08 Type Y and press Enter at the command prompt to confirm the resource removal:

The following instances will be deleted. Any attached disks configured to be auto-deleted will be deleted unless they are attached to any other instances or the `--keep-disks` flag is given and specifies them for keeping. Deleting a disk is irreversible and any data on the disk will be lost.

	- [cc-backend-vm-instance] in [us-central1-a]

Do you want to continue (Y/n)? Y

09 The command output should return the URL of the deleted VM instance:

Deleted [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-backend-vm-instance].

10 Repeat steps no. 1 – 9 for each non-compliant VM instance that you want to relaunch, available in the selected project.

11 Repeat steps no. 1 – 10 for each GCP project deployed in your Google Cloud account.

Publication date May 3, 2024