Define Allowed External IPs for VM Instances
More Info:
Ensure that “Define Allowed External IPs for VM Instances” constraint policy is enforced at the GCP organization level in order to enable you to define the set of virtual machine (VM) instances that are allowed to use external IP addresses. This constraint helps you to minimize your instance’s exposure to the Internet.Risk Level
MediumAddress
Security, Operational MaturityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
“Allowed External IPs for VM Instances” is a firewall rule in GCP that allows traffic from specific external IP addresses to reach the VM instances. This misconfiguration can be a security risk as it may allow unauthorized access to the VM instances.To remediate this misconfiguration in GCP using the GCP console, follow these steps:
- Go to the GCP console and select the project containing the affected VM instances.
- In the navigation menu, click on “VPC Network” and then click on “Firewall rules”.
- Find the firewall rule that allows external IPs and click on it to edit it.
- In the “Source IP ranges” field, remove the specific IP addresses that are not authorized to access the VM instances.
- If necessary, add a new firewall rule to restrict access to the VM instances to specific IP addresses or IP ranges that are authorized to access them.
- Click on “Save” to apply the changes.
- Verify that the firewall rule has been updated by checking the “Firewall rules” page in the GCP console.
Using CLI
Using CLI
The “Allowed External IPs for VM Instances” misconfiguration in GCP means that the firewall rules for the virtual machine instances allow traffic from external IP addresses that are not authorized. To remediate this, you can follow these steps using the GCP CLI:Replace
- Open the Cloud Shell in the GCP Console.
- Run the following command to list the firewall rules for the project:
- Identify the firewall rule that needs to be updated to restrict the allowed external IPs.
- Run the following command to update the firewall rule:
[FIREWALL_RULE_NAME] with the name of the firewall rule that needs to be updated, and [AUTHORIZED_IP_RANGES] with the comma-separated list of authorized IP ranges.For example, if the firewall rule name is allow-http and the authorized IP ranges are 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16, the command would be:- Verify that the firewall rule was updated by running the
gcloud compute firewall-rules listcommand again and checking thesourceRangesfield for the updated rule.
Using Python
Using Python
The “Allowed External IPs” configuration in GCP allows network traffic only from specific external IP addresses. To remediate this misconfiguration, you can follow these steps using Python:where This will update the instance with the new list of allowed external IPs. Note that this assumes that the instance has only one network interface and one access config. If there are multiple network interfaces or access configs, you will need to modify the code accordingly.
- Import the necessary libraries:
- Set up the credentials:
- Set up the client:
- Define the project ID and zone where the instance is located:
- Define the instance name:
- Get the instance:
- Define the new list of allowed external IPs:
x.x.x.x and y.y.y.y are the IP addresses that you want to allow.- Update the instance with the new list of allowed external IPs: