Restrict VPN Peer IPs
More Info:
Ensure that only trusted IPv4 addresses can be configured as VPN peer IPs within your Google Cloud organization. Each trusted IP address must be defined explicitly in the conformity rule settings, on the Trend Micro Cloud One™ – Conformity account console.Risk Level
MediumAddress
Security, Operational MaturityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the “Restrict VPN Peer IPs” misconfiguration in GCP using the GCP console, follow these steps:
- Open the GCP console and navigate to the VPC network that contains the VPN gateway that needs to be remediated.
- Click on the VPN gateway that needs to be remediated.
- In the VPN gateway details page, click on the “Edit” button at the top of the page.
- In the “Edit VPN gateway” page, scroll down to the “Peer IP addresses” section.
- In the “Peer IP addresses” section, click on the “Add IP range” button.
- In the “Add IP range” dialog box, enter the IP address range of the VPN peer that needs to be allowed access to the VPN gateway.
- Click on the “Save” button to save the changes.
- Repeat steps 5-7 for each VPN peer that needs to be allowed access to the VPN gateway.
- Once all the necessary VPN peers have been added to the “Peer IP addresses” section, click on the “Save” button at the bottom of the page to save the changes to the VPN gateway.
Using CLI
Using CLI
To remediate the “Restrict VPN Peer IPs” misconfiguration in GCP using GCP CLI, you can follow the below steps:Step 1: Open the Cloud Shell in GCP Console.Step 2: Run the following command to list all the VPN tunnels in your project:Step 3: Identify the VPN tunnel that needs to be remediated and note down its name.Step 4: Run the following command to update the VPN tunnel configuration to restrict the peer IP addresses:Replace [VPN_TUNNEL_NAME] with the name of the VPN tunnel identified in step 3 and [CIDR_RANGE] with the CIDR range of the peer IP addresses that should be allowed to connect to the VPN tunnel.For example, if the VPN tunnel name is “my-vpn-tunnel” and the allowed CIDR range is “10.0.0.0/24”, the command will be:Step 5: Verify the configuration by running the following command:This will display the details of the VPN tunnel, including the updated peer-authorized-networks configuration.By following these steps, you can remediate the “Restrict VPN Peer IPs” misconfiguration in GCP using GCP CLI.
Using Python
Using Python
To remediate the “Restrict VPN Peer IPs” misconfiguration in GCP using Python, you can follow these steps:
- First, you need to identify the VPN gateway that has the misconfiguration. You can use the GCP Python SDK to list all the VPN gateways in your project and identify the one that has unrestricted VPN peer IPs.
- Once you have identified the VPN gateway, you need to update its configuration to restrict the VPN peer IPs. You can use the same GCP Python SDK to update the VPN gateway configuration.
- Finally, you should verify that the VPN gateway configuration has been updated successfully. You can use the same GCP Python SDK to retrieve the VPN gateway configuration and check that the VPN peer IPs are now restricted.