Dual-homed Compute instances should be checked Affecting Compute Engine service in Google


Severity

0.0
medium
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    Network / Network

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
  • Snyk ID SNYK-CC-00719
  • credit Snyk Research Team

Description

Dual-homed Compute instances can introduce security risks by allowing unauthorized access and potential data exfiltration. It is important to regularly check for and address any instances that have multiple network interfaces connected to different networks. This helps ensure proper network segmentation and reduces the risk of unauthorized access or data leakage.

How to fix?

Do not create a Compute instance with multiple network interface blocks.

Example Configuration

resource "google_compute_instance" "allowed1" {
  name         = "allowed1"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  network_interface {
    network    = google_compute_network.network-1.name
    subnetwork = google_compute_subnetwork.subnet-1.name
  }
}

resource "google_compute_network" "network-1" {
  name = "network-1"
}

resource "google_compute_subnetwork" "subnet-1" {
  name          = "subnet-1"
  network       = google_compute_network.network-1.id
  ip_cidr_range = "10.0.1.0/24"
}