Dual-homed Compute instances should be checked Affecting Compute Engine service in Google
Severity Framework
Snyk CCSS
Rule category
Network / Network
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
- Snyk ID SNYK-CC-00719
- credit Snyk Research Team
Description
Dual-homed Compute instances can introduce security risks by allowing unauthorized access and potential data exfiltration. It is important to regularly check for and address any instances that have multiple network interfaces connected to different networks. This helps ensure proper network segmentation and reduces the risk of unauthorized access or data leakage.
How to fix?
Do not create a Compute instance with multiple network interface blocks.
Example Configuration
resource "google_compute_instance" "allowed1" {
name = "allowed1"
machine_type = "e2-medium"
zone = "us-central1-a"
boot_disk {
initialize_params {
image = "debian-cloud/debian-11"
}
}
network_interface {
network = google_compute_network.network-1.name
subnetwork = google_compute_subnetwork.subnet-1.name
}
}
resource "google_compute_network" "network-1" {
name = "network-1"
}
resource "google_compute_subnetwork" "subnet-1" {
name = "subnet-1"
network = google_compute_network.network-1.id
ip_cidr_range = "10.0.1.0/24"
}