An inbound firewall rule allows traffic from /0, i.e. from any source address.
Network security rules should not use very broad subnets.
Where possible, segments should be broken into smaller subnets, and the /0 subnet should be avoided.
Impact
The port is exposed for ingress from the internet.
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Set a more restrictive CIDR range.
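# Good example: ingress is limited to a single host (/32) instead of the
# 0.0.0.0/0 (/0) range that this check flags.
resource "google_compute_firewall" "good_example" {
  # name and network are required arguments of google_compute_firewall; the
  # original example omitted them. The values below are placeholders for the
  # example only and must be replaced with your own name and VPC network.
  name    = "good-example"
  network = "default"

  # Only this one address may reach instances in the network. Keep the list
  # as narrow as the use case allows; never use 0.0.0.0/0 or ::/0 here.
  source_ranges = ["1.2.3.4/32"]

  allow {
    protocol = "icmp"
  }
}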
# Tag-to-tag ingress rule: no source CIDR is used at all. Traffic is admitted
# only from instances carrying the "vms" network tag to instances carrying the
# "some-machine" tag, so no /0 (or any other address range) is involved.
resource "google_compute_firewall" "allow-vms-to-some-machine" {
  name      = "allow-vms-to-some-machine"
  network   = local.network
  direction = "INGRESS"
  priority  = 1300

  # Match by instance network tag rather than by address range.
  source_tags = ["vms"]
  target_tags = ["some-machine"]

  # Single TCP port rather than a protocol-wide allow.
  allow {
    protocol = "tcp"
    ports    = ["8081"]
  }
}
# Ingress rule whose source range is taken from the GKE cluster's own
# control-plane CIDR, so the allowed source is never hand-typed and cannot
# drift to /0; it also follows the cluster if its master range changes.
resource "google_compute_firewall" "test" {
  name    = "gmp-validating-webhook-fw"
  network = google_compute_network.my_vpc_name.self_link

  # The private cluster's master_ipv4_cidr_block is the only permitted source.
  source_ranges = [
    google_container_cluster.my_cluster_name.private_cluster_config[0].master_ipv4_cidr_block,
  ]

  # Only nodes tagged "k8s-node-pool" receive this traffic, on TCP 8443.
  target_tags = ["k8s-node-pool"]

  allow {
    protocol = "tcp"
    ports    = ["8443"]
  }
}
Links