HIGH
Source: Trivy
ID: AVD-GCP-0043

Instances should not have IP forwarding enabled

Disabling IP forwarding ensures the instance can only receive packets addressed to the instance and can only send packets with a source address of the instance.

Impact

The instance can send and receive packets that do not carry its own explicit address.

Follow the appropriate remediation steps below to resolve the issue.

Disable IP forwarding

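resource "google_compute_instance" "good_example" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  // Local SSD disk
  scratch_disk {
    interface = "SCSI"
  }

  // At least one network interface is required by this resource
  network_interface {
    network = "default"
  }

  // The instance only sends and receives packets that carry its own address
  can_ip_forward = false
}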