GCP VPC Network subnets have Private Google access for IPv6 disabled
Description
Enabling Private Google Access for IPv6 improves the security posture of your Google Cloud Platform (GCP) resources by letting VMs in the subnet reach Google APIs and services over IPv6 through Google's network rather than over the public internet. This reduces the risk of that traffic being intercepted or tampered with, because it stays on Google's private network.
Private Google Access can also improve the performance and reliability of your GCP resources by reducing network latency and removing the need to route traffic through third-party networks.
Code Example
```hcl
resource "google_compute_subnetwork" "pass_bidi" {
  name             = "log-test-subnetwork"
  ip_cidr_range    = "10.2.0.0/16"
  stack_type       = "IPV4_IPV6"
  ipv6_access_type = "EXTERNAL"
  region           = "us-central1"
  network          = google_compute_network.custom-test.id
  # purpose = "INTERNAL_HTTPS_LOAD_BALANCER" is ignored if set
  # log_config {
  #   metadata = "EXCLUDE_ALL_METADATA"
  # }
  private_ip_google_access = true
+ private_ipv6_google_access = "ENABLE_BIDIRECTIONAL_ACCESS_TO_GOOGLE"
}
```
Remediation
Terraform
The inspected key is `private_ipv6_google_access`, and the acceptable values for this policy to pass are:
- ENABLE_OUTBOUND_VM_ACCESS_TO_GOOGLE
- ENABLE_BIDIRECTIONAL_ACCESS_TO_GOOGLE
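The following is an added example of how a scanner can evaluate this rule against Terraform source; it is not Checkov's own implementation of CKV_GCP_76 and is not part of the original page. It assumes a deliberately minimal HCL reader that handles flat `key = value` attributes inside `resource` blocks (skipping comments, a leading diff-style `+` marker, and nested blocks such as `log_config`), and it treats a missing `private_ipv6_google_access` key as a failure, since the access type is not enabled unless it is set explicitly. The sample HCL is constructed for the example; the first resource mirrors the page's snippet.

```python
import re

# Values that satisfy the policy (from the Remediation section above).
ACCEPTED_VALUES = {
    "ENABLE_OUTBOUND_VM_ACCESS_TO_GOOGLE",
    "ENABLE_BIDIRECTIONAL_ACCESS_TO_GOOGLE",
}
CHECKED_RESOURCE_TYPE = "google_compute_subnetwork"
INSPECTED_KEY = "private_ipv6_google_access"

RESOURCE_RE = re.compile(r'^resource\s+"([^"]+)"\s+"([^"]+)"\s*\{$')
ATTR_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+)$")


def parse_resources(hcl: str) -> list:
    """Minimal reader (an assumption, not a full HCL parser): collects the
    flat attributes of each top-level resource block. Nested blocks are
    skipped, comments are ignored, and a leading '+' (the diff-style marker
    used in remediation snippets) is tolerated."""
    resources, current, depth = [], None, 0
    for raw in hcl.splitlines():
        line = raw.strip()
        if line.startswith("+"):
            line = line[1:].strip()
        if not line or line.startswith("#"):
            continue
        if current is None:
            m = RESOURCE_RE.match(line)
            if m:
                current = {"type": m.group(1), "name": m.group(2), "attrs": {}}
                depth = 1
            continue
        if line.endswith("{"):          # nested block: ignore its contents
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:
                resources.append(current)
                current = None
            continue
        if depth == 1:
            m = ATTR_RE.match(line)
            if m:
                value = m.group(2).strip()
                if len(value) >= 2 and value[0] == value[-1] == '"':
                    value = value[1:-1]  # unquote string literals
                current["attrs"][m.group(1)] = value
    return resources


def check_private_ipv6_google_access(resource: dict) -> str:
    """Evaluate one parsed resource: PASSED, FAILED, or SKIPPED (wrong type).
    A missing key fails because access is disabled unless explicitly set;
    any value outside ACCEPTED_VALUES (e.g. DISABLE_GOOGLE_ACCESS) fails."""
    if resource["type"] != CHECKED_RESOURCE_TYPE:
        return "SKIPPED"
    value = resource["attrs"].get(INSPECTED_KEY)
    return "PASSED" if value in ACCEPTED_VALUES else "FAILED"


def scan(hcl: str) -> dict:
    """Map each resource address (type.name) to its check result."""
    return {
        f'{r["type"]}.{r["name"]}': check_private_ipv6_google_access(r)
        for r in parse_resources(hcl)
    }


# Constructed sample input: one compliant subnet (as on the page), one with
# access explicitly disabled, one that never sets the key, and a network
# resource the rule does not apply to.
SAMPLE_HCL = '''
resource "google_compute_subnetwork" "pass_bidi" {
  name                       = "log-test-subnetwork"
  ip_cidr_range              = "10.2.0.0/16"
  stack_type                 = "IPV4_IPV6"
  ipv6_access_type           = "EXTERNAL"
  region                     = "us-central1"
  network                    = google_compute_network.custom-test.id
  log_config {
    metadata = "EXCLUDE_ALL_METADATA"
  }
  private_ip_google_access   = true
+ private_ipv6_google_access = "ENABLE_BIDIRECTIONAL_ACCESS_TO_GOOGLE"
}

resource "google_compute_subnetwork" "fail_disabled" {
  name                       = "disabled-subnetwork"
  ip_cidr_range              = "10.3.0.0/16"
  region                     = "us-central1"
  network                    = google_compute_network.custom-test.id
  private_ipv6_google_access = "DISABLE_GOOGLE_ACCESS"
}

resource "google_compute_subnetwork" "fail_unset" {
  name          = "unset-subnetwork"
  ip_cidr_range = "10.4.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.custom-test.id
}

resource "google_compute_network" "custom-test" {
  name = "custom-test"
}
'''

if __name__ == "__main__":
    for address, result in scan(SAMPLE_HCL).items():
        print(f"{result:7} {address}")
```

Running the block prints one line per resource; only `pass_bidi` passes, the subnet that sets `DISABLE_GOOGLE_ACCESS` and the one that omits the key both fail, and the `google_compute_network` resource is skipped because the rule only applies to subnetworks.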
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0934 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_GCP_76 |