no-public-egress
Default Severity: critical
Explanation
Network security rules should not use very broad subnets.
Where possible, segments should be broken into smaller subnets, and the /0 subnet
(0.0.0.0/0, which matches every IPv4 address) should be avoided.
Possible Impact
The port is exposed for egress to the internet: the instances the rule applies to can send traffic on it to any destination address.
Suggested Resolution
Set a more restrictive CIDR range in destination_ranges.
Insecure Example
The following example will fail the google-compute-no-public-egress check.
  resource "google_compute_firewall" "bad_example" {
    name      = "bad-example-egress"   # required attribute; placeholder value
    network   = "default"              # required attribute; placeholder network name
    direction = "EGRESS"

    allow {
      protocol = "icmp"
    }

    # Matches every IPv4 destination, so the rule allows egress to the whole internet.
    destination_ranges = ["0.0.0.0/0"]
  }
Secure Example
The following example will pass the google-compute-no-public-egress check.
  resource "google_compute_firewall" "good_example" {
    name      = "good-example-egress"  # required attribute; placeholder value
    network   = "default"              # required attribute; placeholder network name
    direction = "EGRESS"

    allow {
      protocol = "icmp"
    }

    # Single-host range: only this destination is reachable under this rule.
    destination_ranges = ["1.2.3.4/32"]
  }
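The check above is easy to reproduce against a Terraform plan, which is useful when the scanner is not available in a pipeline or when you want to understand exactly what it flags. The following script is an added example, not code from tfsec, trivy or the Terraform Google provider. It reads the JSON produced by `terraform show -json tfplan` (the `resource_changes` / `change.after` layout is the real plan format; the embedded sample plan is constructed and trimmed to the fields the check needs) and reports every `google_compute_firewall` egress allow rule whose destination is a /0. It goes beyond the page in three ways: it also treats `::/0` as public, it flags an egress allow rule whose `destination_ranges` is unset (assumption: GCP applies such a rule to all destinations), and it skips deny rules, since a deny-all egress baseline is not an exposure. The names `SAMPLE_PLAN`, `is_public_range` and `check_plan` are this example's own.

```python
import ipaddress
import json

# Constructed sample in the shape of `terraform show -json tfplan` output, trimmed to
# the fields this check reads (assumption: a real plan carries many more attributes).
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {   # the page's insecure example: /0 destination on an allow rule
            "address": "google_compute_firewall.bad_example",
            "type": "google_compute_firewall",
            "change": {"actions": ["create"], "after": {
                "direction": "EGRESS",
                "allow": [{"protocol": "icmp", "ports": []}],
                "destination_ranges": ["0.0.0.0/0"]}},
        },
        {   # the page's secure example: single-host destination
            "address": "google_compute_firewall.good_example",
            "type": "google_compute_firewall",
            "change": {"actions": ["create"], "after": {
                "direction": "EGRESS",
                "allow": [{"protocol": "icmp", "ports": []}],
                "destination_ranges": ["1.2.3.4/32"]}},
        },
        {   # constructed edge case: allow rule with destination_ranges omitted
            "address": "google_compute_firewall.no_ranges",
            "type": "google_compute_firewall",
            "change": {"actions": ["create"], "after": {
                "direction": "EGRESS",
                "allow": [{"protocol": "tcp", "ports": ["443"]}],
                "destination_ranges": None}},
        },
        {   # constructed: deny-all egress baseline, not an exposure
            "address": "google_compute_firewall.deny_all_egress",
            "type": "google_compute_firewall",
            "change": {"actions": ["create"], "after": {
                "direction": "EGRESS",
                "deny": [{"protocol": "all", "ports": []}],
                "destination_ranges": ["0.0.0.0/0"]}},
        },
        {   # constructed: ingress rule, outside this check's scope
            "address": "google_compute_firewall.ingress_rule",
            "type": "google_compute_firewall",
            "change": {"actions": ["create"], "after": {
                "direction": "INGRESS",
                "allow": [{"protocol": "tcp", "ports": ["22"]}],
                "source_ranges": ["0.0.0.0/0"]}},
        },
    ]
})


def is_public_range(cidr):
    """True when the CIDR is a /0, i.e. it matches every address of its family
    (0.0.0.0/0 or ::/0). Malformed strings are not flagged here; terraform
    validate rejects them before a plan exists."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_plan(plan_text):
    """Return one finding per egress allow rule whose destination covers the
    whole internet. Each finding is a dict with the resource address, the
    offending range (None when the attribute is unset) and a reason."""
    findings = []
    for rc in json.loads(plan_text).get("resource_changes", []):
        if rc.get("type") != "google_compute_firewall":
            continue
        after = (rc.get("change") or {}).get("after")
        if not after:                       # resource being destroyed, nothing to check
            continue
        # Terraform defaults direction to INGRESS when it is omitted.
        if after.get("direction", "INGRESS") != "EGRESS":
            continue
        if not after.get("allow"):          # a deny rule cannot expose anything
            continue
        ranges = after.get("destination_ranges")
        if not ranges:
            # Assumption: an egress rule without destination_ranges applies to all
            # destinations, which is equivalent to 0.0.0.0/0.
            findings.append({"address": rc["address"], "range": None,
                             "reason": "destination_ranges unset on an egress allow rule"})
            continue
        for cidr in ranges:
            if is_public_range(cidr):
                findings.append({"address": rc["address"], "range": cidr,
                                 "reason": "egress allow rule to the whole internet"})
    return findings


if __name__ == "__main__":
    for f in check_plan(SAMPLE_PLAN):
        print(f"FAIL {f['address']}: {f['reason']} ({f['range']})")
```

Run against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `check_plan`. On the sample, only `bad_example` and `no_ranges` are reported; the single-host rule, the deny-all baseline and the ingress rule pass. The deny-rule exemption is a deliberate design choice: the page's impact statement is about exposure, and a rule that blocks traffic to 0.0.0.0/0 is the restriction you want, not the problem.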