
no-public-egress

Default Severity: critical

Explanation

Firewall rules should not reference very broad address ranges.

Where possible, break network segments into smaller subnets and avoid the /0 range, which matches every address on the internet.

Possible Impact

The port is exposed for egress to the whole internet.

Suggested Resolution

Set a more restrictive CIDR range for destination_ranges.

Insecure Example

The following example will fail the google-compute-no-public-egress check.

resource "google_compute_firewall" "bad_example" {
  # name and network are required by the provider; the values are illustrative
  name      = "bad-example"
  network   = "default"
  direction = "EGRESS"
  allow {
    protocol = "icmp"
  }
  # 0.0.0.0/0 is every IPv4 address: this is what the check flags
  destination_ranges = ["0.0.0.0/0"]
}

Secure Example

The following example will pass the google-compute-no-public-egress check.

resource "google_compute_firewall" "good_example" {
  # name and network are required by the provider; the values are illustrative
  name      = "good-example"
  network   = "default"
  direction = "EGRESS"
  allow {
    protocol = "icmp"
  }
  # a single host (/32) instead of the whole internet
  destination_ranges = ["1.2.3.4/32"]
}
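The check above can be reproduced offline against the output of `terraform show -json`. The following script is an added example and is not tfsec's own implementation: it walks the plan's `planned_values` module tree, and reports every `google_compute_firewall` resource whose direction is EGRESS and whose `destination_ranges` contains a /0 prefix (IPv4 `0.0.0.0/0` or IPv6 `::/0`). It also honours the provider's default of INGRESS when `direction` is omitted, so ingress rules with a wide `source_ranges` are left to a separate check. The plan data embedded at the bottom is constructed for the example.

```python
"""Offline check in the spirit of google-compute-no-public-egress.

Added example, not tfsec code. Reads a `terraform show -json` plan and flags
google_compute_firewall resources that allow egress to the entire internet.
"""
import ipaddress
import json
import sys


def is_public_range(cidr: str) -> bool:
    """True when the CIDR covers the whole address space (prefix length 0).

    Works for both 0.0.0.0/0 and ::/0; raises ValueError on malformed input
    so that a broken plan is not silently passed.
    """
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def iter_resources(module: dict):
    """Yield every resource in a plan module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_public_egress(plan: dict) -> list:
    """Return one finding per (resource, range) pair that is egress to /0.

    Direction defaults to INGRESS when absent, matching the google provider,
    so only rules that explicitly set EGRESS are examined.
    """
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "google_compute_firewall":
            continue
        values = res.get("values", {})
        if values.get("direction", "INGRESS") != "EGRESS":
            continue
        for cidr in values.get("destination_ranges") or []:
            if is_public_range(cidr):
                findings.append({
                    "address": res["address"],
                    "range": cidr,
                    "severity": "critical",
                    "resolution": "Set a more restrictive CIDR range",
                })
    return findings


def _firewall(name: str, **values: object) -> dict:
    """Build a minimal planned-values resource entry (constructed sample data)."""
    return {
        "address": f"google_compute_firewall.{name}",
        "type": "google_compute_firewall",
        "values": values,
    }


# Constructed sample plan: two of the four rules should be flagged.
SAMPLE_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                _firewall("bad_example", direction="EGRESS",
                          destination_ranges=["0.0.0.0/0"]),
                _firewall("good_example", direction="EGRESS",
                          destination_ranges=["1.2.3.4/32"]),
                # Ingress rule (direction omitted): not this check's concern.
                _firewall("ingress_example", source_ranges=["0.0.0.0/0"]),
            ],
            "child_modules": [{
                "resources": [
                    _firewall("v6_example", direction="EGRESS",
                              destination_ranges=["10.0.0.0/8", "::/0"]),
                ],
            }],
        },
    },
}


if __name__ == "__main__":
    # Usage: python check_egress.py plan.json   (or no argument for the sample)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for f in find_public_egress(plan):
        print(f"{f['severity'].upper()}: {f['address']} allows egress to {f['range']}")
```

Running it without arguments prints the two constructed offenders, `bad_example` and the `::/0` entry of `v6_example`; the `/8` range is not flagged because the check, like the page's rule, targets only the all-addresses prefix.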