VPC Firewall Open Ingress

Description

Ingress VPC firewall rules that allow 0.0.0.0/0 (or similarly broad ranges) to reach sensitive ports (SSH/RDP/database ports/ICMP) expose workloads directly to the internet, increasing the risk of exploitation and brute-force attacks. Misapplied target tags or service accounts, duplicate or overlapping rules, and permissive egress rules widen the exposure further.

Examples

List Wide-Open Rules

gcloud compute firewall-rules list --filter='sourceRanges=(0.0.0.0/0) AND direction=INGRESS' --format='table(name,network,allowed,sourceRanges)'
gcloud compute firewall-rules list --filter='direction=EGRESS AND destinationRanges=(0.0.0.0/0)' --format='table(name,network,denied,allowed,destinationRanges)'
gcloud compute firewall-rules describe <rule>

Remediation

  1. Restrict to known IPs or use Private Service Connect/VPN/IAP; terminate externally behind HTTPS Load Balancer + Cloud Armor.
  2. Apply hierarchical firewall policies at org/folder; periodically audit rules and remove unused tags.
  3. Enforce via organization policy (constraints/compute.restrict*); build CI checks to block wide-open rules.