More Info:

Ensure that only trusted IPv4 addresses can be configured as VPN peer IPs within your Google Cloud organization. Each trusted IP address must be defined explicitly in the conformity rule settings, on the Trend Micro Cloud One™ – Conformity account console.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

CBP

Remediation

Using Console

To remediate the “Restrict VPN Peer IPs” misconfiguration in GCP using the GCP console, follow these steps:

  1. Open the GCP console and navigate to the VPC network that contains the VPN gateway that needs to be remediated.

  2. Click on the VPN gateway that needs to be remediated.

  3. In the VPN gateway details page, click on the “Edit” button at the top of the page.

  4. In the “Edit VPN gateway” page, scroll down to the “Peer IP addresses” section.

  5. In the “Peer IP addresses” section, click on the “Add IP range” button.

  6. In the “Add IP range” dialog box, enter the IP address range of the VPN peer that needs to be allowed access to the VPN gateway.

  7. Click on the “Save” button to save the changes.

  8. Repeat steps 5-7 for each VPN peer that needs to be allowed access to the VPN gateway.

  9. Once all the necessary VPN peers have been added to the “Peer IP addresses” section, click on the “Save” button at the bottom of the page to save the changes to the VPN gateway.

By following these steps, you will remediate the “Restrict VPN Peer IPs” misconfiguration in GCP using the GCP console.

Using CLI

To remediate the “Restrict VPN Peer IPs” misconfiguration in GCP using GCP CLI, you can follow the below steps:

Step 1: Open the Cloud Shell in GCP Console.

Step 2: Run the following command to list all the VPN tunnels in your project:

gcloud compute vpn-tunnels list

Step 3: Identify the VPN tunnel that needs to be remediated and note down its name.

Step 4: Run the following command to update the VPN tunnel configuration to restrict the peer IP addresses:

gcloud compute vpn-tunnels update [VPN_TUNNEL_NAME] --peer-authorized-networks=[CIDR_RANGE]

Replace [VPN_TUNNEL_NAME] with the name of the VPN tunnel identified in step 3 and [CIDR_RANGE] with the CIDR range of the peer IP addresses that should be allowed to connect to the VPN tunnel.

For example, if the VPN tunnel name is “my-vpn-tunnel” and the allowed CIDR range is “10.0.0.0/24”, the command will be:

gcloud compute vpn-tunnels update my-vpn-tunnel --peer-authorized-networks=10.0.0.0/24

Step 5: Verify the configuration by running the following command:

gcloud compute vpn-tunnels describe [VPN_TUNNEL_NAME]

This will display the details of the VPN tunnel, including the updated peer-authorized-networks configuration.

By following these steps, you can remediate the “Restrict VPN Peer IPs” misconfiguration in GCP using GCP CLI.

Using Python

To remediate the “Restrict VPN Peer IPs” misconfiguration in GCP using Python, you can follow these steps:

  1. First, you need to identify the VPN gateway that has the misconfiguration. You can use the GCP Python SDK to list all the VPN gateways in your project and identify the one that has unrestricted VPN peer IPs.
from google.cloud import compute_v1

compute_client = compute_v1.ComputeClient()

# List all VPN gateways in the project
vpn_gateways = compute_client.vpn_gateways().list(project='your-project-id').execute()

# Identify the VPN gateway that has unrestricted VPN peer IPs
for vpn_gateway in vpn_gateways['items']:
    if vpn_gateway.get('vpnInterfaces'):
        for vpn_interface in vpn_gateway['vpnInterfaces']:
            if not vpn_interface.get('ipRange', {}).get('value'):
                print(f"VPN gateway {vpn_gateway['name']} has unrestricted VPN peer IPs.")
  1. Once you have identified the VPN gateway, you need to update its configuration to restrict the VPN peer IPs. You can use the same GCP Python SDK to update the VPN gateway configuration.
from google.cloud import compute_v1

compute_client = compute_v1.ComputeClient()

# Identify the VPN gateway that has unrestricted VPN peer IPs
vpn_gateway_name = 'your-vpn-gateway-name'
vpn_gateway = compute_client.vpn_gateways().get(project='your-project-id', region='your-region', vpnGateway=vpn_gateway_name).execute()

# Restrict VPN peer IPs to a specific range
new_vpn_interface = {
    'ipRange': {
        'value': '10.0.0.0/24'
    }
}
vpn_gateway['vpnInterfaces'][0] = new_vpn_interface

# Update the VPN gateway configuration
operation = compute_client.vpn_gateways().update(project='your-project-id', region='your-region', vpnGateway=vpn_gateway_name, body=vpn_gateway).execute()
  1. Finally, you should verify that the VPN gateway configuration has been updated successfully. You can use the same GCP Python SDK to retrieve the VPN gateway configuration and check that the VPN peer IPs are now restricted.
from google.cloud import compute_v1

compute_client = compute_v1.ComputeClient()

# Retrieve the VPN gateway configuration
vpn_gateway_name = 'your-vpn-gateway-name'
vpn_gateway = compute_client.vpn_gateways().get(project='your-project-id', region='your-region', vpnGateway=vpn_gateway_name).execute()

# Check that the VPN peer IPs are now restricted
if vpn_gateway.get('vpnInterfaces'):
    for vpn_interface in vpn_gateway['vpnInterfaces']:
        if vpn_interface.get('ipRange', {}).get('value'):
            print(f"VPN gateway {vpn_gateway['name']} has restricted VPN peer IPs to {vpn_interface['ipRange']['value']}.")