Compute instances ‘IP forwarding’ should not be enabled

Description

By default, a Compute Engine instance cannot forward a packet originated by another instance (“IP forwarding”). If this is enabled, Google Cloud no longer enforces packet source and destination checking, which can result in data loss or unintended information disclosure.

Remediation Steps

IP Forwarding configuration can only be set when Compute Engine instances are created. Therefore, remediation requires deleting an existing instance and creating a new one.

Google Cloud Console

  • Navigate to VM instances.

  • Check the Compute Engine instance you want to delete, and select Delete.

  • To create a new instance, click CREATE INSTANCE.

  • Ensure that the new instance does not enable IP Forwarding; this is the default configuration.

gcloud CLI

  • Delete the Compute Engine instance with IP Forwarding enabled:

    • gcloud compute instances delete INSTANCE_NAME

  • Create a new Compute Engine instance (IP Forwarding is disabled by default):

    • gcloud compute instances create INSTANCE_NAME
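The following audit script is an added example and is not part of the original page or of Google's tooling. It reads the JSON that `gcloud compute instances list --format=json` produces (the `name`, `zone`, `status` and `canIpForward` fields are real output fields; the sample records below are constructed), reports every instance with IP forwarding enabled, and prints the delete-and-recreate command pair from the remediation steps with the real `--zone` flag filled in. The `allowlist` parameter is a hypothetical convention for instances that are deliberately acting as routers or NAT gateways and have been reviewed; it is not a gcloud feature.

```python
"""Audit Compute Engine instances for the canIpForward flag (added example)."""
import json
from typing import Dict, Iterable, List, Optional

# Constructed sample output: the shape mirrors what
# `gcloud compute instances list --format=json` returns (only the fields
# this audit reads are included). The project and instance names are made up.
SAMPLE_INSTANCES_JSON = json.dumps([
    {"name": "web-1", "status": "RUNNING", "canIpForward": False,
     "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a"},
    {"name": "nat-gw", "status": "RUNNING", "canIpForward": True,
     "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b"},
    {"name": "legacy-router", "status": "TERMINATED", "canIpForward": True,
     "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/europe-west1-c"},
])


def zone_name(zone_url: str) -> str:
    """gcloud reports the zone as a full resource URL; keep only the last path segment."""
    return zone_url.rstrip("/").rsplit("/", 1)[-1]


def find_ip_forwarding_instances(instances_json: str,
                                 allowlist: Optional[Iterable[str]] = None) -> List[Dict[str, str]]:
    """Return the instances whose canIpForward flag is set.

    `allowlist` (hypothetical, not a gcloud feature) names instances that are
    deliberately acting as routers or NAT gateways and have been reviewed;
    they are skipped so the finding list contains only unexpected cases.
    """
    allowed = set(allowlist or [])
    findings = []
    for inst in json.loads(instances_json):
        # A missing key is treated as the platform default (forwarding disabled).
        if not inst.get("canIpForward", False):
            continue
        if inst["name"] in allowed:
            continue
        findings.append({
            "name": inst["name"],
            "zone": zone_name(inst["zone"]),
            "status": inst.get("status", "UNKNOWN"),
        })
    return findings


def remediation_commands(findings: List[Dict[str, str]]) -> List[str]:
    """Build the delete/recreate command pair from the remediation steps.

    canIpForward is fixed at creation time, so the fix is to delete the
    instance and create a replacement; the replacement gets the default
    (forwarding disabled) because no --can-ip-forward flag is passed.
    The commands are returned as strings for review, not executed.
    """
    commands = []
    for f in findings:
        commands.append(f"gcloud compute instances delete {f['name']} --zone={f['zone']}")
        commands.append(f"gcloud compute instances create {f['name']} --zone={f['zone']}")
    return commands


if __name__ == "__main__":
    hits = find_ip_forwarding_instances(SAMPLE_INSTANCES_JSON, allowlist={"nat-gw"})
    for hit in hits:
        print(f"{hit['name']} ({hit['zone']}, {hit['status']}): IP forwarding enabled")
    for cmd in remediation_commands(hits):
        print(cmd)
```

Against live data, pipe the output of `gcloud compute instances list --format=json` into `find_ip_forwarding_instances` instead of the constructed sample. Recreating an instance with the same name and zone restores nothing else (disks, metadata, network tags, service account), so the generated `create` line is a starting point to be completed from the old instance's configuration before it is run.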