gcp-gce-ip-fwd-on

Ensure that IP forwarding is not enabled on Instances

By default, Compute Engine does not forward an IP packet unless its source IP matches the address of the instance, and it does not deliver a packet whose destination is anything other than the IP of the receiving instance. This default source/destination IP validation should be disabled (by setting can_ip_forward = true) only when the instance runs a dedicated piece of networking software that needs to modify the IP traffic flow directly.

Examples

Insecure Example

resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  # Disables the source/destination IP check; this is what the rule flags
  can_ip_forward = true

  # Required by the provider for a complete resource; values are illustrative
  boot_disk {
    initialize_params { image = "debian-cloud/debian-11" }
  }
  network_interface { network = "default" }
}

Secure Example

resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  can_ip_forward = false # Defaults to false, so could also simply be omitted

  # Required by the provider for a complete resource; values are illustrative
  boot_disk {
    initialize_params { image = "debian-cloud/debian-11" }
  }
  network_interface { network = "default" }
}
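As an added example (not code from this rule page or from the scanner that ships it), the following Python function implements the check over Terraform source: a literal can_ip_forward = true is a FAIL, an omitted attribute or a literal false is compliant (the provider default is false), and a variable or expression is reported as UNKNOWN rather than silently passed. The regex matching assumes terraform fmt layout, and SAMPLE_TF is a constructed input.

```python
import re

RULE_ID = "gcp-gce-ip-fwd-on"

# One google_compute_instance block. Assumes terraform-fmt layout: the
# resource's closing brace is at column 0 and nested blocks are indented.
RESOURCE_RE = re.compile(
    r'^resource\s+"google_compute_instance"\s+"([^"]+)"\s*\{(.*?)^\}',
    re.DOTALL | re.MULTILINE,
)
# The attribute on its own line; the value stops at whitespace or a comment.
FLAG_RE = re.compile(r'^\s*can_ip_forward\s*=\s*([^\s#]+)', re.MULTILINE)


def check_ip_forwarding(hcl: str) -> list[dict]:
    """One finding per instance whose can_ip_forward is not a literal false.
    Omitted or 'false' is compliant (the provider default is false); a literal
    'true' is a FAIL; a variable or expression is UNKNOWN until plan time.
    """
    findings = []
    for match in RESOURCE_RE.finditer(hcl):
        name, body = match.group(1), match.group(2)
        flag = FLAG_RE.search(body)
        if flag is None or flag.group(1) == "false":
            continue
        value = flag.group(1)
        findings.append({
            "rule": RULE_ID,
            "resource": f"google_compute_instance.{name}",
            "value": value,
            "status": "FAIL" if value == "true" else "UNKNOWN",
        })
    return findings


# Constructed sample covering each case the checker handles.
SAMPLE_TF = '''resource "google_compute_instance" "router" {
  can_ip_forward = true
  network_interface { network = "default" }
}
resource "google_compute_instance" "web" {
  can_ip_forward = false # explicit default
}
resource "google_compute_instance" "db" {
  name = "db" # can_ip_forward omitted: defaults to false
}
resource "google_compute_instance" "nat" {
  can_ip_forward = var.enable_forwarding
}
'''
```

Running check_ip_forwarding(SAMPLE_TF) yields a FAIL for the router instance and an UNKNOWN for the nat instance; the web and db instances produce no finding.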

More information