---
title: Google Compute network using firewall rule that allows all ports
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Google Compute network using firewall rule
  that allows all ports
---

# Google Compute network using firewall rule that allows all ports

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-gcp-google-compute-network-using-firewall-rule-allows-all-ports`

**Provider:** GCP

**Platform:** Ansible

**Severity:** Medium

**Category:** Networking and Firewall

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html#parameter-allowed)

### Description{% #description %}

Allowing ingress on all ports (0-65535) greatly increases attack surface by exposing every service port to network scanning and exploitation. This can lead to unauthorized access, lateral movement, and easier compromise of instances.

This rule flags Ansible tasks using the `google.cloud.gcp_compute_firewall` or `gcp_compute_firewall` module where the rule is ingress and the `allowed` entry contains `ports: ["0-65535"]` for a firewall associated with a compute network referenced by a preceding `google.cloud.gcp_compute_network`/`gcp_compute_network` task.

The `allowed.ports` property must not include `"0-65535"`. Instead, specify explicit ports or narrow ranges (for example `"80"`, `"443"`, or `"1024-2048"`) and restrict access with an appropriate `source_ranges` list or other selectors such as `source_tags`.

Secure example (allow only HTTP/HTTPS from a limited source range):

```yaml
- name: Allow HTTP and HTTPS from internal range
  google.cloud.gcp_compute_firewall:
    name: allow-web
    network: "{{ my_network }}"
    direction: INGRESS
    allowed:
      - ip_protocol: tcp      # module parameter name (the GCP API calls it IPProtocol)
        ports: ["80", "443"]
    source_ranges: ["10.0.0.0/8"]   # module parameter name (API: sourceRanges)
```
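The check described above, written out as an added example (not Datadog's own rule engine): a small Python checker that walks a list of Ansible tasks, collects the variables registered by `gcp_compute_network` tasks, and reports ingress firewall tasks that allow `0-65535` on a network bound to one of those variables. The tasks are constructed inline as Python dicts mirroring the page's compliant and non-compliant playbooks; names such as `find_all_ports_ingress` are this example's own.

```python
import re

# Module names the rule matches, fully qualified and short form as on the page.
FIREWALL_MODULES = {"google.cloud.gcp_compute_firewall", "gcp_compute_firewall"}
NETWORK_MODULES = {"google.cloud.gcp_compute_network", "gcp_compute_network"}
JINJA_VAR = re.compile(r"\{\{\s*([A-Za-z_]\w*)")  # first identifier in "{{ my_network }}"

def _module_args(task, module_names):
    """Return the module's argument dict if the task uses one of module_names, else None."""
    return next((task[key] or {} for key in module_names if key in task), None)

def _port_range(spec):
    """Parse a port spec such as '22' or '0-65535' (str or int) into (lo, hi)."""
    lo, _, hi = str(spec).strip().partition("-")
    return int(lo), int(hi or lo)

def _allows_all_ports(allowed):
    """True if any `allowed` entry lists a range that is exactly 0-65535."""
    return any(_port_range(spec) == (0, 65535)
               for entry in allowed or [] for spec in entry.get("ports") or [])

def find_all_ports_ingress(tasks):
    """Return the names of firewall tasks that violate the rule: ingress (GCP's
    default when `direction` is omitted), 0-65535 allowed, and `network` bound
    to a variable registered by a gcp_compute_network task anywhere in the play
    (the page's examples put the network task after the firewall task)."""
    network_vars = {task["register"] for task in tasks
                    if "register" in task and _module_args(task, NETWORK_MODULES) is not None}
    findings = []
    for task in tasks:
        args = _module_args(task, FIREWALL_MODULES)
        if args is None or str(args.get("direction", "INGRESS")).upper() != "INGRESS":
            continue
        ref = JINJA_VAR.search(str(args.get("network", "")))
        if ref and ref.group(1) in network_vars and _allows_all_ports(args.get("allowed")):
            findings.append(task.get("name", "<unnamed>"))
    return findings

# Constructed tasks mirroring the page's compliant and non-compliant playbooks.
SAMPLE_TASKS = [
    {"name": "create a firewall", "google.cloud.gcp_compute_firewall": {
        "network": "{{ my_network }}", "allowed": [{"ip_protocol": "tcp", "ports": ["22"]}]}},
    {"name": "create a network", "register": "my_network",
     "google.cloud.gcp_compute_network": {"name": "test_object"}},
    {"name": "create a firewall2", "google.cloud.gcp_compute_firewall": {
        "network": "{{ my_network2 }}", "allowed": [{"ip_protocol": "tcp", "ports": ["0-65535"]}]}},
    {"name": "create a network2", "register": "my_network2",
     "google.cloud.gcp_compute_network": {"name": "test_object"}},
]
if __name__ == "__main__":
    print(find_all_ports_ingress(SAMPLE_TASKS))  # ['create a firewall2']
```

Feeding a real playbook through this only requires loading it with a YAML parser into the same list-of-dicts shape; only `create a firewall2` is reported from the constructed tasks, and an egress rule with the same ports would be ignored.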

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: create a firewall
  google.cloud.gcp_compute_firewall:
    name: test_object
    allowed:
    - ip_protocol: tcp
      ports:
      - '22'
    target_tags:
    - test-ssh-server
    - staging-ssh-server
    source_tags:
    - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    network: "{{ my_network }}"
- name: create a network
  google.cloud.gcp_compute_network:
    name: test_object
    auto_create_subnetworks: 'true'
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
  register: my_network
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: create a firewall2
  google.cloud.gcp_compute_firewall:
    name: test_object
    allowed:
    - ip_protocol: tcp
      ports:
      - '0-65535'
    target_tags:
    - test-ssh-server
    - staging-ssh-server
    source_tags:
    - test-ssh-clients
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    network: "{{ my_network2 }}"
- name: create a network2
  google.cloud.gcp_compute_network:
    name: test_object
    auto_create_subnetworks: 'true'
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
  register: my_network2
```
