Possible exposable asset type on Google Cloud

cn flag

One of the ways to secure a cloud environment is to monitor all of the assets that we have. Recently, I made a script to get information regarding those assets by using GCP API, but I need to do it one by one, for each asset by using the describe command to determine if it is public or not.

Do you know which asset type on Google Cloud that can be publicly accessible? I found some but I want to make sure that I cover every asset type that can be public.

Here is what I found:

  1. Bucket
  2. Instance
  3. Firewall
  4. Forwarding Rule
  5. Backend Service
  6. Cluster
  7. Storage

Is there anything else that I missed? or is there a way to get all information regarding public asset on GCP?

Wojtek_B avatar
jp flag
Please clarify what's your criteria for clasiffying a resource as public, what's the `gcloud` command you use to deternine that ? What's your goal here ?
Insight Habor avatar
cn flag
hello there, for example in Forwarding Rules i use `gcloud compute forwarding-rules describe NAME --format=json` from [link]( and it will show a json file with keys and values. This is the keys and values [link]( One of the key is `loadBalancingScheme` which value can be `EXTERNAL` or `INTERNAL`. If it is `EXTERNAL` it is possibly exposable to internet with external IP Address
jp flag

I believe you may be confusing few things so let me explain what's what.

There's no such distinctiomn in GCP services as Public (or external) and internal.

Some of the - like Load Balancers are designed to work both ways - depending on what you need. Sometime you want to distribute big amounts of traffic between you VM's (or other backend services) and sometimes between your VM's in you project or just a single VPC network.

Buckets store data - by default they are visible only to people that have permisions to read their contents. To make them available from Internet you have to explicitly make that choice and assign specific permissions (hardly something that can be done accidentally).

VM instances by default get Public IP (however it's NAT'ed). You can choose to get only internal IP - this way they are only visible to other VM's in the same VPC network.

Forwarding rules and backend services are a part of Load Balancers which I explained earlier.

Cluster is a group of VM's working together to achieve better scalability for your services. By default single VM's in the GKE cluster get external IP and can be accessed from the Internet but you can choose for them to only have internal IP's. In this case you can really get Private or Public cluster.

Storage - there are several options here - buckets are just one of them. Most widely used are disks used to run and store data in your VM's. They however are designed to be available to VM's inside GCP.

There are many other GCP services - have a look at linked documentaiton to understand the basics.

Insight Habor avatar
cn flag
hello thank you for the answer good Sir, is there any other possible type that can be public / have external IP other than you said? thank you very much for the answer. I cant click on the `GCP services` link that you provided
Wojtek_B avatar
jp flag
Additionally you can access CloudSQL instances, App engine apps, cloud run apps etc. If you're using [Cloud VPN]( to connect your on-premise network with the one in GCP you're also exposing this service to the Internet.

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.