services / Google Cloud / Compute Engine forwarding rules

Manage layer 4 port forwarding rules within a Google Cloud load balancer.

Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.


Can not be used to change targets. Can be used to escalate access when the rule already directs traffic to a target system and the attacker has access to a particular source endpoint.


Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.


  • https:​/​/​cloud.​google.​com/​load-​balancing/​docs/​using-​forwarding-​rules
  • https:​/​/​cloud.​google.​com/​load-​balancing/​docs/​protocol-​forwarding
  • https:​/​/​cloud.​google.​com/​load-​balancing/​docs/​access-​control
  • https:​/​/​cloud.​google.​com/​service-​directory/​docs/​configuring-​netlb-​in-​sd
  • https:​/​/​cloud.​google.​com/​sdk/​gcloud/​reference/​compute/​forwarding-​rules
  • https:​/​/​cloud.​google.​com/​vpc/​docs/​private-​service-​connect
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog