services / Google Cloud / Compute Engine forwarding rules

Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing.

Multiple organizational functions often reside within Compute Engine. However, abusing forwarding rules requires an additional weakness in the VM / VPC configuration, such as sensitive data or access exposed on open VPC ports.


Cannot be used to change targets. Can be used to reach Google-managed services when the rule already directs traffic to a target service and the attacker has access to a suitable source VM.
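The VPC-side precondition described above (a broad port surface behind a forwarding rule) is something a defender can audit from an export. The following is an added example, not code from the IAM Privilege Catalog or from P0 Security; it parses the JSON produced by `gcloud compute forwarding-rules list --global --format=json` and flags rules that accept a wide port range, using a constructed sample and an assumed threshold of 1000 ports.

```python
"""Audit exported Compute Engine forwarding rules for broad port exposure.

Added example, not part of the catalog entry. Input is the JSON emitted by
`gcloud compute forwarding-rules list --global --format=json` (or the regional
variant without --global). The sample records below are constructed and the
flagging threshold is an assumption, not a Google recommendation.
"""
import json

# Constructed sample using field names of the Compute API forwardingRules
# resource (name, IPProtocol, portRange, allPorts, target, loadBalancingScheme).
SAMPLE_EXPORT = json.dumps([
    {"name": "web-https", "IPProtocol": "TCP", "portRange": "443-443",
     "target": ".../targetHttpsProxies/web-proxy", "loadBalancingScheme": "EXTERNAL"},
    {"name": "legacy-tcp", "IPProtocol": "TCP", "portRange": "1-65535",
     "target": ".../targetPools/legacy", "loadBalancingScheme": "EXTERNAL"},
    {"name": "internal-all", "IPProtocol": "TCP", "allPorts": True,
     "backendService": ".../backendServices/int-be", "loadBalancingScheme": "INTERNAL"},
])

WIDE_PORT_SPAN = 1000  # assumed threshold: flag rules accepting more ports than this


def port_span(rule):
    """Number of ports a rule accepts; 65535 when allPorts is set."""
    if rule.get("allPorts"):
        return 65535
    if "portRange" in rule:
        # portRange is "lo-hi" or a single port "p"
        lo, _, hi = rule["portRange"].partition("-")
        return int(hi or lo) - int(lo) + 1
    return len(rule.get("ports", []))


def audit_forwarding_rules(export_json, threshold=WIDE_PORT_SPAN):
    """Return (rule name, reason) pairs for rules with a broad port surface."""
    findings = []
    for rule in json.loads(export_json):
        span = port_span(rule)
        if span > threshold:
            scheme = rule.get("loadBalancingScheme", "?")
            findings.append((rule["name"], f"accepts {span} ports ({scheme})"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_forwarding_rules(SAMPLE_EXPORT):
        print(f"{name}: {reason}")
```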


Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.


  • https://cloud.google.com/load-balancing/docs/using-forwarding-rules
  • https://cloud.google.com/load-balancing/docs/protocol-forwarding
  • https://cloud.google.com/load-balancing/docs/access-control
  • https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd
  • https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules
  • https://cloud.google.com/vpc/docs/private-service-connect
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog