
lacework-global-819

6.2.9 Set Instance IP assignment to private (Automated)

Description

Best practices recommend configuring Second Generation Cloud SQL instances to use private IPs instead of public IPs.

Remediation

From Google Cloud Console:

  1. Go to the Cloud SQL Instances page in the Google Cloud Console: https://console.cloud.google.com/sql/instances.
  2. Click the instance name to open its Instance details page.
  3. Select Connections from the SQL navigation menu.
  4. Click Networking tab.
  5. Deselect the Public IP checkbox.
  6. Click Save to update the instance.

From Command Line:

  1. For every instance, remove its public IP and assign a private IP instead:
     gcloud sql instances patch <instance_id> --project=<project_id> --network=projects/<project_id>/global/networks/<vpc_network_name> --no-assign-ip
  2. Confirm the changes using the following command:
     gcloud sql instances list --format="json" | jq '.[] | .connectionName,.ipAddresses'
<project_id> is the project ID of the instance you want to set to a private IP. <instance_id> is the instance name of the instance you want to set to a private IP.
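The confirmation step above leaves the reader to eyeball the `ipAddresses` output. The script below is an added example (not part of the Lacework page or Google's tooling) that reads the JSON produced by `gcloud sql instances list --format=json`, flags every instance that still has a public IPv4 address, and prints the matching `patch` command; the sample JSON is constructed, using the Cloud SQL Admin API field names `settings.ipConfiguration.ipv4Enabled`, `settings.ipConfiguration.privateNetwork` and `ipAddresses[].type`.

```python
import json

# Constructed sample in the shape of `gcloud sql instances list --format=json`.
# Field names match the Cloud SQL Admin API; project, names and addresses are made up.
SAMPLE_OUTPUT = json.dumps([
    {
        "name": "orders-db",
        "project": "example-project",
        "connectionName": "example-project:us-central1:orders-db",
        "settings": {"ipConfiguration": {
            "ipv4Enabled": True,
            "privateNetwork": "projects/example-project/global/networks/prod-vpc"}},
        "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.10"},
                        {"type": "PRIVATE", "ipAddress": "10.10.0.5"}],
    },
    {
        "name": "analytics-db",
        "project": "example-project",
        "connectionName": "example-project:us-central1:analytics-db",
        "settings": {"ipConfiguration": {
            "ipv4Enabled": False,
            "privateNetwork": "projects/example-project/global/networks/prod-vpc"}},
        "ipAddresses": [{"type": "PRIVATE", "ipAddress": "10.10.0.6"}],
    },
])


def has_public_ip(instance):
    """True if the instance is configured for, or currently holds, a public IPv4 address."""
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    if ip_cfg.get("ipv4Enabled", False):
        return True
    # PRIMARY is the public address; PRIVATE is the VPC address; OUTGOING is the egress address.
    return any(addr.get("type") == "PRIMARY" for addr in instance.get("ipAddresses", []))


def noncompliant_instances(gcloud_json):
    """Return (connectionName, remediation command) for each instance that still has a public IP."""
    findings = []
    for inst in json.loads(gcloud_json):
        if not has_public_ip(inst):
            continue
        network = inst.get("settings", {}).get("ipConfiguration", {}).get("privateNetwork")
        # An instance with no private network attached needs one before --no-assign-ip can apply.
        cmd = (f"gcloud sql instances patch {inst['name']} --project={inst['project']} "
               f"--network={network or 'projects/<project_id>/global/networks/<vpc_network_name>'} "
               f"--no-assign-ip")
        findings.append((inst["connectionName"], cmd))
    return findings


if __name__ == "__main__":
    for conn, cmd in noncompliant_instances(SAMPLE_OUTPUT):
        print(f"{conn}: public IP enabled -> {cmd}")
```

Against real output, pipe `gcloud sql instances list --format=json` into `noncompliant_instances` instead of `SAMPLE_OUTPUT`; the script only reports and prints commands, it does not change any instance.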

Prevention:

To prevent new SQL instances from being configured with public IP addresses, set up the "Restrict Public IP access on Cloud SQL instances" organization policy at: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp.

References

https://cloud.google.com/sql/docs/postgres/configure-private-ip
https://cloud.google.com/vpc/docs/configure-private-services-access#procedure
https://cloud.google.com/vpc/docs/configure-private-services-access#creating-connection