lacework-global-819
Set Instance IP assignment to private (Automated)
Description
Best practice is to configure Cloud SQL Second Generation instances to use private IP addresses (reachable only from the connected VPC via private services access) instead of public IPs, which expose the database endpoint to the internet and leave it protected only by authorized networks and authentication.
Remediation
From Google Cloud Console:
- Go to the Cloud SQL Instances page in the Google Cloud Console: https://console.cloud.google.com/sql/instances.
- Click the instance name to open its Instance details page.
- Select Connections from the SQL navigation menu.
- Click the Networking tab.
- Deselect the Public IP checkbox.
- Click Save to update the instance.
From Command Line:
- For every affected instance, remove its public IP and assign a private IP on the VPC instead. The VPC must already have a private services access connection configured (see References), and any clients that currently connect over the public address must be moved to the private address or the Cloud SQL Auth Proxy first, since they lose connectivity when the public IP is removed:
gcloud sql instances patch <instance_id> --project=<project_id> --network=projects/<project_id>/global/networks/<vpc_network_name> --no-assign-ip
- Confirm the changes using the following command:
gcloud sql instances list --format="json" | jq '.[] | .connectionName,.ipAddresses'
<project_id> is the ID of the project containing the instance you want to move to a private IP. <instance_id> is the name of that instance. <vpc_network_name> is the VPC network that has private services access configured. In the output of the confirmation command, a public address appears with type PRIMARY and a private address with type PRIVATE; after remediation only the PRIVATE entry should remain.
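The procedure above is easy to get wrong at scale: an instance that has no private network yet cannot simply have its public IP removed, because it would be left with no address at all, so the patch must also attach a VPC. The following added example (not part of the original policy page or of any Lacework tooling) audits the JSON that `gcloud sql instances list --format=json` produces, flags instances that still expose a public address, and builds the page's patch command for each one, reusing the instance's existing private network when it has one and falling back to a caller-supplied VPC when it does not. The instance records, project ID and VPC name are constructed sample data.

```python
import json
import shlex

# Constructed sample resembling `gcloud sql instances list --format=json` output.
# Project, instance and network names are invented for this example.
SAMPLE_GCLOUD_JSON = json.dumps([
    {
        "name": "orders-db",
        "project": "example-project",
        "connectionName": "example-project:us-central1:orders-db",
        "ipAddresses": [
            {"ipAddress": "203.0.113.10", "type": "PRIMARY"},   # public IPv4
            {"ipAddress": "10.20.0.5", "type": "PRIVATE"},      # private services access
        ],
        "settings": {"ipConfiguration": {
            "ipv4Enabled": True,
            "privateNetwork": "projects/example-project/global/networks/prod-vpc",
        }},
    },
    {
        "name": "analytics-db",
        "project": "example-project",
        "connectionName": "example-project:us-central1:analytics-db",
        "ipAddresses": [{"ipAddress": "10.20.0.7", "type": "PRIVATE"}],
        "settings": {"ipConfiguration": {
            "ipv4Enabled": False,
            "privateNetwork": "projects/example-project/global/networks/prod-vpc",
        }},
    },
    {
        "name": "legacy-db",
        "project": "example-project",
        "connectionName": "example-project:us-east1:legacy-db",
        "ipAddresses": [{"ipAddress": "198.51.100.20", "type": "PRIMARY"}],
        # No privateNetwork at all: removing the public IP alone would leave it unreachable.
        "settings": {"ipConfiguration": {"ipv4Enabled": True}},
    },
])


def has_public_ip(instance: dict) -> bool:
    """True if the instance currently exposes a public IPv4 address.

    In the Cloud SQL Admin API the public address is reported with type
    PRIMARY and the private-services-access address with type PRIVATE;
    settings.ipConfiguration.ipv4Enabled is the flag the patch command clears.
    Either signal is enough to flag the instance.
    """
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    if ip_cfg.get("ipv4Enabled"):
        return True
    return any(a.get("type") == "PRIMARY" for a in instance.get("ipAddresses", []))


def find_public_instances(gcloud_json: str) -> list:
    """Names of all instances in the gcloud JSON that still have a public IP."""
    return [i["name"] for i in json.loads(gcloud_json) if has_public_ip(i)]


def remediation_command(instance: dict, fallback_vpc: str) -> str:
    """Build the `gcloud sql instances patch ... --no-assign-ip` command.

    Keeps the instance's existing private network when one is attached;
    otherwise attaches fallback_vpc (which must already have private services
    access configured) so the instance is never left without an address.
    """
    project = instance["project"]
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    network = ip_cfg.get("privateNetwork") or f"projects/{project}/global/networks/{fallback_vpc}"
    return " ".join([
        "gcloud sql instances patch", shlex.quote(instance["name"]),
        f"--project={shlex.quote(project)}",
        f"--network={shlex.quote(network)}",
        "--no-assign-ip",
    ])


def remediation_plan(gcloud_json: str, fallback_vpc: str) -> dict:
    """Map each non-compliant instance name to the command that fixes it."""
    return {i["name"]: remediation_command(i, fallback_vpc)
            for i in json.loads(gcloud_json) if has_public_ip(i)}


if __name__ == "__main__":
    # In practice feed real output: gcloud sql instances list --format=json > instances.json
    for name, cmd in remediation_plan(SAMPLE_GCLOUD_JSON, "prod-vpc").items():
        print(f"{name}: {cmd}")
```

The plan only prints commands; review them before running, because the private-services-access connection and client migration must be in place before the public address disappears.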
Prevention:
To prevent new Cloud SQL instances from being created with public IP addresses, enforce the "Restrict Public IP access on Cloud SQL instances" organization policy constraint (constraints/sql.restrictPublicIp) at the organization, folder or project level: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp. Note that this constraint blocks new public-IP assignments but does not change existing instances, which still need the remediation above.
References
https://cloud.google.com/sql/docs/postgres/configure-private-ip
https://cloud.google.com/vpc/docs/configure-private-services-access#procedure
https://cloud.google.com/vpc/docs/configure-private-services-access#creating-connection