Google CloudOverview
Instance addresses can be public IP or private IP. Public IP means that the instance is accessible through the public internet. In contrast, instances using only private IP are not accessible through the public internet, but are accessible through a Virtual Private Cloud (VPC).
Limiting network access to your database will limit potential attacks.
Rationale
Setting databases access only to private will reduce attack surface.
Impact
If you set a database IP to private, only a host from the same network will have the ability to connect your database.
Configuring an existing Cloud SQL instance to use private IP causes the instance to restart.
Remediation guidance
From Google Cloud Console
- Go to the
Cloud SQL Instancespage in the Google Cloud Console by visiting https://console.cloud.google.com/sql/instances - Open the
Overviewpage of an instance by clicking the instance name - Select
Connectionsfrom the SQL navigation menu and navigate toNETWORKING - Check the
Private IPcheckbox. A drop-down list shows the available networks in your project - Select the VPC network you want to use:
If you see
Private service connection required:- Click
Set up connection. - In the
Allocate an IP rangesection, choose one of the following options: - Select one or more existing IP ranges or create a new one from the dropdown. The dropdown includes previously allocated ranges, if there are any, or you can select
Allocate a new IP rangeand enter a new range and name. - Use an automatically allocated IP range in your network. Note: You can specify an address range only for a primary instance, not for a read replica or clone.
- Click
Continue. - Click
Create connection. - Verify that you see the Private service connection for network VPC_NETWORK_NAME has been successfully created status.
- Click
- [Optional step for Private Services Access - review reference links to VPC documents for additional detail] If you want to allow other Google Cloud services such as BigQuery to access data in Cloud SQL and make queries against this data over a private IP connection, then select the Private path for Google Cloud services check box.
- Click
SAVE
Using Google Cloud CLI
- List Cloud SQL Instances:
gcloud sql instances list --format="json" | jq '.[] | .connectionName,.ipAddresses'
Note the project name of the instance you want to set to a private IP, this will be
Example public instance output:
"my-project-123456:us-central1:my-instance"
[
{
"ipAddress": "0.0.0.0",
"type": "PRIMARY"
},
{
"ipAddress": "0.0.0.0",
"type": "OUTGOING"
}
- Run the following command to list the available VPCs:
gcloud compute networks list --format="json" | jq '.[].name'
Note the name of the VPC to use for the instance private IP, this will be
- Run the following to set instance to a private IP
gcloud beta sql instances patch <instanceID> \ --project=<projectID> \ --network=projects/<projectID>/global/networks/ \ --no-assign-ip
Default Value
By default, a public IP is assigned.
References
- https://cloud.google.com/sql/docs/postgres/configure-private-ip
- https://cloud.google.com/vpc/docs/configure-private-services-access#procedure
- https://cloud.google.com/vpc/docs/configure-private-services-access#creating-connection
Multiple Remediation Paths
Google Cloud
SERVICE-WIDE (RECOMMENDED when many resources are affected): Enforce Organization Policies at org/folder level so new resources inherit secure defaults.
gcloud org-policies set-policy policy.yaml
ASSET-LEVEL: Use the product-specific remediation steps above for only the impacted project/resources.
PREVENTIVE: Use org policy constraints/custom constraints and enforce checks in deployment pipelines.
References for Service-Wide Patterns
- GCP Organization Policy overview: https://cloud.google.com/resource-manager/docs/organization-policy/overview
- GCP Organization policy constraints catalog: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
- gcloud org-policies: https://cloud.google.com/sdk/gcloud/reference/org-policies
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Google Cloud: apply organization policy constraints at org/folder scope.
gcloud org-policies set-policy policy.yaml
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Ensure Instance IP assignment is set to private
Connectors
Covered asset types
Expected check: eq []
{
cloudSqlInstances(
where: {
cloudProvider: "gcp"
ipAddresses_SOME: { NOT: { type: "PRIVATE" } }
}
) {
...AssetFragment
}
}
