Overview
Instance addresses can be public IP or private IP. Public IP means that the instance is accessible through the public internet. In contrast, instances using only private IP are not accessible through the public internet, but are accessible through a Virtual Private Cloud (VPC).
Limiting network access to your database will limit potential attacks.
Rationale
Restricting database access to private IP only reduces the attack surface.
Impact
If you set a database IP to private, only a host on the same VPC network (or a network peered or connected to it) will be able to connect to your database.
Configuring an existing Cloud SQL instance to use private IP causes the instance to restart.
Remediation guidance
From Google Cloud Console
- Open Cloud SQL Instances in Google Cloud Console.
- Select the affected instance.
- Go to Connections -> Networking.
- Enable Private IP.
- Select the target VPC network.
- If prompted, create or select the required Private Services Access connection and allocated range.
- Optional: enable Private path if approved Google-managed services such as BigQuery must reach the instance over private connectivity.
- Save the change.
Using Google Cloud CLI
First confirm that Private Services Access is already configured for the VPC. Then patch the instance to use private IP and disable the public address:
gcloud sql instances patch <instance-id> --project=<project-id> --network=projects/<network-project-id>/global/networks/<vpc-network-name> --no-assign-ip --enable-google-private-path --enforce-new-sql-network-architecture
Validate the networking configuration:
gcloud sql instances describe <instance-id> --project=<project-id> --format='yaml(settings.ipConfiguration,sqlNetworkArchitecture)'
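As an added example (not part of this page or Google's tooling), the following script applies the same condition as the stored check in the Query logic section below, any address whose type is not PRIVATE, to the JSON form of the describe output (gcloud sql instances describe ... --format=json), and also cross-checks the configured state (ipv4Enabled, privateNetwork). The instance data is constructed inline so it runs offline.

```python
import json

# Constructed sample in the shape of `gcloud sql instances describe --format=json`
# output, abbreviated to the fields this check reads. Not real project data.
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "orders-db", "project": "example-project",
   "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.10"},
                   {"type": "PRIVATE", "ipAddress": "10.20.0.5"}],
   "settings": {"ipConfiguration": {"ipv4Enabled": true,
                "privateNetwork": "projects/example-project/global/networks/prod-vpc"}}},
  {"name": "reports-db", "project": "example-project",
   "ipAddresses": [{"type": "PRIVATE", "ipAddress": "10.20.0.9"}],
   "settings": {"ipConfiguration": {"ipv4Enabled": false,
                "privateNetwork": "projects/example-project/global/networks/prod-vpc"}}},
  {"name": "legacy-db", "project": "example-project",
   "ipAddresses": [{"type": "PRIMARY", "ipAddress": "198.51.100.7"}],
   "settings": {"ipConfiguration": {"ipv4Enabled": true}}}
]
""")

def public_addresses(instance):
    """Addresses whose type is not PRIVATE: the condition the stored check uses."""
    return [a for a in instance.get("ipAddresses", []) if a.get("type") != "PRIVATE"]

def is_compliant(instance):
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    # Observed addresses and configured state must agree: no public address
    # assigned, ipv4Enabled off, and a VPC network set for private IP.
    return (not public_addresses(instance)
            and not ip_cfg.get("ipv4Enabled", False)
            and bool(ip_cfg.get("privateNetwork")))

def findings(instances):
    """Non-compliant instances with reasons; an empty list is the 'eq []' pass state."""
    out = []
    for inst in instances:
        if is_compliant(inst):
            continue
        ip_cfg = inst.get("settings", {}).get("ipConfiguration", {})
        reasons = []
        if public_addresses(inst):
            reasons.append("public address: " + ", ".join(a["type"] for a in public_addresses(inst)))
        if ip_cfg.get("ipv4Enabled", False):
            reasons.append("ipv4Enabled is true")
        if not ip_cfg.get("privateNetwork"):
            reasons.append("no privateNetwork configured")
        out.append({"name": inst["name"], "reasons": reasons})
    return out

if __name__ == "__main__":
    for f in findings(SAMPLE_INSTANCES):
        print(f"{f['name']}: {'; '.join(f['reasons'])}")
```

Run it against real output by replacing SAMPLE_INSTANCES with the parsed JSON of `gcloud sql instances list --format=json`; an instance that is still non-compliant after the patch usually means the restart has not completed or ipv4Enabled was left on.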
Better platform fix
For sensitive environments, standardize on private IP for Cloud SQL by default and treat public IP as an exception. Pair this with connector or proxy-based access patterns and organization policy guardrails where possible.
Operational notes
- Changing an existing instance to private IP causes a restart.
- Shared VPC environments require the correct host-project network reference and Service Networking permissions.
- If the instance still needs public connectivity for a transition period, remove it later in a planned second step instead of leaving it indefinitely.
References
- https://cloud.google.com/sql/docs/postgres/configure-private-ip
- https://docs.cloud.google.com/sdk/gcloud/reference/sql/instances/patch
- https://cloud.google.com/vpc/docs/configure-private-services-access
Service-wide remediation
Recommended when many resources are affected: move Cloud SQL onto a private-connectivity baseline instead of patching instances one by one.
Standardize private IP, Private Services Access, and approved client connectivity patterns in your landing-zone and database provisioning modules.
Operational rollout
- Verify network prerequisites and IP range capacity first.
- Migrate non-production instances before production.
- Re-scan after instance restarts complete and remove any leftover public-access exceptions.
Query logic
These are the stored checks tied to this control.
Ensure Instance IP assignment is set to private
Connectors
Covered asset types
Expected check: eq []
{
  cloudSqlInstances(
    where: {
      cloudProvider: "gcp"
      ipAddresses_SOME: { NOT: { type: "PRIVATE" } }
    }
  ) {
    ...AssetFragment
  }
}
Google Cloud