Cyscale
Back to controls

Ensure Cloud SQL database instances do not have public IPs

It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs.

Category

Controls

Medium

Applies to

Google Cloud

Coverage

1 queries

Asset types

1 covered

Overview

It is recommended to configure Second Generation Sql instance to use private IPs instead of public IPs.

Rationale

To lower the organization's attack surface, Cloud SQL databases should not have public IPs. Private IPs provide improved network security and lower latency for your application.

Impact

Removing the public IP address on SQL instances may break some applications that relied on it for database connectivity.

Remediation guidance

Google Cloud Remediation

Service-wide fix (recommended): require private IP for Cloud SQL and enforce constraints/sql.restrictPublicIp at the project, folder, or organization level.

Google Cloud console

  1. Open Cloud SQL Instances.
  2. Select the instance.
  3. Go to Connections -> Networking.
  4. Disable Public IP.
  5. If the instance does not yet have private connectivity, configure Private IP first by selecting the target VPC network.
  6. Save the change and validate application connectivity.

Google Cloud CLI

Move the instance to private connectivity and remove the public IP:

gcloud sql instances patch <instance-name>   --network=projects/<host-project-id>/global/networks/<vpc-network-name>   --no-assign-ip

Validate the IP configuration:

gcloud sql instances describe <instance-name>

Prevention

Enforce the predefined organization policy that restricts public IP on Cloud SQL:

name: organizations/<org-id>/policies/sql.restrictPublicIp
spec:
  rules:
  - enforce: true

gcloud org-policies set-policy policy.yaml

Operational notes

  • Private IP requires Private Service Access to be set up between your VPC and Google-managed services before the instance can use private connectivity.
  • The sql.restrictPublicIp organization policy is not retroactive. Existing instances with public IP keep working until you remediate them.
  • The current query identifies second-generation instances with a primary public IP. Replicas follow the networking model of the primary, so fix the primary design first.

References

  • https://cloud.google.com/sql/docs/mysql/configure-private-ip
  • https://cloud.google.com/sql/docs/mysql/private-ip
  • https://cloud.google.com/sql/docs/sqlserver/org-policy/org-policy
  • https://docs.cloud.google.com/sql/docs/sqlserver/org-policy/configure-org-policy

Query logic

These are the stored checks tied to this control.

Cloud SQL database instances do not have public IPs

Connectors

Google Cloud

Covered asset types

CloudSQLInstance

Expected check: eq []

{cloudSqlInstances(where:{instanceType:"CLOUD_SQL_INSTANCE",backendType:"SECOND_GEN",ipAddresses_SOME:{type:"PRIMARY"}}){...AssetFragment}}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon