Ensure Compute instances do not have public IP addresses

From Google Cloud Console

1. Go to the VM instances page by visiting: https://console.cloud.google.com/compute/instances
2. Click on each VM instance name to go to its details page
3. Click STOP and then click EDIT
4. For each Network interface, ensure that External IP is set to None.
5. Click Save and then click START

Using Google Cloud CLI

1. Describe the instance properties:

gcloud compute instances describe <instanceName> --zone=<zone>

1. Identify the access config name that contains the external IP address. This access config appears in the following format:

networkInterfaces:
- accessConfigs:
- kind: compute#accessConfig
 name: External NAT
 natIP: 130.211.181.55
 type: ONE_TO_ONE_NAT

1. Delete the access config.

gcloud compute instances delete-access-config <instanceName> --zone=<zone> --access-config-name <accessConfigName>

In the above example, the accessConfigName is External NAT. The name of your access config might be different.

Prevention

You can configure the Define allowed external IPs for VM instances Organization Policy to prevent VMs from being configured with public IP addresses. Learn more at: https://console.cloud.google.com/orgpolicies/compute-vmExternalIpAccess

Default Value

By default, Compute instances have a public IP address.

References

1. https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses
2. https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances
3. https://cloud.google.com/compute/docs/instances/connecting-to-instance
4. https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip
5. https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints

Additional information

You can connect to Linux VMs that do not have public IP addresses by using IdentityAware Proxy for TCP forwarding. Learn more at https://cloud.google.com/compute/docs/instances/connectingadvanced#sshbetweeninstances. For Windows VMs, see https://cloud.google.com/compute/docs/instances/connectingto-instance.

Multiple Remediation Paths

Google Cloud

SERVICE-WIDE (RECOMMENDED when many resources are affected): Enforce Organization Policies at org/folder level so new resources inherit secure defaults.

gcloud org-policies set-policy policy.yaml

ASSET-LEVEL: Use the product-specific remediation steps above for only the impacted project/resources.

PREVENTIVE: Use org policy constraints/custom constraints and enforce checks in deployment pipelines.

References for Service-Wide Patterns

• GCP Organization Policy overview: https://cloud.google.com/resource-manager/docs/organization-policy/overview
• GCP Organization policy constraints catalog: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
• gcloud org-policies: https://cloud.google.com/sdk/gcloud/reference/org-policies

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

• Google Cloud: apply organization policy constraints at org/folder scope.

gcloud org-policies set-policy policy.yaml

2. Remediate Existing Affected Assets

• Execute the control-specific Console/CLI steps documented above for each flagged resource.
• Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

• Re-scan after each remediation batch.
• Track exceptions with owner and expiry date.
• Add preventive checks in IaC/CI pipelines.