SQL database instances should not have public IPs


A SQL database instance with a public IP address is directly reachable by hosts on the Internet. To minimize the attack surface, configure the database server with private IP addresses only. Private addresses provide better security because traffic to them has to pass through intermediary firewall or NAT devices.

Remediation Steps

Google Cloud Console

  • Navigate to Cloud SQL instances.

  • Click on the Cloud SQL database instance name to go to the Overview page.

  • Click Connections in the left navigation pane.

  • Scroll down to the Networking section.

  • Uncheck the Public IP checkbox.

  • Click Save.

gcloud CLI

  • Disable the public IP for each Cloud SQL database instance, replacing INSTANCE_NAME with the name of the instance:

    • gcloud sql instances patch INSTANCE_NAME --no-assign-ip
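
To find which instances need the steps above, the following added example (not part of the original page) audits the JSON produced by `gcloud sql instances list --format=json` and emits the patch command for each instance that still has a public IP. The sample data is constructed, the field names follow the Cloud SQL Admin API instance resource, and withholding the command when no `privateNetwork` is set is an assumption of this example (it does not account for other private connectivity options).

```python
import json

# Constructed sample shaped like `gcloud sql instances list --format=json`
# output; instance names, networks and addresses are made up.
SAMPLE = json.loads("""
[
  {"name": "orders-db",
   "settings": {"ipConfiguration": {"ipv4Enabled": true,
       "privateNetwork": "projects/example-project/global/networks/default"}},
   "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.10"},
                   {"type": "PRIVATE", "ipAddress": "10.20.0.3"}]},
  {"name": "legacy-db",
   "settings": {"ipConfiguration": {"ipv4Enabled": true}},
   "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.11"}]},
  {"name": "internal-db",
   "settings": {"ipConfiguration": {"ipv4Enabled": false,
       "privateNetwork": "projects/example-project/global/networks/default"}},
   "ipAddresses": [{"type": "PRIVATE", "ipAddress": "10.20.0.4"}]}
]
""")


def audit(instances):
    """Return one finding per instance that still has a public IP."""
    findings = []
    for inst in instances:
        ip_cfg = inst.get("settings", {}).get("ipConfiguration", {})
        # A PRIMARY address is the instance's public IP; PRIVATE is the VPC one.
        public = [a["ipAddress"] for a in inst.get("ipAddresses", [])
                  if a.get("type") == "PRIMARY"]
        if not (ip_cfg.get("ipv4Enabled") or public):
            continue  # no public IP configured or assigned
        # Assumption: only suggest removal once a private network exists,
        # so clients keep a path to the database after the change.
        has_private = bool(ip_cfg.get("privateNetwork"))
        findings.append({
            "instance": inst["name"],
            "public_ips": public,
            "has_private_network": has_private,
            "fix": f"gcloud sql instances patch {inst['name']} --no-assign-ip"
                   if has_private else None,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Against a real project, replace `SAMPLE` with the parsed output of the list command; instances reported with `fix` set to `None` need private connectivity configured before the public IP is removed.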