Ensure compute instances do not have public IPs

Error: Compute instances have public IPs

Bridgecrew Policy ID: BC_GCP_PUBLIC_2
Checkov Check ID: CKV_GCP_40
Severity: MEDIUM

Compute instances have public IPs


To reduce your attack surface, Compute Engine instances should not have public IP addresses. To minimize an instance's exposure to the internet, give it only internal addresses and place it behind a load balancer, which then terminates all inbound traffic. Note that an instance without an external IP also loses its own outbound route to the internet; if it still needs to reach external services (package mirrors, third-party APIs), provide that path through Cloud NAT, or Private Google Access for Google APIs, rather than re-adding a public IP.

We recommend you ensure compute instances are not configured to have external IP addresses.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to VM instances.
  3. Click the name of the instance to open its detail page.
  4. Click Edit.
  5. For each Network interface, ensure that External IP is set to None.
  6. Click Done, then click Save.

CLI Command

  1. Describe the instance properties:
    gcloud compute instances describe INSTANCE_NAME --zone=ZONE
  2. Identify the access config name that contains the external IP address. In the
    output it appears under networkInterfaces in the following format:
    - accessConfigs:
      - kind: compute#accessConfig
        name: External NAT
  3. Delete the access config:
    gcloud compute instances delete-access-config INSTANCE_NAME --zone=ZONE --access-config-name="ACCESS_CONFIG_NAME"

In the above example the ACCESS_CONFIG_NAME is External NAT; the name of your access config may be different. Quote the name, since the default one contains a space. The command acts on nic0 by default, so for an instance with several network interfaces repeat step 3 with --network-interface=NAME for every interface that has an access config.
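The three CLI steps above are repeated once per instance and per interface, which is tedious for a whole project. The following script, an added example that is not part of the original page or of Checkov/Bridgecrew, automates the "identify" step: it reads the JSON that gcloud compute instances list --format=json produces (a constructed sample is embedded so it runs offline), reports every external IPv4 access config, and emits the matching delete-access-config command with the zone and network interface filled in. Instance names, zones and IP addresses in the sample are made up.

```python
"""Audit gcloud instance JSON for external IPs and emit remediation commands.

Added example for CKV_GCP_40; not code from the original page or from
Checkov/Bridgecrew. Input is the shape produced by
    gcloud compute instances list --format=json
Output is one `gcloud compute instances delete-access-config ...` line per
external IPv4 access config found.
"""
import json
from dataclasses import dataclass

# Constructed sample in the shape of `gcloud compute instances list --format=json`.
# Only the fields this script reads are included; all values are made up.
SAMPLE_GCLOUD_JSON = """
[
  {"name": "web-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo-proj/zones/us-central1-a",
   "networkInterfaces": [
     {"name": "nic0", "networkIP": "10.128.0.2",
      "accessConfigs": [{"kind": "compute#accessConfig", "name": "External NAT",
                         "natIP": "203.0.113.10", "type": "ONE_TO_ONE_NAT"}]}]},
  {"name": "db-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo-proj/zones/us-central1-b",
   "networkInterfaces": [{"name": "nic0", "networkIP": "10.128.0.3"}]},
  {"name": "bastion",
   "zone": "https://www.googleapis.com/compute/v1/projects/demo-proj/zones/europe-west1-b",
   "networkInterfaces": [
     {"name": "nic0", "networkIP": "10.132.0.4"},
     {"name": "nic1", "networkIP": "10.132.1.4",
      "accessConfigs": [{"kind": "compute#accessConfig", "name": "external-nat-1",
                         "natIP": "198.51.100.7", "type": "ONE_TO_ONE_NAT"}]}]}
]
"""


@dataclass(frozen=True)
class PublicIpFinding:
    instance: str
    zone: str
    interface: str
    access_config: str
    nat_ip: str


def load_instances(gcloud_json: str) -> list[dict]:
    """Parse the JSON array that gcloud prints."""
    return json.loads(gcloud_json)


def zone_name(zone_url: str) -> str:
    """gcloud reports zones as full URLs; the CLI flags want the short name."""
    return zone_url.rstrip("/").rsplit("/", 1)[-1]


def find_public_ips(instances: list[dict]) -> list[PublicIpFinding]:
    """Return one finding per external IPv4 access config on any interface.

    An interface with no accessConfigs has no external IPv4 address, which is
    the compliant state this policy checks for, so it produces no finding.
    """
    findings = []
    for inst in instances:
        for nic in inst.get("networkInterfaces", []):
            for ac in nic.get("accessConfigs", []):
                findings.append(PublicIpFinding(
                    instance=inst["name"],
                    zone=zone_name(inst["zone"]),
                    interface=nic.get("name", "nic0"),
                    access_config=ac["name"],
                    nat_ip=ac.get("natIP", ""),
                ))
    return findings


def remediation_commands(findings: list[PublicIpFinding]) -> list[str]:
    """Build the delete-access-config command for each finding.

    --network-interface is passed explicitly because the default is nic0 and a
    public IP may sit on a secondary interface; the access-config name is
    quoted because the default name ("External NAT") contains a space.
    """
    return [
        f"gcloud compute instances delete-access-config {f.instance} "
        f"--zone={f.zone} --network-interface={f.interface} "
        f'--access-config-name="{f.access_config}"'
        for f in findings
    ]


if __name__ == "__main__":
    for finding in find_public_ips(load_instances(SAMPLE_GCLOUD_JSON)):
        print(f"{finding.instance} ({finding.zone}) {finding.interface}: "
              f"{finding.access_config} -> {finding.nat_ip}")
    for cmd in remediation_commands(find_public_ips(load_instances(SAMPLE_GCLOUD_JSON))):
        print(cmd)
```

Review the printed commands before running them: removing an access config drops the instance's outbound internet path unless Cloud NAT is in place. The script only inspects IPv4 accessConfigs; dual-stack interfaces report an external IPv6 address under ipv6AccessConfigs, which this example does not handle.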

Fix - Buildtime


  • Resource: google_compute_instance
  • Field: network_interface.access_config

In Terraform the access_config block lives inside network_interface; removing it (the lines marked with -) leaves the interface with an internal IP only, which is the state this check looks for.
resource "google_compute_instance" "example" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"
  boot_disk {}
  network_interface {
    network = "default"
-   access_config {
-     // Ephemeral external IP; remove to keep the instance internal-only
-   }
  }
}