Ensure Cloud SQL database instances do not have public IPs

Error: Cloud SQL database instances have public IPs

Bridgecrew Policy ID: BC_GCP_SQL_11
Checkov Check ID: CKV_GCP_60
Severity: LOW

Cloud SQL database instances have public IPs

Description

To lower the organization's attack surface, Cloud SQL databases should not have public IPs. Private IPs provide improved network security and lower latency for your application.

We recommend you configure Second Generation SQL instances to use private IPs instead of public IPs.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to Cloud SQL Instances.
  3. Click the instance name to open its Instance details page.
  4. Select Connections.
  5. Clear the Public IP checkbox.
  6. To update the instance, click Save.

CLI Command

  1. For every instance remove its public IP and assign a private IP instead:
    gcloud beta sql instances patch INSTANCE_NAME --network=VPC_NETWORK_NAME --no-assign-ip
  2. Confirm the changes using the following command:
    gcloud sql instances describe INSTANCE_NAME
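To turn the confirmation step into a repeatable audit, here is an added Python example (not part of the Bridgecrew/Checkov documentation) that reads the JSON produced by `gcloud sql instances list --format=json` and reports every instance that still exposes a public IP. The sample JSON below is constructed; it only mirrors the real Cloud SQL Admin API field names (`ipAddresses[].type`, `settings.ipConfiguration.ipv4Enabled`, `settings.ipConfiguration.privateNetwork`).

```python
import json

# Constructed sample in the shape of `gcloud sql instances list --format=json`.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "legacy-instance",
   "ipAddresses": [{"ipAddress": "203.0.113.10", "type": "PRIMARY"},
                   {"ipAddress": "10.8.0.3", "type": "PRIVATE"}],
   "settings": {"ipConfiguration": {"ipv4Enabled": true,
                "privateNetwork": "projects/example/global/networks/vpc"}}},
  {"name": "private-only",
   "ipAddresses": [{"ipAddress": "10.8.0.5", "type": "PRIVATE"}],
   "settings": {"ipConfiguration": {"ipv4Enabled": false,
                "privateNetwork": "projects/example/global/networks/vpc"}}},
  {"name": "unset-defaults",
   "ipAddresses": [{"ipAddress": "198.51.100.7", "type": "PRIMARY"}],
   "settings": {"ipConfiguration": {}}}
]
"""


def has_public_ip(instance):
    """True when the instance still has a public IPv4 address.

    Two signals are checked because they can disagree while a patch is in
    flight: the desired state (ipv4Enabled, treated as true when absent,
    matching the default the policy text describes) and the observed state
    (an ipAddresses entry of type PRIMARY, which is the public address).
    """
    ip_cfg = instance.get("settings", {}).get("ipConfiguration", {})
    desired_public = ip_cfg.get("ipv4Enabled", True)
    observed_public = any(a.get("type") == "PRIMARY"
                          for a in instance.get("ipAddresses", []))
    return desired_public or observed_public


def audit(instances_json):
    """Return {instance name: details} for every instance violating CKV_GCP_60."""
    findings = {}
    for inst in json.loads(instances_json):
        if not has_public_ip(inst):
            continue
        ip_cfg = inst.get("settings", {}).get("ipConfiguration", {})
        findings[inst["name"]] = {
            "ipv4Enabled": ip_cfg.get("ipv4Enabled", True),
            "publicAddresses": [a.get("ipAddress") for a in inst.get("ipAddresses", [])
                                if a.get("type") == "PRIMARY"],
            # Without a private network, dropping the public IP leaves the
            # instance unreachable; the CLI fix passes --network for this reason.
            "hasPrivateNetwork": bool(ip_cfg.get("privateNetwork")),
        }
    return findings


if __name__ == "__main__":
    for name, f in audit(SAMPLE_INSTANCES_JSON).items():
        print(f"{name}: public {f['publicAddresses']}, ipv4Enabled={f['ipv4Enabled']}, "
              f"private network configured={f['hasPrivateNetwork']}")
```

Instances flagged without a private network need `--network` set before `--no-assign-ip`, otherwise the fix removes the only reachable address.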

Fix - Buildtime

Terraform

  • Resource: google_sql_database_instance
  • Arguments:
    database_version = "SQLSERVER_*"
    settings.ip_configuration.ipv4_enabled: defaults to "true"; set it to "false"
resource "google_sql_database_instance" "default" {
  name             = "master-instance"
  database_version = "SQLSERVER_2017_STANDARD"
  region           = "us-central1"

  settings {
    ip_configuration {
      # Disable the public IPv4 address (the provider default is true).
      # Pair this with private_network = <VPC self link> so the instance keeps
      # a private IP, as the CLI fix does with --network.
      ipv4_enabled = false
    }
  }
}