Google Cloud SQL

Public IP is attached to SQL instances

Ensure that SQL instances are not using public IPs.

Risk Level: High

Description

This plugin ensures that SQL instances use private IP addresses rather than public ones. Instead of having your Cloud SQL instances accessible to everyone on the internet, you may use private IPs to keep them private within a Virtual Private Cloud (VPC) network. When connecting from a client on a resource with access to a VPC, it's best to configure your instance with a private IP. 

About the Service

Google Cloud SQL:

Google Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL, and SQL Server. It automates database provisioning, storage capacity management, replication, and backups while lowering maintenance costs. It can be set up easily using the built-in migration tools and lets you scale your instances effortlessly. To know more about Cloud SQL, read the Cloud SQL documentation.

Impact

Using a public IP address makes your SQL instances reachable from the internet: clients both inside and outside your organization's network can connect to them through Google's network. It is advised that you use a private IP instead of a public IP to keep your SQL instances secure and reduce their exposure to threats.

Steps to Reproduce

Using GCP Console:

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to SQL. You can use this link here to navigate directly if you’re already logged in.
  4. Select the ID of the SQL instance you want to investigate from the list of instances available and click on the Connections tab to check the configuration settings of the selected instance.
  5. On the Connections page, under the Networking tab, check the Instance IP assignment. If Public IP is checked, the selected instance is connected through a public IP.
  6. Repeat steps 4 and 5 for all the SQL instances you want to investigate in the selected project.
  7. If you have multiple projects, repeat steps 2 to 6 for each project in your GCP Console. 
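A scripted version of the check above, added here as an example and not part of this plugin's own code: it parses Cloud SQL instance records in the shape returned by `gcloud sql instances list --format=json` and flags any instance whose Public IP setting (`ipv4Enabled`) is on or that has a PRIMARY (public) address assigned. The embedded records are constructed samples; the project name, instance names and addresses are placeholders.

```python
import json

# Constructed sample in the shape of `gcloud sql instances list --format=json`
# (Cloud SQL Admin API instance resources), trimmed to the fields the check needs.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "orders-db", "project": "example-project",
   "settings": {"ipConfiguration": {"ipv4Enabled": true}},
   "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.10"},
                   {"type": "OUTGOING", "ipAddress": "203.0.113.11"}]},
  {"name": "analytics-db", "project": "example-project",
   "settings": {"ipConfiguration": {"ipv4Enabled": false,
                "privateNetwork": "projects/example-project/global/networks/default"}},
   "ipAddresses": [{"type": "PRIVATE", "ipAddress": "10.12.0.3"}]},
  {"name": "legacy-db", "project": "example-project",
   "settings": {"ipConfiguration": {"ipv4Enabled": true}},
   "ipAddresses": []}
]
"""


def has_public_ip(instance):
    """Return True when the instance is reachable over a public IP.

    Two signals are checked: the ipv4Enabled setting (the 'Public IP' checkbox
    in the console's Instance IP assignment section) and any assigned address
    of type PRIMARY, which is the public address Cloud SQL reports. Either one
    means the instance fails this check.
    """
    ip_config = instance.get("settings", {}).get("ipConfiguration", {})
    if ip_config.get("ipv4Enabled", False):
        return True
    return any(addr.get("type") == "PRIMARY" for addr in instance.get("ipAddresses", []))


def audit_instances(instances_json):
    """Map each instance name to a finding: PASS/FAIL plus the public addresses seen."""
    findings = {}
    for inst in json.loads(instances_json):
        public_addrs = [a["ipAddress"] for a in inst.get("ipAddresses", [])
                        if a.get("type") == "PRIMARY"]
        findings[inst["name"]] = {
            "status": "FAIL" if has_public_ip(inst) else "PASS",
            "public_ips": public_addrs,
        }
    return findings


if __name__ == "__main__":
    for name, finding in audit_instances(SAMPLE_INSTANCES_JSON).items():
        ips = ", ".join(finding["public_ips"]) or "none"
        print(f"{finding['status']}  {name}  public IPs: {ips}")
```

To run it against real data, replace the sample with the output of `gcloud sql instances list --format=json --project <PROJECT_ID>` for each project you audit.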

Steps for Remediation

Determine whether or not you truly require using a public IP. If not, make the necessary changes using the steps below.


Using GCP Console:

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to SQL. You can use this link here to navigate directly if you’re already logged in.
  4. Select the ID of the SQL instance you want to reconfigure in the list of instances available. (In case you aren’t sure which SQL instance needs to be configured, follow the steps to reproduce listed above to determine which to choose.)
  5. Click on Connections to go to the NETWORKING tab.
  6. Under the Instance IP assignment section, select the Private IP option and select your desired network for the same.
  7. Uncheck the Public IP checkbox and press SAVE to save the new changes.
  8. Repeat steps 4 to 7 for all the SQL instances you want to reconfigure in the selected project.
  9. If you have multiple projects, repeat steps 2 to 8 for each project in your GCP console.