Profile Applicability:

  • Level 2

Description:

Cloud SQL database instances should use private IPs instead of public IPs to enhance network security and reduce the attack surface.

Rationale:

Assigning private IPs to Cloud SQL database instances improves security by limiting exposure to the public internet. It also reduces latency and simplifies compliance with security policies. Public IPs increase the attack surface and should be avoided wherever possible.

Impact:

Removing public IP addresses may disrupt applications that rely on public IPs for database connectivity. Ensure all applications are reconfigured to use private IPs before making this change.

Default Value:

By default, Cloud SQL instances are assigned public IP addresses.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to the Cloud SQL Instances page.

               

  1. Confirm that each database instance has a private IP and does not have a public IP configured.

       

Using Google Cloud CLI:

List all Cloud SQL instances:

gcloud sql instances list

For each instance of type CLOUD_SQL_INSTANCE with backendType: SECOND_GEN (excluding replicas of type READ_REPLICA_INSTANCE):

gcloud sql instances describe <INSTANCE_NAME>

  1. Ensure the ipAddresses section shows an address of type PRIVATE and no address of type PRIMARY (indicating public IP).

Remediation Steps:

Using Google Cloud Console:

  1. Navigate to the Cloud SQL Instances page.

                         

  1. Click the instance name to open its details page.

           

  1. Go to the Connections tab.

                     

  1. Uncheck the Public IP checkbox.

           

  1. Click Save to apply the changes.

             

Using Google Cloud CLI:

Remove the public IP from each instance and assign a private IP:

gcloud sql instances patch <INSTANCE_NAME> --network=<VPC_NETWORK_NAME> --no-assign-ip

Verify the changes:

gcloud sql instances describe <INSTANCE_NAME>

Prevention:

To prevent new Cloud SQL instances from being configured with public IPs, enable the Restrict Public IP Access on Cloud SQL Instances organization policy:
Restrict Public IP Access Policy.

Backout Plan:

Step 1: Revert Configuration

If removing public IP access causes service disruption, re-enable it using:

gcloud sql instances patch <INSTANCE_NAME> --assign-ip

Alternatively, use Cloud SQL Console to re-enable public IP access.

Step 2: Notify Stakeholders

  • If rollback is required, inform developers and database administrators about temporary access adjustments.

Step 3: Restore from Backup (If Necessary)

  • If access configuration issues persist, restore the SQL instance from a previously taken snapshot or backup.

Step 4: Validate Rollback Success

  • Run the audit steps again to confirm that public IP access has been restored.

  • Ensure that applications function normally with the restored public IP.

References:

  1. Configuring Private IP for Cloud SQL

  2. Using Private IP for Cloud SQ

  3. Restrict Public IP Access Policy

Additional Information:

  • Replicas automatically inherit the private IP status from their primary instance. Private IPs cannot be directly configured on replicas.

  • Public IP addresses cannot be assigned to first-generation Cloud SQL instances.

CIS Controls

Control

Description

IG 1

IG 2

IG 3

3.3 Configure Data Access Control Lists

Apply data access controls, restricting connections to only authorized users or networks.

14.6 Protect Information Through Access Control Lists

Use access control lists to ensure only authorized users have access based on their responsibilities.