SQL database instances should only use private IP addresses
Description:
Datadog recommends configuring the second generation SQL instance to use private IPs instead of
public IPs.
Rationale:
To lower the organization's attack surface, ensure your Cloud SQL instances do not have public IPs.
An instance reachable only over a private IP is not exposed to the internet at all, so it cannot be reached by credential-stuffing or exploitation attempts from arbitrary sources, and traffic stays inside the VPC, which also lowers latency for your application.
Impact:
Removing the public IP address on SQL instances may break applications that relied
on it for database connectivity.
From the console
- Go to the Cloud SQL Instances page in the Google Cloud Console:
https://console.cloud.google.com/sql/instances
- Click the instance name to open its Instance details page.
- Select the Connections tab.
- Deselect the Public IP checkbox.
- Click Save to update the instance.
From the command line
For every instance, remove the public IP and assign a private IP on the given VPC network instead. Private IP requires that private services access (an allocated IP range peered with Google's service producer network) is already configured for that VPC; set that up first or the patch will fail:
gcloud sql instances patch <INSTANCE_NAME> --network=<VPC_NETWORK_NAME> --no-assign-ip
Confirm the change by checking that settings.ipConfiguration.ipv4Enabled is false and that ipAddresses no longer contains a PRIMARY (public) address, only a PRIVATE one:
gcloud sql instances describe <INSTANCE_NAME>
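The two commands above handle one instance at a time. The following added example (not part of the original rule text or of Datadog's own tooling) audits every instance in the current project in one pass and prints, rather than executes, the remediation command for each offender, so an operator can check for applications that still depend on the public address before removing it. The gcloud commands and the settings.ipConfiguration.ipv4Enabled field are real; the sample list output is constructed so the functions can be exercised offline, and the VPC name my-vpc is a placeholder.

```shell
# Added example: audit Cloud SQL instances for public IPs and plan remediation.

# Live listing: one "NAME<TAB>True|False" line per instance. gcloud renders the
# boolean settings.ipConfiguration.ipv4Enabled as True/False with this format.
list_cmd() {
  gcloud sql instances list \
    --format='value(name,settings.ipConfiguration.ipv4Enabled)'
}

# Reads "name<TAB>ipv4Enabled" lines on stdin and prints the names of the
# instances that still have a public IPv4 address, one per line.
public_ip_instances() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r name ipv4_enabled; do
    [ -n "$name" ] || continue
    case "$ipv4_enabled" in
      True|true) printf '%s\n' "$name" ;;
    esac
  done
}

# Prints the patch command for each offending instance instead of running it.
# $1 is the VPC network the private IP should be allocated on.
remediation_plan() {
  vpc="$1"
  public_ip_instances | while read -r name; do
    printf 'gcloud sql instances patch %s --network=%s --no-assign-ip\n' \
      "$name" "$vpc"
  done
}

# Constructed sample of list_cmd output (no live project needed to run this).
SAMPLE="$(printf 'orders-db\tTrue\nanalytics-replica\tFalse\nlegacy-mysql\tTrue\n')"

# Against a real project you would run:  list_cmd | remediation_plan my-vpc
printf '%s\n' "$SAMPLE" | remediation_plan my-vpc
```

Run the printed commands only after confirming each application connects through the private address (or the Cloud SQL Auth Proxy over private IP), since the Impact section above applies to every instance in the plan.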
Prevention:
To prevent new SQL instances from being created with public IP addresses, enforce the
Restrict Public IP access on Cloud SQL instances
organization policy constraint (constraints/sql.restrictPublicIp) at the organization, folder or project level:
https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp
Default value:
By default, Cloud SQL instances are created with a public IP address.
References:
- https://cloud.google.com/sql/docs/mysql/configure-private-ip
- https://cloud.google.com/sql/docs/mysql/private-ip
- https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
- https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp
Replicas inherit their private IP status from their primary instance. You cannot configure a private IP directly on a replica.