# Compute instances have public IPs

## Description

To reduce your attack surface, Compute instances should not have public IP addresses. To minimize an instance's exposure to the internet, place it behind a load balancer instead of assigning it an external IP.

We recommend you ensure compute instances are not configured to have external IP addresses.

# Fix - Runtime

## GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to VM instances.
  3. Click the instance name to open the Instance detail page.
  4. Click Edit.
  5. For each Network interface, ensure that External IP is set to None.
  6. Click Done, then click Save.

## CLI Command

  1. Describe the instance properties:

     ```
     gcloud compute instances describe INSTANCE_NAME --zone=ZONE
     ```

  2. Identify the access config that contains the external IP address. This access config appears in the following format:

     ```yaml
     networkInterfaces:
     - accessConfigs:
       - kind: compute#accessConfig
         name: External NAT
         natIP: 130.211.181.55
         type: ONE_TO_ONE_NAT
     ```

  3. To delete the access config, use the following command:

     ```
     gcloud compute instances delete-access-config INSTANCE_NAME --zone=ZONE --access-config-name "ACCESS_CONFIG_NAME"
     ```


> 📘 Note
> 
> In the above example the **ACCESS_CONFIG_NAME** is **External NAT**.
> 
> The name of your access config may be different.
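As an added example (not part of the original page), the check below reads the JSON form of the `describe` output shown above, reports every access config that carries an external IP, and builds the matching `delete-access-config` command. The instance record is constructed, and `--network-interface` is gcloud's existing option for picking the NIC (the page's command relies on the default, nic0).

```python
import json

# Constructed sample of `gcloud compute instances describe ... --format=json`
# output, trimmed to the fields this check needs (not real instance data).
SAMPLE_INSTANCE = json.loads("""
{
  "name": "web-1",
  "zone": "https://www.googleapis.com/compute/v1/projects/p/zones/us-central1-a",
  "networkInterfaces": [
    {"name": "nic0", "networkIP": "10.128.0.2",
     "accessConfigs": [{"kind": "compute#accessConfig", "name": "External NAT",
                        "natIP": "130.211.181.55", "type": "ONE_TO_ONE_NAT"}]},
    {"name": "nic1", "networkIP": "10.128.0.3"}
  ]
}
""")

def public_access_configs(instance):
    """Return (interface, access-config name, natIP) for every access config
    that attaches an external IP. An interface with no accessConfigs list is
    internal-only, which is the compliant state this policy wants."""
    findings = []
    for nic in instance.get("networkInterfaces", []):
        for cfg in nic.get("accessConfigs", []):
            if cfg.get("type") == "ONE_TO_ONE_NAT" or cfg.get("natIP"):
                findings.append((nic["name"], cfg["name"], cfg.get("natIP")))
    return findings

def remediation_commands(instance):
    """Build one gcloud delete-access-config command per finding. The name is
    quoted because it usually contains a space ("External NAT"), and
    --network-interface selects the NIC (gcloud defaults to nic0)."""
    zone = instance["zone"].rsplit("/", 1)[-1]  # zone URL -> short zone name
    return [
        f'gcloud compute instances delete-access-config {instance["name"]} '
        f'--zone={zone} --network-interface={nic} '
        f'--access-config-name="{cfg}"'
        for nic, cfg, _ in public_access_configs(instance)
    ]

def is_compliant(instance):
    """True when no interface on the instance carries an external IP."""
    return not public_access_configs(instance)

if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_INSTANCE):
        print(cmd)
```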

# Fix - Buildtime

## Terraform

- **Resource**: google_compute_instance
- **Field**: access_config

```hcl
resource "google_compute_instance" "example" {
  name         = "test"
  machine_type = "n1-standard-1"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11" # any boot image; shown so the resource is valid
    }
  }

  # Remove every access_config block from network_interface: with no
  # access_config the interface receives only an internal IP address.
  network_interface {
    network = "default"
  }
}
```