Check for Cloud SQL Database Instances with Public IPs

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that your Second-Generation Cloud SQL database instances are configured to use private IP addresses instead of public IPs.

Security

By default, each Cloud SQL database instance is configured with a public IP address. To reduce the application's attack surface, Cloud SQL databases should have only private IPs attached. Private IPs provide improved cloud network security and lower latency for your database applications.


Audit

To determine if your Second-Generation SQL database instances are using public IP addresses, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

04 Choose the Cloud SQL database instance that you want to examine and check the Public IP address and Private IP address columns for any public and/or private IPv4 addresses assigned to the selected resource. If the instance has a public IP address assigned but no private IP address configured, the selected Google Cloud SQL database instance is configured to use public IP addresses only.

05 Repeat step no. 4 to check the public and private IP status for other Cloud SQL instances created for the selected project.

06 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-mobile-project-123123
cc-ml-app-project-123123

03 Run sql instances list command (Windows/macOS/Linux) using custom filtering to describe the name of each Second-Generation Cloud SQL database instance provisioned for the selected Google Cloud project:

gcloud sql instances list \
	--project cc-mobile-project-123123 \
	--filter='backendType:SECOND_GEN' \
	--format="(NAME)"

04 The command output should return the requested database instance name(s):

NAME
cc-mobile-db-instance
cc-backend-db-instance

05 Run sql instances describe command (Windows/macOS/Linux) using the name of the Cloud SQL database instance that you want to examine as identifier parameter and custom output filters to describe the public and/or private IPv4 addresses associated with the selected database instance:

gcloud sql instances describe cc-mobile-db-instance \
	--format=json | jq '.ipAddresses[]'

06 The command output should return the requested IPv4 configuration details:

{
  "ipAddress": "xxx.xxx.xxx.xxx",
  "type": "PRIMARY"
}

If the sql instances describe command output returns an IP configuration object that contains only an IPv4 address with the "type" property set to "PRIMARY", as shown in the example above, the selected Google Cloud SQL database instance is configured to use public IP addresses only.

07 Repeat steps no. 5 and 6 to check the other Cloud SQL database instances available within the selected project for public IPs.

08 Repeat steps no. 3 – 7 for each project available within your Google Cloud account.
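The CLI audit above can be automated by reading the JSON that `gcloud sql instances list --format=json` returns for a project and classifying each instance by the `type` values in its `ipAddresses` array. The script below is an added example, not part of the original article or of Conformity; the instance records are a constructed sample with hypothetical names and addresses.

```python
import json

# Constructed sample of what `gcloud sql instances list --project <id> --format=json`
# returns, trimmed to the fields this check reads (instance names are hypothetical).
SAMPLE_LIST_OUTPUT = json.dumps([
    {"name": "cc-mobile-db-instance", "backendType": "SECOND_GEN",
     "ipAddresses": [{"ipAddress": "203.0.113.10", "type": "PRIMARY"}]},
    {"name": "cc-backend-db-instance", "backendType": "SECOND_GEN",
     "ipAddresses": [{"ipAddress": "203.0.113.11", "type": "PRIMARY"},
                     {"ipAddress": "203.0.113.12", "type": "OUTGOING"},
                     {"ipAddress": "10.20.0.5", "type": "PRIVATE"}]},
    {"name": "cc-private-db-instance", "backendType": "SECOND_GEN",
     "ipAddresses": [{"ipAddress": "10.20.0.6", "type": "PRIVATE"}]},
    {"name": "cc-legacy-db-instance", "backendType": "FIRST_GEN",
     "ipAddresses": [{"ipAddress": "203.0.113.13", "type": "PRIMARY"}]},
])


def ip_exposure(instance):
    """Classify an instance from its ipAddresses entries: PRIMARY is the
    public IPv4, PRIVATE the VPC-attached one; OUTGOING (the address the
    instance uses for outbound connections) does not count as exposure."""
    types = {entry.get("type") for entry in instance.get("ipAddresses", [])}
    has_public = "PRIMARY" in types
    has_private = "PRIVATE" in types
    if has_public and has_private:
        return "PUBLIC_AND_PRIVATE"
    if has_public:
        return "PUBLIC_ONLY"
    return "PRIVATE_ONLY" if has_private else "NO_IP"


def audit(list_output_json):
    """Return {name: exposure} for every Second-Generation instance that still
    has a public IP attached. Instances that already have a private IP are
    still reported, since the public address stays reachable until removed."""
    findings = {}
    for inst in json.loads(list_output_json):
        if inst.get("backendType") != "SECOND_GEN":
            continue
        exposure = ip_exposure(inst)
        if exposure.startswith("PUBLIC"):
            findings[inst["name"]] = exposure
    return findings


if __name__ == "__main__":
    for name, exposure in sorted(audit(SAMPLE_LIST_OUTPUT).items()):
        print("%-28s %s" % (name, exposure))
```

Loop the `audit` call over the project IDs from step 1 to cover the whole account; the First-Generation instance in the sample is skipped because the rule applies to Second-Generation instances only.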

Remediation / Resolution

To reconfigure your Google Cloud SQL database instances to use private IP addresses instead of public IPs, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

04 Click on the name (ID) of the database instance that you want to reconfigure.

05 In the navigation panel, select Connections to access the connectivity configuration information available for the selected database instance.

06 In the Connectivity section, perform the following operations:

  1. Select Private IP configuration checkbox to initiate the private IP address setup process.
  2. Inside Enable Service Networking API box, select ENABLE API to enable Google's Service Networking API for private IP connectivity. This is a one-time enablement per GCP project, and may take a few minutes to complete.
  3. Select the name of the Google Cloud VPC network that you want to use for private IP connectivity, from the Associated networking dropdown list.
  4. Under Managed services network connection, select Use an automatically allocated IP range option to automatically allocate an IP range of prefix-length 20 within the selected VPC network.
  5. Click Allocate and connect to assign a new private IPv4 address to the selected Cloud SQL database instances.
  6. Deselect the Public IP checkbox to deallocate the public IP address. Removing the public IPv4 address allocated to the selected instance may break some of the applications connected to the database. Before deallocating the public IP, make sure that you update your applications' configuration to reference the new private IP address.
  7. Click Save to apply the changes.

07 Repeat steps no. 4 – 6 for other Cloud SQL instances that use public IPs for database access, available within the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run sql instances patch command (Windows/macOS/Linux) using the name of the Cloud SQL database instance that you want to reconfigure and the name of the appropriate VPC network as identifier parameters, to remove the instance's public IP address and assign a private IP address instead:

gcloud beta sql instances patch cc-mobile-db-instance \
	--network=cc-web-stack-network \
	--no-assign-ip

02 The output should return the sql instances patch command request status:

The following message will be used for the patch API method.
{"name": "cc-mobile-db-instance", "project": "cc-web-project-112233", "settings": {"ipConfiguration": {"ipv4Enabled": false, "privateNetwork": "https://compute.googleapis.com/compute/v1/projects/cc-web-project-112233/global/networks/cc-web-stack-network"}}}
Patching Cloud SQL instance...done.
Updated [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-web-project-112233/instances/cc-mobile-db-instance].

03 Repeat steps no. 1 – 3 for other Cloud SQL instances that use public IPs for database access, provisioned for the selected project.

04 Repeat steps no. 1 – 4 for each project created within your Google Cloud account.

Publication date Apr 12, 2021
