GCP-VM-instance-with-the-external-IP-address

Severity: Medium

Description: This control ensures that VM instances do not have public ip address assigned. To reduce your attack surface, Compute instances should not have public IP addresses. Instead, instances should be configured behind load balancers, to minimize the instance's exposure to the internet.

Remediation Steps:

Perform following to remove public IP address of instance :

1. Sign in to GCP Console https://console.cloud.google.com.

2. Go to the VM instances page.

3. Click on the instance name to go the the Instance detail page.

4. Click Edit.

5. For each Network interface, ensure that External IP is set to None.

6. Click Done and then click Save.

Important:

Removing the external IP address from your Compute instance may cause some applications to stop working.

Reference:

• CIS Google Cloud Platform Foundation Benchmark v1.2.0 - 05-01-2021: Recommendation #4.9

• https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints

• https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip

• https://cloud.google.com/compute/docs/instances/connecting-to-instance

• https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances

• https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses