Improve instance security by removing broad public IP ranges from authorized networks
This page describes how to view and implement recommendations about when to removethe IP address range of0.0.0.0/0 from authorized networks.Instances with0.0.0.0/0 in authorized networks accept connections from all internet IPs. Thisrecommender is calledRemove broad public access.
Every day, this recommenderproactively detects instances that have broad public IP address ranges and provides insights and recommendations to improveyour instance security. You can view insights and detailed recommendations about instances that have public IP addressranges enabled and are vulnerable to security breaches by using the Google Cloud console,gcloud CLI, or theRecommender API.
Before you begin
Ensure that youenable the Recommender API.
Required roles and permissions
To get the permissions to view and work with insights and recommendations, ensure that you have the requiredIdentity and Access Management (IAM) roles.
| Tasks | Roles |
|---|---|
| View recommendations | recommender.cloudsqlViewer orcloudsql.admin. |
| Apply recommendations | cloudsql.editor orcloudsql.admin. |
List the recommendations
To list the recommendations, follow these steps:
Console
To list recommendations about instance security, follow these steps:
Go to theCloud SQL Instances page.
View theIssues column in the instance table.
Alternatively, follow these steps:
Go to theActive Assist.
For more information, seeExploring recommendations.
In theAll recommendations card, clickSecurity.
gcloud
Run thegcloud recommender recommendations list command as follows:
gcloud recommender recommendations list \--project=PROJECT_ID \--location=LOCATION \--recommender=google.cloudsql.instance.SecurityRecommender \--filter=recommenderSubtype=REMOVE_BROAD_PUBLIC_IP_RANGE
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION: A region where your instances are located, such as us-central1.
API
Call therecommendations.list method as follows:
GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.cloudsql.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=REMOVE_BROAD_PUBLIC_IP_RANGE
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION: A region where your instances are located, such as
us-central1.
View insights and detailed recommendations
To view insights and detailed recommendations, follow these steps:
Console
After listing the recommendations, click a recommendation.The recommendation panel appears, which contains insights and detailed recommendations.
gcloud
Run thegcloud recommender insights list command as follows:
gcloud recommender insights list \--project=PROJECT_ID \--location=LOCATION \--insight-type=google.cloudsql.instance.SecurityInsight \--filter=insightSubtype=BROAD_AUTHORIZED_NETWORKS
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION : A region where your instances are located, such as
us-central1.
API
Call theinsights.list method as follows:
GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.cloudsql.instance.SecurityInsight/insights?filter=insightSubtype=BROAD_AUTHORIZED_NETWORKS
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION: A region where your instances are located, such as
us-central1.
Apply the recommendation
Console
To implement this recommendation, clickManage authorized networks and then use one of the following options:
- Remove broad IP addresses from authorized networks. For more information, seeAuthorize with authorized networks.
- UseCloud SQL Auth Proxy andCloud SQL Language Connectors.
gcloud
To implement this recommendation, use one of the following options:
- Remove broad IP addresses from authorized networks. For more information, seeAuthorize with authorized networks.
- UseCloud SQL Auth Proxy andCloud SQL Language Connectors.
API
To implement this recommendation, use one of the following options:
- Remove broad IP addresses from authorized networks. For more information, seeAuthorize with authorized networks.
- UseCloud SQL Auth Proxy andCloud SQL Language Connectors.
What's next
- Authorize with authorized networks
- Cloud SQL Auth Proxy
- Cloud SQL Language Connectors
- Google Cloud recommenders
- Blog: Maximize your Cloud ROI
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.