Improve instance security by disabling public IP

MySQL  |  PostgreSQL  |  SQL Server

This page describes how to view and implement recommendations aboutdisabling public IP access for instances that violate theconstraints/sql.restrictPublicIp organization policy enforced by youradministrator. This policy restricts the configuration of public IP on your instances. The policy violation occurs when public IP access already exists for an instance at the time of enforcement of the constraint. Thisrecommender is calledDisable public IP.

Every day, this recommender detects the instances that violate theconstraints/sql.restrictPublicIp organization policy and provides insights and recommendations to improveyour instance security. You can view insights and detailed recommendations about these instances by using the Google Cloud console,gcloud CLI, or theRecommender API.

For more information about organization policies, seeCloud SQL organization policies.

Before you begin

Ensure that youenable the Recommender API.

Required roles and permissions

To get the permissions to view and work with insights and recommendations, ensure that you have the requiredIdentity and Access Management (IAM) roles.

TasksRoles
View recommendationsrecommender.cloudsqlViewer orcloudsql.admin.
Apply recommendationscloudsql.editor orcloudsql.admin.
For more information about IAM roles, seeIAM basic and predefined roles reference andManage access to projects, folders, and organizations.

List the recommendations

To list the recommendations, follow these steps:

Console

To list recommendations about instance security, follow these steps:

  1. Go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. View theIssues column in the instance table.

Alternatively, follow these steps:

  1. Go to theRecommendation Hub.

    Go to the Recommendation Hub

    For more information, seeExploring recommendations.

  2. In theAll recommendations card, clickSecurity.

gcloud

Run thegcloud recommender recommendations list command as follows:

gcloud recommender recommendations list \--project=PROJECT_ID \--location=LOCATION \--recommender=google.cloudsql.instance.SecurityRecommender \--filter=recommenderSubtype=DISABLE_PUBLIC_IP_TO_MEET_ORG_POLICY

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION: A region where your instances are located, such as us-central1.

API

Call therecommendations.list method as follows:

GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.cloudsql.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=DISABLE_PUBLIC_IP_TO_MEET_ORG_POLICY

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION: A region where your instances are located, such asus-central1.

View insights and detailed recommendations

To view insights and detailed recommendations, follow these steps:

Console

After listing the recommendations, click a recommendation.The recommendation panel appears, which contains insights and detailed recommendations.

gcloud

Run thegcloud recommender insights list command as follows:

gcloud recommender insights list \--project=PROJECT_ID \--location=LOCATION \--insight-type=google.cloudsql.instance.SecurityInsight \--filter=insightSubtype=ORG_POLICY_TO_RESTRICT_PUBLIC_IP_VIOLATED

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION : A region where your instances are located, such asus-central1.

API

Call theinsights.list method as follows:

GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.cloudsql.instance.SecurityInsight/insights?filter=insightSubtype=ORG_POLICY_TO_RESTRICT_PUBLIC_IP_VIOLATED

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION: A region where your instances are located, such asus-central1.

Apply the recommendation

Console

To implement the recommendation, do the following:

  1. ClickManage instance IP assignment.

  2. Configure your clients to connect to the instance usingprivate IP.

  3. Disable public IPon your instance.

gcloud

To implement the recommendation, do the following:

  1. Configure your clients to connect to the instance usingprivate IP.

  2. Disable public IPon your instance.

API

To implement the recommendation, do the following:

  1. Configure your clients to connect to the instance usingprivate IP.

  2. Disable public IPon your instance.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-14 UTC.