Risk Level: High
Cloud Entity: Virtual Machine Instances
CloudGuard Rule ID: D9.GCP.NET.04
Covered by Spectral: No
Category: Compute

GSL LOGIC

VMInstance should not have isPublic=true

REMEDIATION

From Portal:

Go to the VM instances page using https://console.cloud.google.com/compute/instances
Click on the instance you want to update.
Click EDIT
Click each network interface (nic) and choose None in External IP.
Save your changes.

From TF:
Remove the 'access_config' part from 'network_interface':

resource 'google_compute_instance' 'default' {
	...
	network_interface {
		...
		
		-  access_config {
			-    // Ephemeral public IP
		-    }
	}
	...
}

From Command Line:
You can delete the instance's public ip using:

gcloud compute instances delete-access-config VM_NAME --access-config-name ACCESS_CONFIG_NAME

Reference:

Virtual Machine Instances

Compute Engine instances can run the public images for Linux and Windows Server that Google provides as well as private custom images that you can create or import from your existing systems. You can also deploy Docker containers, which are automatically launched on instances running the Container-Optimized OS public image.

You can choose the machine properties of your instances, such as the number of virtual CPUs and the amount of memory, by using a set of predefined machine types or by creating your own custom machine types.

Compliance Frameworks

GCP CloudGuard Best Practices
GCP CloudGuard Network Security
GCP GDPR Readiness
GCP HIPAA
GCP ISO 27001:2013
GCP LGPD regulation
GCP NIST 800-53 Rev 4
GCP NIST 800-53 Rev 5
GCP NIST CSF v1.1
GCP PCI-DSS 3.2
GCP PCI-DSS 4.0
GCP Security Risk Management