Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses

Database Server should accept connections only from trusted Network(s)/IP(s) and restrict access from public IP addresses

Risk Level: High
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.NET.23
Covered by Spectral: Yes
Category: Database


CloudSql where ipAddresses contain [ ipAddress isPublic() ] and settings.ipConfiguration.ipv4Enabled=true should not have settings.ipConfiguration.authorizedNetworks contain [value like '']


From Portal

  1. Go to the Cloud SQL Instances page in the Google Cloud Console. https://console.cloud.google.com/sql/instances
  2. Click the instance name to open its Instance details page.
  3. Under the Configuration section click Edit configurations
  4. Under Configuration options expand the Connectivity section.
  5. Click the delete icon for the authorized network
  6. Click Save to update the instance.

From TF
Set the 'nat_ip' with trusted Network(s)/IP(s) and not

resource "google_sql_database_instance" "instance" {
	settings {
		ip_configuration {
			authorized_networks {
				value           = "AUTHORIZED_NETWORK_IP"
				name            = "NAME"

From Command Line

gcloud sql instances patch INSTANCE_NAME --authorized-networks=IP_ADDR1,IP_ADDR2...


  1. https://cloud.google.com/sql/docs/mysql/configure-ip
  2. https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks
  3. https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
  4. https://cloud.google.com/sql/docs/mysql/connection-org-policy
  5. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance

GCP CloudSql

Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP GDPR Readiness
  • GCP LGPD regulation
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP PCI-DSS 4.0