Skip to content

Instances should not have public IP addresses

Default Severity: high

Explanation

Instances should not be publicly exposed to the internet

Possible Impact

Direct exposure of an instance to the public internet

Suggested Resolution

Remove public IP

Insecure Example

The following example will fail the google-compute-no-public-ip check.

 resource "google_compute_instance" "bad_example" {
   name         = "test"
   machine_type = "e2-medium"
   zone         = "us-central1-a"

   tags = ["foo", "bar"]

   boot_disk {
     initialize_params {
       image = "debian-cloud/debian-9"
     }
   }

   // Local SSD disk
   scratch_disk {
     interface = "SCSI"
   }

   network_interface {
     network = "default"

     access_config {
       // Ephemeral IP
     }
   }
 }

Secure Example

The following example will pass the google-compute-no-public-ip check.

 resource "google_compute_instance" "good_example" {
   name         = "test"
   machine_type = "e2-medium"
   zone         = "us-central1-a"

   tags = ["foo", "bar"]

   boot_disk {
     initialize_params {
       image = "debian-cloud/debian-9"
     }
   }

   // Local SSD disk
   scratch_disk {
     interface = "SCSI"
   }

   network_interface {
     network = "default"
   }
 }