gcp-gce-public-ip

Ensure that Compute instances do not have public IP addresses

In order to limit the attack surface of your infrastructure, it is recommended to create compute instances that do not have any public IP addresses. This ensures that instances only receive the traffic you specifically route to them through a Load Balancer. If you are using Google Kubernetes Engine (GKE), this is done by creating a Private Cluster. Egress traffic from your instances to the Internet will then need to go through Google Cloud NAT.
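The following script is an added example, not part of this rule's documentation, showing how the check described above can be implemented against the JSON produced by `terraform show -json <planfile>`. It walks `planned_values.root_module` (including child modules) and flags every `google_compute_instance` whose `network_interface` carries at least one `access_config` block. It goes one step beyond the rule text by also flagging a `google_container_cluster` whose `private_cluster_config` does not set `enable_private_nodes`, which is the Terraform form of the Private Cluster mentioned above. The embedded plan is a constructed sample, not output captured from a real project.

```python
import json
import sys
from typing import Any, Iterator

# Constructed sample of `terraform show -json` output (trimmed to the fields
# the check needs). Not captured from a real project.
SAMPLE_PLAN: dict[str, Any] = {
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "google_compute_instance.public", "mode": "managed",
                 "type": "google_compute_instance", "name": "public",
                 "values": {"name": "public",
                            "network_interface": [{"network": "default",
                                                   "access_config": [{"network_tier": "PREMIUM"}]}]}},
                {"address": "google_compute_instance.private", "mode": "managed",
                 "type": "google_compute_instance", "name": "private",
                 "values": {"name": "private",
                            "network_interface": [{"network": "default", "access_config": []}]}},
                {"address": "google_container_cluster.private", "mode": "managed",
                 "type": "google_container_cluster", "name": "private",
                 "values": {"name": "private",
                            "private_cluster_config": [{"enable_private_nodes": True}]}},
            ],
            "child_modules": [
                {"address": "module.workers",
                 "resources": [
                     {"address": "module.workers.google_compute_instance.worker[0]",
                      "mode": "managed", "type": "google_compute_instance",
                      "name": "worker", "index": 0,
                      "values": {"name": "worker-0",
                                 # second NIC is the one exposing a public IP
                                 "network_interface": [
                                     {"network": "default"},
                                     {"network": "dmz",
                                      "access_config": [{"network_tier": "STANDARD"}]}]}},
                 ]},
            ],
        }
    }
}


def iter_resources(module: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def instance_has_public_ip(values: dict[str, Any]) -> bool:
    """True if any network_interface of the instance declares an access_config block."""
    for nic in values.get("network_interface") or []:
        if nic.get("access_config"):
            return True
    return False


def gke_cluster_is_public(values: dict[str, Any]) -> bool:
    """True unless private_cluster_config enables private nodes (assumed GKE schema)."""
    configs = values.get("private_cluster_config") or []
    return not any(cfg.get("enable_private_nodes") for cfg in configs)


def find_public_ip_findings(plan: dict[str, Any]) -> list[str]:
    """Return the addresses of resources that violate gcp-gce-public-ip."""
    findings: list[str] = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("mode") != "managed":  # skip data sources
            continue
        values = res.get("values", {})
        if res["type"] == "google_compute_instance" and instance_has_public_ip(values):
            findings.append(res["address"])
        elif res["type"] == "google_container_cluster" and gke_cluster_is_public(values):
            findings.append(res["address"])
    return findings


if __name__ == "__main__":
    # Usage: python check_public_ip.py [plan.json]; without an argument the sample plan is used.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address in find_public_ip_findings(plan):
        print(f"gcp-gce-public-ip: {address} exposes a public IP address")
```

Run it after `terraform plan -out=plan.tfplan && terraform show -json plan.tfplan > plan.json`; a non-empty list is a finding. Checking planned values rather than raw HCL means the rule also catches instances whose `access_config` is produced by a module or a dynamic block.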

Examples

Insecure Example

resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"

    access_config {
      # Will provision an ephemeral external / public IP address
    }
  }
}

Secure Example

resource "google_compute_instance" "default" {
  name         = "test"
  machine_type = "e2-medium"
  zone         = "us-central1-a"
  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }
  network_interface {
    network = "default"
    # Omitting the `access_config` block will not provision any public IP
  }
}

More information