En esta página se describe cómo ver e implementar recomendaciones sobre cómo inhabilitar el acceso a IP públicas para las instancias que infringen la constraints/sql.restrictPublicIppolítica de organización aplicada por tu administrador. Esta política restringe la configuración de IP públicas en tus instancias. La infracción de la política se produce cuando una instancia ya tiene acceso a IP públicas en el momento de aplicar la restricción. Este recomendador se llama Inhabilitar IP pública.
Cada día, este recomendador detecta las instancias que infringen la política de la organización y proporciona estadísticas y recomendaciones para mejorar la seguridad de las instancias.constraints/sql.restrictPublicIp Puedes ver estadísticas y recomendaciones detalladas sobre estas instancias mediante la Google Cloud consola, la CLI de gcloud o la API Recommender.
Para obtener los permisos necesarios para ver y usar las estadísticas y las recomendaciones, asegúrate de que tienes los roles de gestión de identidades y accesos necesarios.
GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.cloudsql.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=DISABLE_PUBLIC_IP_TO_MEET_ORG_POLICY
Haz los cambios siguientes:
PROJECT_ID: tu ID de proyecto.
LOCATION: una región en la que se encuentran tus instancias, como us-central1.
Ver estadísticas y recomendaciones detalladas
Para ver estadísticas y recomendaciones detalladas, sigue estos pasos:
Consola
Después de enumerar las recomendaciones, haz clic en una de ellas.
Aparecerá el panel de recomendaciones, que contiene estadísticas y recomendaciones detalladas.
LOCATION : una región en la que se encuentran tus instancias, como us-central1.
API
Llama al método insights.list de la siguiente manera:
GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.cloudsql.instance.SecurityInsight/insights?filter=insightSubtype=ORG_POLICY_TO_RESTRICT_PUBLIC_IP_VIOLATED
Haz los cambios siguientes:
PROJECT_ID: tu ID de proyecto.
LOCATION: una región en la que se encuentran tus instancias, como us-central1.
Aplica la recomendación
Consola
Para implementar la recomendación, haz lo siguiente:
Haz clic en Gestionar asignación de IP de instancia.
Configura tus clientes para que se conecten a la instancia mediante una IP privada.
[[["Es fácil de entender","easyToUnderstand","thumb-up"],["Me ofreció una solución al problema","solvedMyProblem","thumb-up"],["Otro","otherUp","thumb-up"]],[["Es difícil de entender","hardToUnderstand","thumb-down"],["La información o el código de muestra no son correctos","incorrectInformationOrSampleCode","thumb-down"],["Me faltan las muestras o la información que necesito","missingTheInformationSamplesINeed","thumb-down"],["Problema de traducción","translationIssue","thumb-down"],["Otro","otherDown","thumb-down"]],["Última actualización: 2025-09-11 (UTC)."],[],[],null,["\u003cbr /\u003e\n\nMySQL \\| [PostgreSQL](/sql/docs/postgres/recommender-disable-public-ip \"View this page for the PostgreSQL database engine\") \\| [SQL Server](/sql/docs/sqlserver/recommender-disable-public-ip \"View this page for the SQL Server database engine\")\n\n\u003cbr /\u003e\n\nThis page describes how to view and implement recommendations about\ndisabling public IP access for instances that violate the\n[`constraints/sql.restrictPublicIp` organization policy](/sql/docs/mysql/org-policy/org-policy#connection-constraints) enforced by your\nadministrator. This policy restricts the configuration of public IP on your instances. The policy violation occurs when public IP access already exists for an instance at the time of enforcement of the constraint. This [recommender](/recommender/docs/overview) is called **Disable public IP**.\n\nEvery day, this recommender detects the instances that violate the\n`constraints/sql.restrictPublicIp` organization policy and provides insights and recommendations to improve\nyour instance security. You can view insights and detailed recommendations about these instances by using the Google Cloud console,\n[gcloud CLI](/sdk/gcloud), or the [Recommender API](/recommender/docs/using-api).\n\nFor more information about organization policies, see [Cloud SQL organization policies](/sql/docs/mysql/org-policy/org-policy).\n\nBefore you begin\n\nEnsure that you [enable the Recommender API](/recommender/docs/enabling).\n\nRequired roles and permissions\n\nTo get the permissions to view and work with insights and recommendations,\nensure that you have the required [Identity and Access Management (IAM) roles](/sql/docs/mysql/project-access-control#roles).\n\n| Tasks | Roles |\n|-----------------------|---------------------------------------------------|\n| View recommendations | `recommender.cloudsqlViewer` or `cloudsql.admin`. |\n| Apply recommendations | `cloudsql.editor` or `cloudsql.admin`. |\n\nFor more information about IAM roles, see [IAM basic and predefined roles reference](/iam/docs/understanding-roles) and [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\u003cbr /\u003e\n\nList the recommendations\n\nTo list the recommendations, follow these steps: \n\nConsole\n\nTo list recommendations about instance security, follow these steps:\n\n1. Go to the **Cloud SQL Instances** page.\n\n [Go to Cloud SQL Instances](https://console.cloud.google.com/sql/instances)\n2. View the **Issues** column in the instance table.\n\nAlternatively, follow these steps:\n\n1. Go to the **Recommendation Hub**.\n\n [Go to the Recommendation Hub](https://console.cloud.google.com/home/recommendations/)\n\n For more information, see [Exploring recommendations](/recommender/docs/recommendation-hub/identify-configuration-problems).\n2. In the **All recommendations** card, click **Security**.\n\ngcloud\n\nRun the [`gcloud recommender recommendations list`](/sdk/gcloud/reference/recommender/recommendations/list) command as follows: \n\n```\ngcloud recommender recommendations list \\\n--project=PROJECT_ID \\\n--location=LOCATION \\\n--recommender=google.cloudsql.instance.SecurityRecommender \\\n--filter=recommenderSubtype=DISABLE_PUBLIC_IP_TO_MEET_ORG_POLICY\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: Your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: A region where your instances are located, such as us-central1.\n\nAPI\n\nCall the [`recommendations.list`](/recommender/docs/reference/rest/v1beta1/projects.locations.recommenders.recommendations/list) method as follows: \n\n```\nGET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.cloudsql.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=DISABLE_PUBLIC_IP_TO_MEET_ORG_POLICY\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: Your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: A region where your instances are located, such as `us-central1`.\n\nView insights and detailed recommendations\n\nTo view insights and detailed recommendations, follow these steps: \n\nConsole\n\nAfter listing the recommendations, click a recommendation.\nThe recommendation panel appears, which contains insights and detailed recommendations.\n\ngcloud\n\nRun the [`gcloud recommender insights list`](/sdk/gcloud/reference/recommender/insights/list) command as follows: \n\n```\n\ngcloud recommender insights list \\\n--project=PROJECT_ID \\\n--location=LOCATION \\\n--insight-type=google.cloudsql.instance.SecurityInsight \\\n--filter=insightSubtype=ORG_POLICY_TO_RESTRICT_PUBLIC_IP_VIOLATED\n\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: Your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e : A region where your instances are located, such as `us-central1`.\n\nAPI\n\nCall the [`insights.list`](/recommender/docs/reference/rest/v1beta1/projects.locations.insightTypes.insights/list) method as follows: \n\n```\n\nGET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.cloudsql.instance.SecurityInsight/insights?filter=insightSubtype=ORG_POLICY_TO_RESTRICT_PUBLIC_IP_VIOLATED\n\n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: Your project ID.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: A region where your instances are located, such as `us-central1`.\n\nApply the recommendation \n\nConsole\n\nTo implement the recommendation, do the following:\n\n1. Click **Manage instance IP assignment**.\n\n2. Configure your clients to connect to the instance using [private IP](/sql/docs/mysql/configure-private-ip).\n\n3. [Disable public IP](/sql/docs/mysql/configure-ip#disable-public)\n on your instance.\n\ngcloud\n\nTo implement the recommendation, do the following:\n\n1. Configure your clients to connect to the instance using [private IP](/sql/docs/mysql/configure-private-ip).\n\n2. [Disable public IP](/sql/docs/mysql/configure-ip#disable-public)\n on your instance.\n\nAPI\n\nTo implement the recommendation, do the following:\n\n1. Configure your clients to connect to the instance using [private IP](/sql/docs/mysql/configure-private-ip).\n\n2. [Disable public IP](/sql/docs/mysql/configure-ip#disable-public)\n on your instance.\n\nWhat's next\n\n- [Disable public IP](/sql/docs/mysql/configure-ip#disable-public)\n- [Configure private IP](/sql/docs/mysql/configure-private-ip)\n- [Google Cloud recommenders](/recommender/docs/recommenders)\n- [Blog: Maximize your Cloud ROI](https://cloud.google.com/blog/products/management-tools/active-assist-comes-to-google-cloud)"]]
