Creating VMs without public IP in GCP
5.8k Views, asked by Zama Ques

Any way to restrict external (public) IPs in GCP at the subnet level? It seems that if we want to create a VM without an external IP, we have to select "External IP: None" during VM creation. Can't we set "External IP: None" in the subnet configuration, so that any host created in this subnet will not have a public/external IP?
For those who are looking for a per-instance solution using Google's GCP REST API, just be sure there's no accessConfigs in your networkInterfaces section of your request's JSON body:

```jsonc
"machineType": "zones/{my_zone}/machineTypes/{my_machine_type}",
"name": "my_instance_name",
"networkInterfaces": [{
  "network": "my_vpc_network_ref",
  "subnetwork": "my_subnet_ref"
  // Don't include these commented lines if you only want a private IP
  // "accessConfigs": [{
  //   "name": "External NAT",
  //   "type": "ONE_TO_ONE_NAT"
  // }]
}],
```
All the parts starting with "my" are placeholders/variables.
I realize the actual question was about how to do this at the subnet level, and the answers provided help do this at the Organization or Project level, but the title of the question didn't specify what level we forbade private IPs, and it's not clear from the GCP documentation what the equivalent REST API call is for the --no-address flag, so I wanted to document it here for future coders.
You can set up an organization policy constraint in order to define allowed external IPs for VM instances. With this constraint you could restrict configuration of external IPs to a list of instances. Leaving the allowedValues list empty will make it no longer possible to configure external IP addresses on VMs within the organization's projects. Find all the relevant information on the following section of the documentation.

If you find the policy constraint approach to be too restrictive (notice that many other products that rely on VMs will be affected), another strategy that you could set in place would be to automate the deployments of VMs with the gcloud compute instances create command and take advantage of the --no-address flag in order to avoid assigning external IP addresses to the instances.