Check for Unattached Static External IP Addresses

Risk Level: Low (generally tolerable level of risk)

Identify and release any unattached (unused) static external IP addresses from your Google Cloud Platform (GCP) project in order to lower the cost of your cloud bill. A static external IP address is an IP address that is reserved for your GCP project until you decide to release it. Google Cloud considers a static external IP address as in use if it's associated with a virtual machine (VM) instance, whether the VM instance is running or stopped. If the instance is deleted or if the IP address is dissociated from the instance, Google Cloud considers the static IP address as not in use.

Security

Google Cloud charges for static IP addresses that are not attached to virtual machine (VM) instances or load balancers. If you reserve a static external IP address and do not assign it to a resource such as a VM instance or a forwarding rule, you will be charged at a higher rate than for static and ephemeral external IP addresses that are in use. To optimize cloud service usage charges and reduce your monthly Google Cloud bill, remove any unused static external IP addresses from your cloud account.


Audit

To identify any unattached static external IP addresses within your GCP projects, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to VPC Network console available at https://console.cloud.google.com/networking.

04 In the navigation panel, select IP addresses to access the list of external IP addresses provisioned for the selected GCP project.

05 Select the EXTERNAL IP ADDRESSES tab, click inside the Filter box and set Type to Static to list only the static external IP addresses reserved for the selected project.

06 Choose the external IP address that you want to examine and check the association status available in the In use by column. If the association status is set to None, the selected static external IP address is reserved but not associated with any cloud resource, and can be safely removed from your Google Cloud project.

07 Repeat steps no. 2 – 6 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of the Google Cloud Platform (GCP) projects currently available in your cloud account:

gcloud projects list --format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-project5-stack-12341234
cc-web-mobile-stack-12341234

03 Run the compute addresses list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to list the name of each static external IP address available within the selected project:

gcloud compute addresses list --project cc-project5-stack-12341234 --filter="addressType:EXTERNAL" --format="table(name,region)"

04 The command output should return the name(s) of the external IP address(es) created for the specified project:

NAME: cc-production-instance-static-ip
REGION: us-central1

NAME: cc-project5-load-balancer-static-ip
REGION: us-central1 

05 Run the compute addresses describe command (Windows/macOS/Linux) using the name of the static external IP address that you want to examine as the identifier parameter, to describe the association status set for the selected external IP address:

gcloud compute addresses describe cc-production-instance-static-ip --region=us-central1 --format="value(status)"

06 The command output should return the requested status (IN_USE for used and RESERVED for unused):

RESERVED

If the compute addresses describe command output returns RESERVED, the selected static external IP address is reserved but not associated with any cloud resource, and can be safely removed from your Google Cloud project.

07 Repeat steps no. 5 and 6 for each IP address provisioned for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
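The CLI audit steps above, collapsed into a single pass over every project, as an added example that is not part of the original page. It goes slightly beyond the steps by also reporting global addresses, which have no region and take --global instead of --region. The function names, the sample rows, and the names cc-internal-db-ip, cc-global-lb-ip and demo-project are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report static external IP
# addresses that are reserved but not attached to any resource.

# Keep only EXTERNAL addresses whose status is RESERVED.
# $1    : project ID, echoed into each output row
# stdin : CSV rows "name,region,addressType,status" (empty region = global)
# stdout: "project<TAB>name<TAB>scope flag" for use with describe/delete
filter_unattached() {
  awk -F',' -v project="$1" '$3 == "EXTERNAL" && $4 == "RESERVED" {
    scope = ($2 == "") ? "--global" : "--region=" $2
    printf "%s\t%s\t%s\n", project, $1, scope
  }'
}

# List every address of one project in the CSV shape the filter expects.
audit_project() {
  gcloud compute addresses list --project "$1" \
    --format="csv[no-heading](name,region.basename(),addressType,status)" \
    | filter_unattached "$1"
}

# Walk all projects visible to the active gcloud account.
audit_all_projects() {
  gcloud projects list --format="value(projectId)" |
    while read -r project; do
      audit_project "$project"
    done
}

# Constructed sample rows (not real output) so the filter runs offline.
SAMPLE_ROWS='cc-production-instance-static-ip,us-central1,EXTERNAL,RESERVED
cc-project5-load-balancer-static-ip,us-central1,EXTERNAL,IN_USE
cc-internal-db-ip,us-central1,INTERNAL,RESERVED
cc-global-lb-ip,,EXTERNAL,RESERVED'

if [ "${1:-}" = "--live" ]; then
  audit_all_projects            # needs an authenticated gcloud
else
  printf '%s\n' "$SAMPLE_ROWS" | filter_unattached demo-project
fi
```

Run it with --live against an authenticated gcloud session; without arguments it only processes the constructed sample rows.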

Remediation / Resolution

If a static external IP address is no longer in use, you can release the address to stop incurring charges for it and return it to the general IP pool for other Compute Engine users. To release (delete) a static external IP address, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to VPC Network console available at https://console.cloud.google.com/networking.

04 In the navigation panel, select IP addresses to access the list of external IP addresses provisioned for the selected GCP project.

05 Select the EXTERNAL IP ADDRESSES tab, click inside the Filter box and set Type to Static to list only the static external IP addresses reserved for the selected project.

06 Select the static external IP address that you want to delete and choose RELEASE STATIC ADDRESS.

07 In the confirmation box, choose RELEASE to remove the specified external IP address from your GCP project.

08 Repeat steps no. 2 – 7 for each project created within your Google Cloud account.

Using GCP CLI

01 To avoid unnecessary charges on your Google Cloud bill, you can release (delete) unused static external IP addresses. To release an external IP address from your GCP project, run the compute addresses delete command (Windows/macOS/Linux):

gcloud compute addresses delete cc-production-instance-static-ip --region=us-central1 --project cc-project5-stack-12341234

02 Type Y and press Enter to confirm the IP resource removal:

The following addresses will be deleted:
  - [cc-production-instance-static-ip] in [us-central1]
Do you want to continue (Y/n)?  Y

03 The command output should return the full URL of the deleted IP address:

Deleted [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-12341234/regions/us-central1/addresses/cc-production-instance-static-ip].

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

Publication date May 6, 2024