
Check for Public IP Address Exposure

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: OCI-Compute-008

Ensure that your Oracle Cloud Infrastructure (OCI) compute instances are not configured with public IP addresses, except where explicitly required by the business. Assigning public IP addresses to OCI compute instances increases the attack surface, making it harder to manage and secure the application environment.

Security

Directly assigning public IPs to Oracle Cloud Infrastructure (OCI) compute instances creates security risks due to several factors, including an increased attack surface, potential security vulnerabilities, limited network segmentation, and challenges in management and scalability. Each public IP can serve as an entry point for attackers, making it easier for them to exploit weaknesses or move laterally within the network.


Audit

To determine if your OCI compute instances are configured with public IP addresses, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to examine, listed in the Name column.

06 Select the Details tab and check the Public IP address attribute value, listed under Instance access. If the Public IP address value is set to a public IPv4 address, the selected Oracle Cloud Infrastructure (OCI) compute instance is using a public IP address that is reachable from the Internet.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run compute instance list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each compute instance available in the selected OCI compartment:

oci compute instance list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--region 'ap-sydney-1'
	--all
	--query 'data[]."id"'

04 The command output should return the requested compute instance IDs:

[
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

05 Run compute instance list-vnics command (Windows/macOS/Linux) with the ID of the compute instance that you want to examine as the identifier parameter and custom output filters to describe the active Virtual Network Interface Cards (VNICs) attached to the selected instance. A VNIC connects your instance to a Virtual Cloud Network (VCN) and endpoints in and outside the VCN:

oci compute instance list-vnics
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data'

06 The command output should return an array that contains the VNICs attached to your instance:

[
	{
		"availability-domain": "ABCD:AP-SYDNEY-1-AD-1",
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"defined-tags": {
			"Oracle-Tags": {
				"CreatedBy": "user@domain.com",
				"CreatedOn": "2025-10-15T12:10:56.436Z"
			}
		},
		"display-name": "vnic1234123412341234",
		"freeform-tags": {},
		"hostname-label": null,
		"id": "ocid1.vnic.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
		"ipv6-addresses": null,
		"is-primary": true,
		"lifecycle-state": "AVAILABLE",
		"mac-address": "02:00:17:01:CC:78",
		"nsg-ids": [],
		"private-ip": "10.0.0.15",
		"public-ip": "192.9.166.92",
		"route-table-id": null,
		"security-attributes": {},
		"skip-source-dest-check": false,
		"subnet-id": "ocid1.subnet.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
		"time-created": "2025-10-15T12:11:01.455000+00:00",
		"vlan-id": null
	}
]

Check the "public-ip" property value for each VNIC attached to your instance, returned by the compute instance list-vnics command output. If the "public-ip" value is set to a public IPv4 address, as shown in the example above, the selected Oracle Cloud Infrastructure (OCI) compute instance is using a public IP address that is reachable from the Internet.
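The manual check above scales poorly once a compartment holds more than a handful of instances. The following Python script is an added example (not Trend Micro's or Oracle's code) that applies the same rule to the JSON that `oci compute instance list-vnics --query data` returns: for every VNIC it looks at the "public-ip" value and any "ipv6-addresses", and flags only addresses that are actually globally routable, so an RFC 1918 private address or a null value is never reported. The sample input is constructed inline, modelled on the VNIC record shown above; in practice you would feed it the output of the CLI command for each instance ID collected in step 04.

```python
"""Flag OCI compute instances whose VNICs carry a public IP address.

Added example, not part of the original page. The input shape follows the
`oci compute instance list-vnics --query data` output shown on the page;
the instance/VNIC records below are constructed sample data.
"""
import ipaddress
import json

# Constructed sample: the first instance has the public VNIC from the page,
# the second has a VNIC with only a private address.
SAMPLE_VNICS_BY_INSTANCE = {
    "ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd": json.dumps([
        {
            "id": "ocid1.vnic.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
            "display-name": "vnic1234123412341234",
            "is-primary": True,
            "lifecycle-state": "AVAILABLE",
            "private-ip": "10.0.0.15",
            "public-ip": "192.9.166.92",
            "ipv6-addresses": None,
        }
    ]),
    "ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234": json.dumps([
        {
            "id": "ocid1.vnic.oc1.ap-sydney-1.CONSTRUCTED-PRIVATE-ONLY",
            "display-name": "vnic-private-only",
            "is-primary": True,
            "lifecycle-state": "AVAILABLE",
            "private-ip": "10.0.1.22",
            "public-ip": None,
            "ipv6-addresses": None,
        }
    ]),
}


def is_public_address(value):
    """True only for a syntactically valid, globally routable IPv4/IPv6 address.

    Null, empty, unparsable and private/reserved addresses all return False,
    so a VNIC is never flagged on the basis of its private IP.
    """
    if not value:
        return False
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return addr.is_global


def public_vnics(vnics):
    """Return one finding per VNIC that exposes at least one public address."""
    findings = []
    for vnic in vnics:
        candidates = [vnic.get("public-ip")] + list(vnic.get("ipv6-addresses") or [])
        exposed = [a for a in candidates if is_public_address(a)]
        if exposed:
            findings.append({
                "vnic-id": vnic.get("id"),
                "is-primary": vnic.get("is-primary"),
                "lifecycle-state": vnic.get("lifecycle-state"),
                "public-addresses": exposed,
            })
    return findings


def audit(vnics_json_by_instance):
    """Map each non-compliant instance OCID to its list of exposed VNICs.

    Input: {instance_ocid: raw JSON string from `list-vnics --query data`}.
    Compliant instances (no public address on any VNIC) are omitted.
    """
    results = {}
    for instance_id, raw in vnics_json_by_instance.items():
        findings = public_vnics(json.loads(raw))
        if findings:
            results[instance_id] = findings
    return results


if __name__ == "__main__":
    for instance_id, findings in audit(SAMPLE_VNICS_BY_INSTANCE).items():
        print(f"NON-COMPLIANT {instance_id}")
        for f in findings:
            print(f"  VNIC {f['vnic-id']} (primary={f['is-primary']}): {', '.join(f['public-addresses'])}")
```

Using `is_global` rather than a simple "is the field non-null" test matters because the same rule logic can then be reused against IPv6 addresses and against any future field that might carry a non-routable placeholder; the page's finding (192.9.166.92 on the primary VNIC) is reproduced, while the private-only instance is left out of the report.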

Remediation / Resolution

To disable the public IP address assignment for your existing Oracle Cloud Infrastructure (OCI) compute instances, you must re-create your instances by performing the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to re-create and collect all the relevant configuration information.

06 After the configuration information is successfully collected, choose Actions from the instance top menu, select More actions, and choose Create custom image. Provide a unique name for your custom image in the Name box, then choose Create custom image to create the image.

07 Once the new image is ready, use it to relaunch your OCI compute instance without assigning a public IP address. In the left navigation panel, under Overview, select Instances, choose Create instance, and perform the following actions to launch a new compute instance:

  1. For Basic information, provide the following information:
    1. For Name, provide a unique name for the new instance.
    2. For Create in compartment, select the appropriate OCI compartment.
    3. For Placement, ensure that the required Availability domain is selected. Choose Advanced options and select the correct Capacity type for the new instance (must match the capacity type of the source instance).
    4. For Image and shape, perform the following operations:
      1. Choose Change image under Image, select My images, choose Custom images, select the custom OS image created in step no. 6, and choose Select image.
      2. Choose Change shape under Shape, select the correct instance shape/instance type (must match the shape of the source instance), and choose Select shape.
      3. Choose Advanced options and configure the management, availability, and Oracle Cloud Agent settings for the new instance (must match the configuration of the source instance).
    5. Choose Next to continue the setup.
  2. For Security, choose to enable either Shielded instances or Confidential computing but not both (must match the security configuration of the source instance). Choose Next to continue the setup process.
  3. For Networking, provide the following information:
    1. For VNIC name, provide a name for the new Virtual Network Interface Card (VNIC).
    2. For Primary network, choose Select existing virtual cloud network, and select an existing Virtual Cloud Network (must match the network configuration of the source instance).
    3. For Subnet, choose Select existing subnet, and select an existing VCN subnet (must match the network configuration of the source instance).
    4. For Private IPv4 address, assign a private IPv4 address for your instance.
    5. Switch off the Automatically assign public IPv4 address button to launch your new OCI compute instance without a public IP address.
    6. Choose Advanced options and configure the advanced network and DNS settings for the new instance (must match the network configuration of the source instance).
    7. For Add SSH keys, choose whether to generate a new SSH key pair or upload a public key that you already have.
    8. Choose Next to continue the setup.
  4. For Storage, provide the following information:
    1. For Boot volume, specify the boot volume size and configure encryption in transit and encryption of data at rest.
    2. For Block volumes, choose whether to add one or more block volumes to your instance (must match the source instance disk configuration).
    3. Choose Next to continue.
  5. For Review, review the instance configuration information, then choose Create to launch your new Oracle Cloud Infrastructure (OCI) compute instance.

Using OCI CLI

01 Run compute instance get command (Windows/macOS/Linux) with the ID of the compute instance that you want to re-create as the identifier parameter, to describe the configuration information available for the selected instance:

oci compute instance get
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data'

02 The command output should return the requested configuration information:

{
	"availability-domain": "ABCD:AP-SYDNEY-1-AD-1",
	"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"display-name": "cc-project5-compute-instance",
	"extended-metadata": {},
	"fault-domain": "FAULT-DOMAIN-3",
	"freeform-tags": {},
	"id": "ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"image-id": "ocid1.image.oc1.ap-sydney-1.aaaaaaaa3eoeyy4p5pmdwnmkvre6vw5ng3rsp6i6t7uhmu24reuuxvb5scva",
	"instance-options": {
		"are-legacy-imds-endpoints-disabled": true
	},
	"launch-options": {
		"boot-volume-type": "PARAVIRTUALIZED",
		"firmware": "UEFI_64",
		"is-consistent-volume-naming-enabled": true,
		"is-pv-encryption-in-transit-enabled": false,
		"network-type": "PARAVIRTUALIZED",
		"remote-data-volume-type": "PARAVIRTUALIZED"
	},
	"licensing-configs": null,
	"lifecycle-state": "RUNNING",
	"metadata": {},
	"placement-constraint-details": null,
	"platform-config": {
		"is-measured-boot-enabled": false,
		"is-memory-encryption-enabled": false,
		"is-secure-boot-enabled": true,
		"is-symmetric-multi-threading-enabled": true,
		"is-trusted-platform-module-enabled": false,
		"type": "AMD_VM"
	},

	...

	"preemptible-instance-config": null,
	"region": "ap-sydney-1",
	"security-attributes": {},
	"security-attributes-state": "STABLE",
	"shape": "VM.Standard.E4.Flex",
	"shape-config": {
		"baseline-ocpu-utilization": null,
		"gpu-description": null,
		"gpus": 0,
		"local-disk-description": null,
		"local-disks": 0,
		"local-disks-total-size-in-gbs": null,
		"max-vnic-attachments": 2,
		"memory-in-gbs": 16.0,
		"networking-bandwidth-in-gbps": 1.0,
		"ocpus": 1.0,
		"vcpus": 2
	},
	"source-details": {
		"boot-volume-size-in-gbs": null,
		"boot-volume-vpus-per-gb": null,
		"image-id": "ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"instance-source-image-filter-details": null,
		"kms-key-id": null,
		"source-type": "image"
	},
	"system-tags": {},
	"time-created": "2025-06-16T12:10:56.939000+00:00",
	"time-maintenance-reboot-due": null
}

03 Run compute image create command (Windows/macOS/Linux) to create an OS image from your source Oracle Cloud Infrastructure (OCI) compute instance:

oci compute image create
	--display-name 'cc-project5-instance-image'
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--query 'data.id'

04 The command output should return the ID of the new OS image:

"ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"

05 Run compute instance launch command (Windows/macOS/Linux) to create a new Oracle Cloud Infrastructure (OCI) compute instance from the custom OS image provisioned in the previous steps. Set the --assign-public-ip parameter to false to launch your new compute instance without a public IP address:

oci compute instance launch
	--display-name 'cc-new-project5-instance'
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--availability-domain 'ABCD:AP-SYDNEY-1-AD-1'
	--subnet-id 'ocid1.subnet.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234'
	--image-id 'ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--shape 'VM.Standard.E4.Flex'
	--shape-config '{"ocpus":1.0}'
	--assign-public-ip false
	--query 'data'

06 The command output should return the configuration information available for the new OCI compute instance:

{
	"agent-config": {
		"are-all-plugins-disabled": false,
		"is-management-disabled": false,
		"is-monitoring-disabled": false,
		"plugins-config": null
	},
	"availability-config": {
		"is-live-migration-preferred": null,
		"recovery-action": "RESTORE_INSTANCE"
	},
	"availability-domain": "ABCD:AP-SYDNEY-1-AD-1",
	"capacity-reservation-id": null,
	"cluster-placement-group-id": null,
	"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"dedicated-vm-host-id": null,
	"display-name": "cc-new-project5-instance",
	"extended-metadata": {},
	"fault-domain": "FAULT-DOMAIN-3",
	"freeform-tags": {},
	"id": "ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234",
	"image-id": "ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"instance-configuration-id": null,
	"instance-options": {
		"are-legacy-imds-endpoints-disabled": true
	},
	"ipxe-script": null,
	"is-ai-enterprise-enabled": null,
	"is-cross-numa-node": false,
	"launch-mode": "PARAVIRTUALIZED",
	"launch-options": {
		"boot-volume-type": "PARAVIRTUALIZED",
		"firmware": "UEFI_64",
		"is-consistent-volume-naming-enabled": true,
		"is-pv-encryption-in-transit-enabled": false,
		"network-type": "PARAVIRTUALIZED",
		"remote-data-volume-type": "PARAVIRTUALIZED"
	},
	"licensing-configs": null,
	"lifecycle-state": "PROVISIONING",
	"metadata": {},
	"placement-constraint-details": null,
	"platform-config": null,
	"preemptible-instance-config": null,
	"region": "ap-sydney-1",
	"security-attributes": {},
	"security-attributes-state": "STABLE",
	"shape": "VM.Standard.E4.Flex",
	"shape-config": {
		"baseline-ocpu-utilization": null,
		"gpu-description": null,
		"gpus": 0,
		"local-disk-description": null,
		"local-disks": 0,
		"local-disks-total-size-in-gbs": null,
		"max-vnic-attachments": 2,
		"memory-in-gbs": 16.0,
		"networking-bandwidth-in-gbps": 1.0,
		"ocpus": 1.0,
		"processor-description": "2.55 GHz AMD EPYC™ 7J13 (Milan)",
		"vcpus": 2
	},
	"source-details": {
		"boot-volume-size-in-gbs": null,
		"boot-volume-vpus-per-gb": null,
		"image-id": "ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"instance-source-image-filter-details": null,
		"kms-key-id": null,
		"source-type": "image"
	},
	"system-tags": {},
	"time-created": "2025-10-14T20:37:29.527000+00:00",
	"time-maintenance-reboot-due": null
}

Publication date Nov 10, 2025