Any way to restrict external (Public) IP in GCP at Subnet. It seems if we want to create a VM without an external IP, we have to select External IP- None during VM creation. Can't we set External IP- None at Subnet configuration and any host created in this subnet will not be having a public/external IP?
You can set up an organization policy constraint in order to define allowed external IPs for VM instances. With this constraint you could restrict configuration of external IPs to a list of instances. Leaving the allowedValues list empty will make it no longer possible to configure external IP addresses on VMs within the organization's projects. Find all the relevant information in the following section of the documentation.
If you find the policy constraint approach to be too restrictive (notice that many other products that rely on VMs will be affected), another strategy that you could put in place would be to automate the deployment of VMs with the gcloud compute instances create command and take advantage of the --no-address flag in order to avoid assigning external IP addresses to the instances.
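Both approaches from the answer above, as an added example that is not part of the original answer: a policy file for the constraints/compute.vmExternalIpAccess list constraint (deny-all written as allValues: DENY, or an allow-list of instances) and a VM created with --no-address. The project, zone, subnet and VM names are placeholder assumptions, and the script only prints the gcloud commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example. PROJECT_ID, ZONE, SUBNET and the VM names are placeholders
# (assumptions); replace them with real values before setting APPLY=1.
PROJECT_ID="${PROJECT_ID:-my-project}"
ZONE="${ZONE:-us-central1-a}"
SUBNET="${SUBNET:-private-subnet}"

# Dry-run wrapper: print the command unless APPLY=1, then execute it.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Write an org-policy file for the external-IP list constraint.
#   write_external_ip_policy FILE          -> deny external IPs for every VM
#   write_external_ip_policy FILE vm1 vm2  -> allow them only on the listed VMs
write_external_ip_policy() {
  policy_out="$1"; shift
  {
    echo "constraint: constraints/compute.vmExternalIpAccess"
    echo "listPolicy:"
    if [ "$#" -eq 0 ]; then
      echo "  allValues: DENY"
    else
      echo "  allowedValues:"
      for vm in "$@"; do
        echo "  - projects/${PROJECT_ID}/zones/${ZONE}/instances/${vm}"
      done
    fi
  } > "$policy_out"
}

# Per-VM alternative: create the instance in SUBNET with no external IP.
create_private_vm() {
  run gcloud compute instances create "$1" --project="${PROJECT_ID}" \
    --zone="${ZONE}" --subnet="${SUBNET}" --no-address
}

# The policy applies to the whole project (or folder/organization), not to
# a single subnet, so every VM-backed product in that scope is affected.
policy_file="$(mktemp)"
write_external_ip_policy "$policy_file"
run gcloud resource-manager org-policies set-policy "$policy_file" \
  --project="${PROJECT_ID}"
create_private_vm internal-vm-1
```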