More Info:

Ensure Cloud CDN regional backend services have CDN enabled.

Risk Level

High

Address

Operational Maturity, Performance Efficiency, Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Cloud CDN Global Backend Services CDN Should Be Enabled” for GCP using GCP console, follow the below steps:
  1. Login to GCP console and go to the Cloud CDN page.
  2. Select the project that you want to enable Global Backend Services CDN for.
  3. Click on the “Create” button to create a new backend service.
  4. Give the backend service a name and select the appropriate backend type.
  5. Configure the backend service by specifying the backend type, protocol, and port.
  6. Click on the “Create” button to create the backend service.
  7. Once the backend service is created, go to the “Global” tab and click on the “Add backend” button.
  8. Select the backend service that you just created from the dropdown list.
  9. Click on the “Add” button to add the backend service to the global backend.
  10. Finally, click on the “Enable” button to enable Global Backend Services CDN for the project.
After following these steps, the misconfiguration “Cloud CDN Global Backend Services CDN Should Be Enabled” should be remediated for GCP using GCP console.

To remediate the misconfiguration of “Cloud CDN Global Backend Services CDN Should Be Enabled” in GCP using GCP CLI, follow these steps:
  1. Open the Google Cloud Console and select the project where the misconfiguration exists.
  2. Open the Cloud Shell by clicking on the icon in the top right corner of the console.
  3. In the Cloud Shell, run the following command to enable Cloud CDN: 
    gcloud services enable --project [PROJECT_ID] compute.googleapis.com
    Replace [PROJECT_ID] with the ID of your GCP project.
  4. Next, create a backend service by running the following command: 
    gcloud compute backend-services create [BACKEND_SERVICE_NAME] \
--global \
--enable-cdn \
--project [PROJECT_ID]
    Replace [BACKEND_SERVICE_NAME] with a name for your backend service and [PROJECT_ID] with the ID of your GCP project.
  5. Add the backend service to your load balancer by running the following command: 
    gcloud compute backend-services add-backend [BACKEND_SERVICE_NAME] \
--balancing-mode=UTILIZATION \
--max-utilization=0.8 \
--capacity-scaler=1 \
--instance-group=[INSTANCE_GROUP_NAME] \
--instance-group-zone=[ZONE] \
--project [PROJECT_ID]
    Replace [BACKEND_SERVICE_NAME] with the name of your backend service, [INSTANCE_GROUP_NAME] with the name of your instance group, [ZONE] with the zone where your instance group is located, and [PROJECT_ID] with the ID of your GCP project.
  6. Finally, update your load balancer to use the backend service by running the following command: 
    gcloud compute target-http-proxies update [TARGET_PROXY_NAME] \
--backend-service=[BACKEND_SERVICE_NAME] \
--project [PROJECT_ID]
    Replace [TARGET_PROXY_NAME] with the name of your target HTTP proxy and [BACKEND_SERVICE_NAME] with the name of your backend service.
By following these steps, you have enabled Cloud CDN and created a backend service for your GCP project, and added it to your load balancer. This will remediate the misconfiguration of “Cloud CDN Global Backend Services CDN Should Be Enabled”.
To remediate the misconfiguration of Cloud CDN Global Backend Services CDN should be enabled in GCP using python, follow these steps:
  1. Import the required libraries:
from googleapiclient.discovery import build
from google.oauth2 import service_account
  1. Set up the credentials and define the project ID:
creds = service_account.Credentials.from_service_account_file(
    'path/to/service_account.json'
)

project_id = 'your-project-id'
  1. Create a client object for the Compute Engine API:
compute = build('compute', 'v1', credentials=creds)
  1. Define the name of the backend service and the URL map:
backend_service_name = 'your-backend-service-name'
url_map_name = 'your-url-map-name'
  1. Get the current configuration of the backend service:
backend_service = compute.backendServices().get(
    project=project_id,
    backendService=backend_service_name
).execute()
  1. Check if Cloud CDN is already enabled for the backend service:
if 'cdnPolicy' in backend_service and backend_service['cdnPolicy']['cacheKeyPolicy']['includeProtocol'] == True:
    print('Cloud CDN is already enabled for the backend service.')
    exit()
  1. If Cloud CDN is not enabled, enable it by updating the backend service:
backend_service['cdnPolicy'] = {
    'cacheKeyPolicy': {
        'includeProtocol': True
    }
}

compute.backendServices().update(
    project=project_id,
    backendService=backend_service_name,
    body=backend_service
).execute()

print('Cloud CDN has been enabled for the backend service.')
  1. Finally, update the URL map to use the backend service:
url_map = compute.urlMaps().get(
    project=project_id,
    urlMap=url_map_name
).execute()

url_map['defaultService'] = f'/compute/v1/projects/{project_id}/global/backendServices/{backend_service_name}'

compute.urlMaps().update(
    project=project_id,
    urlMap=url_map_name,
    body=url_map
).execute()

print(f'The URL map {url_map_name} has been updated to use the backend service {backend_service_name}.')
By following these steps, you can remediate the misconfiguration of Cloud CDN Global Backend Services CDN should be enabled in GCP using python.

Additional Reading: