Cloud CDN Regional Backend Services Failover Policy Should Be Enabled

More Info:

Ensure Cloud CDN regional backend services have failover policy enabled.

Risk Level

High

Address

Operational Maturity, Performance Efficiency, Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Cloud CDN Regional Backend Services Failover Policy Should Be Enabled” for GCP using GCP CLI, follow the below steps:

Open the GCP Cloud Shell in the GCP Console.
Run the following command to enable the failover policy for the regional backend services in Cloud CDN:
```
gcloud compute backend-services update [BACKEND_SERVICE_NAME] --failover-policy=ALL_OR_FAIL
```
Replace [BACKEND_SERVICE_NAME] with the name of the backend service that you want to update.
Verify that the failover policy has been enabled by running the following command:
```
gcloud compute backend-services describe [BACKEND_SERVICE_NAME] | grep failoverPolicy
```
This command should output the failover policy for the backend service. Note: If the output shows that the failover policy is not enabled, you may need to wait a few minutes for the changes to propagate.
Repeat steps 2 and 3 for all the regional backend services in Cloud CDN. Note: You can list all the regional backend services in Cloud CDN by running the following command:
```
gcloud compute backend-services list --filter="loadBalancingScheme=EXTERNAL && protocol=HTTP && backends.service=cdn-backend"
```
This command lists all the regional backend services that are used by Cloud CDN. Replace cdn-backend with the name of the backend service that you want to filter.

By following these steps, you can remediate the misconfiguration “Cloud CDN Regional Backend Services Failover Policy Should Be Enabled” for GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Cloud CDN Regional Backend Services Failover Policy Should Be Enabled” in GCP using Python, follow these steps:

Import the necessary libraries:

from googleapiclient.discovery import build
from google.oauth2 import service_account

Set up credentials:

credentials = service_account.Credentials.from_service_account_file(
    'path/to/service_account.json')

Create a client object for the Cloud CDN API:

cdn = build('cdn', 'v1beta2', credentials=credentials)

Get the list of existing backend services:

project_id = 'your-project-id'
backend_services = cdn.projects().backendServices().list(project=project_id).execute()

For each backend service, check if the failover policy is enabled. If not, enable it:

for backend_service in backend_services['items']:
    backend_service_name = backend_service['name']
    backend_service_region = backend_service['region']
    backend_service_config = cdn.projects().backendServices().get(project=project_id, backendService=backend_service_name).execute()
    if 'failoverPolicy' not in backend_service_config:
        failover_policy = {
            'disableConnectionDrainOnFailover': False,
            'dropTrafficIfUnhealthy': False,
            'failoverRatio': 0.5
        }
        cdn.projects().backendServices().patch(project=project_id, backendService=backend_service_name, body={'failoverPolicy': failover_policy}).execute()

Verify that the failover policy has been enabled for all backend services.

This code will enable the failover policy for all backend services in your GCP project. You can run this code periodically to ensure that the failover policy remains enabled for all backend services.

Additional Reading:

https://cloud.google.com/cdn/docs/overview

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Cloud CDN Regional Backend Services Failover Policy Should Be Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: