More Info:

Ensure Cloud CDN regional backend services have failover policy enabled.

Risk Level

High

Address

Operational Maturity, Performance Efficiency, Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Cloud CDN Regional Backend Services Failover Policy Should Be Enabled” for GCP using GCP console, please follow the below steps:
  1. Open the GCP console and navigate to the Cloud CDN page.
  2. Select the CDN endpoint you want to remediate.
  3. Click on the “Edit” button at the top of the page.
  4. Scroll down to the “Backend services” section and click on the “Edit” button next to it.
  5. Click on the “Advanced” tab.
  6. Under “Failover policy”, select the “Enabled” option.
  7. Click on the “Save” button to save the changes.
By enabling the failover policy, the CDN endpoint will automatically switch to a backup backend service if the primary service becomes unavailable. This will ensure that your users continue to have access to your content even in the event of a backend service failure.

To remediate the misconfiguration “Cloud CDN Regional Backend Services Failover Policy Should Be Enabled” for GCP using GCP CLI, follow the below steps:
  1. Open the GCP Cloud Shell in the GCP Console.
  2. Run the following command to enable the failover policy for the regional backend services in Cloud CDN: 
    gcloud compute backend-services update [BACKEND_SERVICE_NAME] --failover-policy=ALL_OR_FAIL
    Replace [BACKEND_SERVICE_NAME] with the name of the backend service that you want to update.
  3. Verify that the failover policy has been enabled by running the following command: 
    gcloud compute backend-services describe [BACKEND_SERVICE_NAME] | grep failoverPolicy
    This command should output the failover policy for the backend service. Note: If the output shows that the failover policy is not enabled, you may need to wait a few minutes for the changes to propagate.
  4. Repeat steps 2 and 3 for all the regional backend services in Cloud CDN. Note: You can list all the regional backend services in Cloud CDN by running the following command: 
    gcloud compute backend-services list --filter="loadBalancingScheme=EXTERNAL && protocol=HTTP && backends.service=cdn-backend"
    This command lists all the regional backend services that are used by Cloud CDN. Replace cdn-backend with the name of the backend service that you want to filter.
By following these steps, you can remediate the misconfiguration “Cloud CDN Regional Backend Services Failover Policy Should Be Enabled” for GCP using GCP CLI.
To remediate the misconfiguration “Cloud CDN Regional Backend Services Failover Policy Should Be Enabled” in GCP using Python, follow these steps:
  1. Import the necessary libraries:
from googleapiclient.discovery import build
from google.oauth2 import service_account
  1. Set up credentials:
credentials = service_account.Credentials.from_service_account_file(
    'path/to/service_account.json')
  1. Create a client object for the Cloud CDN API:
cdn = build('cdn', 'v1beta2', credentials=credentials)
  1. Get the list of existing backend services:
project_id = 'your-project-id'
backend_services = cdn.projects().backendServices().list(project=project_id).execute()
  1. For each backend service, check if the failover policy is enabled. If not, enable it:
for backend_service in backend_services['items']:
    backend_service_name = backend_service['name']
    backend_service_region = backend_service['region']
    backend_service_config = cdn.projects().backendServices().get(project=project_id, backendService=backend_service_name).execute()
    if 'failoverPolicy' not in backend_service_config:
        failover_policy = {
            'disableConnectionDrainOnFailover': False,
            'dropTrafficIfUnhealthy': False,
            'failoverRatio': 0.5
        }
        cdn.projects().backendServices().patch(project=project_id, backendService=backend_service_name, body={'failoverPolicy': failover_policy}).execute()
  1. Verify that the failover policy has been enabled for all backend services.
This code will enable the failover policy for all backend services in your GCP project. You can run this code periodically to ensure that the failover policy remains enabled for all backend services.

Additional Reading: