More Info:

Cloud CDN should not send any new requests to the unhealthy instance if an compute instance fails health checks

Risk Level

Medium

Address

Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Sure, here are the step-by-step instructions to remediate the misconfiguration of Cloud CDN Regional Backend Services not having Connection Draining in GCP using the GCP console:
  1. Open the GCP Console and log in to your account.
  2. Navigate to the Cloud CDN page by selecting the “Navigation menu > Network Services > Cloud CDN”.
  3. From the Cloud CDN page, select the name of the CDN that you want to configure the connection draining for.
  4. In the CDN details page, select the “Backend Configuration” tab.
  5. In the Backend Configuration page, select the “Edit” button located at the top of the page.
  6. In the “Edit Backend Configuration” page, scroll down to the “Backend Service” section and select the name of the backend service that you want to configure connection draining for.
  7. In the “Backend Service” page, select the “Edit” button located at the top of the page.
  8. Scroll down to the “Connection Draining” section and select the “Enable” checkbox.
  9. In the “Connection Draining Timeout” field, specify the amount of time (in seconds) that you want to wait for the existing connections to complete before shutting down the backend service. The recommended value is 300 seconds.
  10. Select the “Save” button to save the changes.
After following these steps, the connection draining feature will be enabled for the selected backend service in your GCP Cloud CDN.

To remediate the misconfiguration of Cloud CDN Regional Backend Services not having connection draining on GCP using GCP CLI, follow the below steps:
  1. Open the Google Cloud Console and go to the Cloud Shell.
  2. Run the following command to list all the backend services in your project: 
gcloud compute backend-services list
  1. Choose the backend service that you want to update and run the following command to describe the backend service:
gcloud compute backend-services describe [BACKEND_SERVICE_NAME] --region [REGION]
  1. Check if the connection draining configuration is set for the backend service. If not, add the connection draining configuration by running the following command:
gcloud compute backend-services update [BACKEND_SERVICE_NAME] --region [REGION] --connection-draining-timeout [TIMEOUT_SECONDS]
Replace [BACKEND_SERVICE_NAME] with the name of the backend service you want to update, [REGION] with the region where the backend service is located, and [TIMEOUT_SECONDS] with the number of seconds that you want to set for the connection draining timeout.For example, to set the connection draining timeout to 60 seconds for a backend service named “my-backend-service” located in the “us-central1” region, run the following command:
gcloud compute backend-services update my-backend-service --region us-central1 --connection-draining-timeout 60
  1. Verify that the connection draining configuration is set for the backend service by running the following command:
gcloud compute backend-services describe [BACKEND_SERVICE_NAME] --region [REGION]
Make sure that the “connectionDraining” field shows the correct value for the connection draining configuration.By following these steps, you can remediate the misconfiguration of Cloud CDN Regional Backend Services not having connection draining on GCP using GCP CLI.
To remediate the misconfiguration of Cloud CDN Regional Backend Services not having connection draining in GCP using Python, you can follow the below steps:
  1. Install the necessary Python libraries:
pip install google-cloud-cdn
pip install google-auth google-auth-oauthlib google-auth-httplib2
  1. Set up authentication:
from google.oauth2 import service_account
from google.auth.transport.requests import Request
from google.oauth2.credentials import Credentials

creds = None
creds = service_account.Credentials.from_service_account_file(
        'path/to/service_account.json')
creds = creds.with_scopes(
        ['https://www.googleapis.com/auth/cloud-platform'])
creds = creds.with_subject('[email protected]')
  1. Retrieve the list of backend services:
from google.cloud import cdn_v1beta1

client = cdn_v1beta1.CloudCDNClient(credentials=creds)
project_number = '1234567890'
location = 'us-central1'
parent = f'projects/{project_number}/locations/{location}'

backend_services = client.list_backend_services(parent=parent)
  1. For each backend service, check if connection draining is enabled:
for backend_service in backend_services:
    backend_service_name = backend_service.name
    backend_service = client.get_backend_service(name=backend_service_name)
    if backend_service.connection_draining.draining_timeout_sec == 0:
        print(f'Connection draining is not enabled for backend service {backend_service_name}')
  1. If connection draining is not enabled, update the backend service to enable it:
for backend_service in backend_services:
    backend_service_name = backend_service.name
    backend_service = client.get_backend_service(name=backend_service_name)
    if backend_service.connection_draining.draining_timeout_sec == 0:
        backend_service.connection_draining.draining_timeout_sec = 300
        update_mask = {'paths': ['connection_draining']}
        client.update_backend_service(backend_service=backend_service, update_mask=update_mask)
        print(f'Connection draining has been enabled for backend service {backend_service_name}')
By following these steps, you can remediate the misconfiguration of Cloud CDN Regional Backend Services not having connection draining in GCP using Python.

Additional Reading: