More Info:

Load Balancer should not send any new requests to the unhealthy instance if an compute instance fails health checks

Risk Level

Medium

Address

Reliability, Security

Compliance Standards

NISTCSF

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Load Balancers Should Have Connection Draining Enabled In Regional Backend Services” for GCP using GCP console, please follow the below steps:
  1. Go to the GCP console and navigate to the Load Balancing page.
  2. Select the load balancer that you want to remediate.
  3. Click on the Edit button to open the edit screen.
  4. In the edit screen, scroll down to the Backend Services section.
  5. Click on the edit button next to the backend service that you want to remediate.
  6. In the backend service edit screen, scroll down to the Connection Draining section.
  7. Enable the Connection Draining option.
  8. Set the Drain Timeout to the desired value. The recommended value is 60 seconds.
  9. Click on the Save button to save the changes.
  10. Repeat the above steps for all the backend services associated with the load balancer.
  11. Once all the backend services have connection draining enabled, click on the Update button to apply the changes to the load balancer.
By following the above steps, you can remediate the misconfiguration “Load Balancers Should Have Connection Draining Enabled In Regional Backend Services” for GCP using GCP console.

To remediate the misconfiguration “Load Balancers Should Have Connection Draining Enabled In Regional Backend Services” for GCP using GCP CLI, follow the below steps:
  1. Open the GCP CLI terminal and authenticate with your GCP account.
  2. Run the following command to enable connection draining for the regional backend service: 
    gcloud compute backend-services update [BACKEND_SERVICE_NAME] --connection-draining-timeout [TIMEOUT_IN_SECONDS] --global
    Replace [BACKEND_SERVICE_NAME] with the name of the backend service that is associated with the load balancer and [TIMEOUT_IN_SECONDS] with the time in seconds for which you want to enable connection draining. For example, if the name of the backend service is “backend-service-1” and you want to enable connection draining for 300 seconds, the command will look like: 
    gcloud compute backend-services update backend-service-1 --connection-draining-timeout 300 --global
  3. Once you run the command, it will update the backend service and enable connection draining for the regional backend service associated with the load balancer.
  4. Verify the changes by running the following command: 
    gcloud compute backend-services describe [BACKEND_SERVICE_NAME]
    This command will describe the backend service and display the connection draining timeout value. For example, if you want to verify the changes for “backend-service-1”, the command will look like: 
    gcloud compute backend-services describe backend-service-1
  5. Once the changes are verified, you have successfully remediated the misconfiguration “Load Balancers Should Have Connection Draining Enabled In Regional Backend Services” for GCP using GCP CLI.
To remediate the misconfiguration “Load Balancers Should Have Connection Draining Enabled In Regional Backend Services” for GCP using Python, you can follow the below steps:
  1. Install the necessary Python libraries: 
    pip install google-auth google-auth-oauthlib google-auth-httplib2 google-cloud-compute
  2. Authenticate with GCP using the below command: 
    gcloud auth application-default login
  3. Write a Python script to enable connection draining for the load balancers in regional backend services. You can use the below code snippet as a reference: 
    from google.oauth2 import service_account
from google.cloud import compute_v1

# Set the project ID and the credentials file path
project_id = 'your_project_id'
credentials_path = 'path/to/your/credentials.json'

# Authenticate with GCP using the credentials file
credentials = service_account.Credentials.from_service_account_file(credentials_path)

# Initialize the Compute Engine client
compute_client = compute_v1.ComputeClient(credentials=credentials)

# Get the list of regional backend services
backend_services = compute_client.backend_services().list(project=project_id, filter='loadBalancingScheme=EXTERNAL').execute()

# Loop through the backend services and enable connection draining for the load balancers
for backend_service in backend_services['items']:
    backend_service_name = backend_service['name']
    backend_service_region = backend_service['region'].split('/')[-1]
    backend_service_url = f'/compute/v1/projects/{project_id}/regions/{backend_service_region}/backendServices/{backend_service_name}'
    backend_service_data = compute_client.backend_services().get(project=project_id, backendService=backend_service_name).execute()
    health_check_data = compute_client.health_checks().get(project=project_id, healthCheck=backend_service_data['healthChecks'][0].split('/')[-1]).execute()
    connection_draining_data = {
        "drainingTimeoutSec": 300,
        "enabled": True,
        "timeoutSec": health_check_data['timeoutSec']
    }
    request = compute_client.backend_services().patch(project=project_id, backendService=backend_service_name, body=backend_service_data).execute()
    print(f"Connection draining enabled for the backend service {backend_service_name}")
  4. Replace the your_project_id and path/to/your/credentials.json placeholders with your actual project ID and the path to your GCP credentials file.
  5. Run the Python script using the below command: 
    python enable_connection_draining.py
This will enable connection draining for the load balancers in regional backend services for your GCP project.

Additional Reading: