Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Cloud Run Request Concurrency

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the value configured for the maximum concurrent requests per instance is optimal in order to improve application responsiveness and scalability during traffic spikes, and enhance user experience. Maximum concurrent requests per instance refer to the maximum number of incoming HTTP requests that can be processed simultaneously by a single container instance running on Google Cloud Run. The maximum concurrent requests per instance value (concurrency threshold) must be defined in the conformity rule settings, on the Trend Micro Cloud One™ – Conformity account console.

Reliability

Configuring a higher concurrent requests per instance for Google Cloud Run services allows your application to handle more simultaneous user interactions, improving responsiveness and user experience. It can optimize resource utilization, reducing latency during traffic spikes, and ensure better scalability for applications with varying workloads.

Audit

To determine the maximum concurrent requests per instance configured for Cloud Run services, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Run console at https://console.cloud.google.com/run.

04 Click on the name (link) of the Cloud Run managed service that you want to examine.

05 Select the REVISIONS tab to access the service revisions. A revision is created when you deploy to a Cloud Run service or change the configuration of a service. Each revision created is immutable.

06 Select the latest service revision listed in the Revisions list. The latest (current) revision of the selected service is the one with the traffic set to 100%.

07 Select the CONTAINERS tab and check the Concurrency attribute value, listed in the General section to determine the maximum concurrent requests per instance configured for the selected service. If the Concurrency value is lower than the threshold value configured in your Trend Micro Cloud One™ – Conformity account settings, the request concurrency value configured for the selected Cloud Run service is not compliant.

08 Repeat step no. 4 – 7 for each Cloud Run managed service created within the selected project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each Google Cloud Platform (GCP) project available in your cloud account: 

gcloud projects list 
  --format="table(projectId)"

02 The command output should return the requested GCP project IDs: 

PROJECT_ID
  cc-web-stack-project-123123
  cc-app-stack-project-112233

03 Run services list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and region of each Cloud Run managed service created for the selected project: 

gcloud run services list
  --project cc-web-stack-project-123123
  --platform=managed
  --format="table(name,region)"

04 The command output should return the requested resource identification information: 

NAME                      REGION
cc-project5-web-service   us-central1
cc-analytics-app-service  us-central1

05 Run services describe command (Windows/macOS/Linux) using the name and the region of the Cloud Run service that you want to examine as identifier parameters, to describe the latest (current) revision of the selected service. An immutable revision is created when you deploy to a Cloud Run service or change the configuration of a service: 

gcloud run services describe cc-project5-web-service
  --platform=managed
  --region us-central1

06 The command output should return the details of the latest Cloud Run service revision: 

Service cc-project5-web-service in region us-central1

	URL:     https://cc-project5-web-service-abcd1234abcd-uc.a.run.app
	Ingress: all
	Traffic:
	100% LATEST (currently cc-project5-web-service-00001-mml)

	Revision cc-project5-web-service-00001-mml
	Container None
		Image:           us-docker.pkg.dev/cloudrun/container/project5
		Port:            8080
		Memory:          256Mi
		CPU:             1000m
		Startup Probe:
			TCP every 240s
			Port:          8080
			Initial delay: 0s
			Timeout:       240s
			Failure threshold: 1
			Type:          Default
	Service account:   123456789012-compute@developer.gserviceaccount.com
	Concurrency:       1
	Max Instances:     3
	Timeout:           300s

Check the Concurrency attribute value returned by the services describe command output to determine the maximum concurrent requests per instance configured for the selected service. If the Concurrency value is lower than the threshold value configured in your Trend Micro Cloud One™ – Conformity account settings, the request concurrency value configured for the selected Cloud Run service is not compliant.

07 Repeat step no. 5 and 6 for each Cloud Run service available within the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To configure the maximum concurrent requests per instance for your Cloud Run managed service, you have to create a new service revision with the appropriate configuration. To deploy a new revision for your Cloud Run service, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Run console at https://console.cloud.google.com/run.

04 Any configuration change made to a Cloud Run service leads to the deployment of a new revision. Subsequent revisions will also automatically get the configuration setting unless you make explicit updates to change it. Click on the name (link) of the Cloud Run managed service that you want to configure and choose EDIT & DEPLOY NEW REVISION to create a new revision for the selected service.

05 On the new revision deployment page, in the Capacity section, configure the number available in the Maximum concurrent requests per instance configuration box in order to match the concurrency threshold defined in the Trend Micro Cloud One™ – Conformity account settings. To send all traffic to the new service revision, select the Serve this revision immediately checkbox. Choose DEPLOY to create a new revision for the selected Cloud Run managed service.

06 Repeat steps no. 4 and 5 for each Cloud Run service that you want to configure, created for the selected project.

07 Repeat steps no. 2 – 6 for each GCP project available within your Google Cloud account.

Using GCP CLI

01 Run services update command (Windows/macOS/Linux) using the name and the region of the Cloud Run managed service that you want to configure as the identifier parameters, to set the maximum number of concurrent requests allowed per container instance, for the selected service. The --concurrency parameter value must match the concurrency threshold defined in the Trend Micro Cloud One™ – Conformity account settings. Any configuration change made to a Cloud Run service leads to the deployment of a new revision. Subsequent revisions will also automatically get the configuration setting unless you make explicit updates to change it: 

gcloud beta run services update cc-project5-web-service
  --platform=managed
  --region us-central1
  --concurrency=25

02 The command output should return the information available for the newly created Cloud Run service revision: 

✓ OK Deploying... Done.
✓ OK Creating Revision...Done.
✓ OK Routing traffic...Done.

Service [cc-project5-web-service] revision [cc-project5-web-service-00002-bca] has been deployed and is serving 100 percent of traffic.
Service URL: https://cc-project5-web-service-1234abcd1234-uc.a.run.app

03 Repeat steps no. 1 and 2 for each Cloud Run service that you want to configure, deployed in the selected project.

04 Repeat steps no. 1 – 3 for each GCP project created within your Google Cloud account.

References

Publication date Oct 24, 2023

Related CloudRun rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Cloud Run Request Concurrency

Risk Level: Medium