Configure load balancers for Managed Instance Groups

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Low (generally tolerable risk)
Rule ID: ComputeEngine-013

Ensure that each Managed Instance Group is using a load balancer to act as an instance group frontend. Google Cloud Managed Instance Groups (MIGs) are groups of virtual machine (VM) instances that you control as a single entity. MIGs support rich features such as autoscaling and autohealing, load balancing, multiple zone coverage, and stateful workloads.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security · Reliability · Cost optimisation · Performance efficiency · Operational excellence

To ensure availability and scalability for websites and web applications hosted on a Google Cloud instance group, it is strongly recommended to place a load balancer in front of the instance group. A load balancer configured for a Managed Instance Group (MIG) distributes traffic across the healthy VM instances in the group, takes unhealthy instances out of rotation based on health checks, and lets the group scale without any change to the public endpoint. It also gives you a single, controlled ingress point for the group instead of exposing each instance directly to clients, so your websites and applications remain consistently available and responsive to end users.


Audit

To determine if your Managed Instance Groups are associated with load balancers, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Compute Engine console available at https://console.cloud.google.com/compute/ and choose Instance groups.

04 Click inside the Filter box, select Group type, and choose Managed to list all Managed Instance Groups (MIGs) available for the selected GCP project.

05 Choose the instance group that you want to examine and check the name of the backend service resource listed in the In Use By column. If there is no resource name listed in the In Use By column for the instance group, the selected Google Cloud Managed Instance Group (MIG) is not associated with a load balancer.

06 Repeat step no. 5 for each Managed Instance Group available within the selected project.

07 Repeat steps no. 2 – 6 for each GCP project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-project5-stack-123123
cc-bigdata-project-112233

03 Run compute instance-groups list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter, the --only-managed flag to exclude unmanaged instance groups, and custom query filters to list the name of each Managed Instance Group (MIG) created for the selected project:

gcloud compute instance-groups list \
  --project cc-project5-stack-123123 \
  --only-managed \
  --format="table(name)"

04 The command output should return the name(s) of the existing instance group(s):

NAME
cc-dev-instance-group
cc-web-instance-group

05 Run compute backend-services list command (Windows/macOS/Linux) using custom query filters to list the name of each backend service created for the selected GCP project together with the instance groups attached to it as backends. A backend service is required for any Google Cloud load balancer; it can contain multiple backends, and an instance group is one type of backend. The command returns both global and regional backend services, and the backends[].group projection lists every backend of a service, not only the first one:

gcloud compute backend-services list \
  --project cc-project5-stack-123123 \
  --format="table(name,backends[].group)"

06 The command output should return the requested configuration information:

NAME: cc-web-backend-service
GROUP: https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/zones/us-central1-a/instanceGroups/cc-dev-instance-group

NAME: cc-net-backend-service
GROUP: https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/zones/us-central1-a/instanceGroups/cc-dev-instance-group

NAME: cc-main-backend-service
GROUP: https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/zones/us-central1-a/instanceGroups/cc-dev-instance-group

Compare the instance group URLs returned by the compute backend-services list command with the Managed Instance Group names returned at step no. 4. Match on the full URL (zone or region included) rather than on the name alone, because the same group name can exist in more than one zone or region of a project. If a Managed Instance Group (MIG) is not referenced by any backend service, the MIG is not using a load balancer as an instance group frontend. In the example output above, cc-web-instance-group is not referenced by any backend service and is therefore non-compliant.

07 Repeat steps no. 3 – 6 for each GCP project deployed in your Google Cloud Platform (GCP) account.
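The comparison in steps no. 3 – 6 is easy to get wrong by hand when a project has many groups, several zones, or backend services that reference a group through a different API host name. The following script is an added example written for this article (it is not Conformity's own code); it evaluates the same condition offline from the JSON form of the two gcloud commands used above (`--format=json` instead of the table projections). The embedded sample data is constructed, and the project ID, zones, group and service names in it are assumptions. Groups are matched on their self-link, not on their name, so a group with the same name in another zone is still reported.

```python
"""Report Managed Instance Groups (MIGs) that no backend service references.

Added example for this article, not Conformity's own code. It consumes the JSON
output of the two commands the audit procedure uses:

    gcloud compute instance-groups list --project PROJECT --only-managed --format=json
    gcloud compute backend-services list --project PROJECT --format=json

The sample documents below are constructed to resemble those outputs; the field
names (name, zone, region, selfLink, backends[].group) are the real API fields,
the project ID, zones and resource names are assumptions.
"""
import json
import sys
from typing import Iterable

# Assumed project ID, taken from the article's examples.
API = "https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123"

# Constructed sample: four MIGs, including a regional one and a zonal one whose
# name collides with the group that *is* behind the load balancer.
SAMPLE_INSTANCE_GROUPS = json.dumps([
    {"name": "cc-dev-instance-group", "zone": f"{API}/zones/us-central1-a",
     "selfLink": f"{API}/zones/us-central1-a/instanceGroups/cc-dev-instance-group"},
    {"name": "cc-web-instance-group", "zone": f"{API}/zones/us-central1-a",
     "selfLink": f"{API}/zones/us-central1-a/instanceGroups/cc-web-instance-group"},
    {"name": "cc-api-instance-group", "region": f"{API}/regions/us-central1",
     "selfLink": f"{API}/regions/us-central1/instanceGroups/cc-api-instance-group"},
    {"name": "cc-dev-instance-group", "zone": f"{API}/zones/europe-west1-b",
     "selfLink": f"{API}/zones/europe-west1-b/instanceGroups/cc-dev-instance-group"},
])

# Constructed sample: one service references its group through the alternate
# API host name, and one service has no backends at all (no "backends" key).
SAMPLE_BACKEND_SERVICES = json.dumps([
    {"name": "cc-web-backend-service", "backends": [
        {"group": f"{API}/zones/us-central1-a/instanceGroups/cc-dev-instance-group"}]},
    {"name": "cc-api-backend-service", "backends": [
        {"group": "https://compute.googleapis.com/compute/v1/projects/cc-project5-stack-123123"
                  "/regions/us-central1/instanceGroups/cc-api-instance-group"}]},
    {"name": "cc-unused-backend-service"},
])


def normalize(link: str) -> str:
    """Reduce a Compute Engine self-link to its 'projects/...' tail so that links
    emitted with different API host names still compare equal."""
    idx = link.find("projects/")
    return link[idx:] if idx >= 0 else link


def groups_in_use(backend_services: Iterable[dict]) -> set[str]:
    """Self-links of every backend group of every backend service. NEG backends
    are collected too; they simply never match an instance group self-link."""
    return {normalize(b["group"])
            for svc in backend_services
            for b in svc.get("backends", [])
            if "group" in b}


def location(ig: dict) -> str:
    """Zone or region name (last path element) of a zonal or regional group."""
    return (ig.get("zone") or ig.get("region") or "").rsplit("/", 1)[-1]


def find_unfronted_migs(instance_groups_json: str, backend_services_json: str) -> list[dict]:
    """Return the MIGs (name, location, selfLink) that no backend service uses."""
    in_use = groups_in_use(json.loads(backend_services_json))
    return [
        {"name": ig["name"], "location": location(ig), "selfLink": ig["selfLink"]}
        for ig in json.loads(instance_groups_json)
        if normalize(ig["selfLink"]) not in in_use
    ]


def main(argv: list[str]) -> int:
    """Usage: python mig_lb_check.py [instance-groups.json backend-services.json]
    Without arguments the constructed sample data is evaluated. Exit status 1
    means at least one MIG has no load balancer in front of it."""
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            igs, bss = f1.read(), f2.read()
    else:
        igs, bss = SAMPLE_INSTANCE_GROUPS, SAMPLE_BACKEND_SERVICES
    unfronted = find_unfronted_migs(igs, bss)
    for mig in unfronted:
        print(f"NOT COMPLIANT: {mig['name']} ({mig['location']}) "
              "is not a backend of any backend service")
    return 1 if unfronted else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample data the script reports cc-web-instance-group (us-central1-a) and the second cc-dev-instance-group (europe-west1-b) as non-compliant, while the cc-dev-instance-group in us-central1-a and the regional cc-api-instance-group pass; a name-only comparison would have passed the europe-west1-b group by mistake. To check a real project, save the two gcloud JSON outputs to files and pass their paths as the two arguments, once per project.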

Remediation / Resolution

To create and configure load balancers for Managed Instance Groups (MIGs), perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Load Balancing console available at https://console.cloud.google.com/net-services/loadbalancing.

04 On the Load balancing page, select the LOAD BALANCERS tab, and choose CREATE LOAD BALANCER.

05 Choose START CONFIGURATION under HTTP(S) Load Balancing to create an HTTP(S) load balancer.

06 Choose whether to create a global, regional, or classic internet facing load balancer and select CONTINUE.

07 Based on the type of the load balancer that you want to create, follow the GCP console setup wizard to configure the required settings for your new load balancer.

08 For Backend configuration, choose CREATE A BACKEND SERVICE, and follow the setup wizard to configure your new backend service. For Backends, under New backend, select the Managed Instance Group (MIG) that you want to associate with the new load balancer from the Instance group dropdown list, choose the port number on which the instances serve traffic and the balancing mode that fits your workload, and select DONE to save the configuration changes. Make sure that a health check is attached to the backend service, so that traffic is only sent to healthy instances, then choose CREATE to create the required backend service.

09 Select the new backend service and choose OK to add the resource to your load balancer configuration.

10 Choose Review and finalize (optional) to review the load balancer configuration, then select CREATE to create your new GCP load balancer.

11 Repeat steps no. 4 – 10 to create and configure a load balancer for each Managed Instance Group deployed for the selected project.

12 Repeat steps no. 2 – 11 for each GCP project available within your Google Cloud Platform (GCP) account.

Using GCP CLI

Note: As an example, this section outlines the steps required to create an internet-facing, external HTTP load balancer for a Managed Instance Group (MIG). Two prerequisites are assumed: the MIG must define the named port that the backend service references (in this example, a named port called http mapped to port 80, configured with the compute instance-groups set-named-ports command), and a VPC firewall rule must allow ingress from the Google Cloud health check source ranges 130.211.0.0/22 and 35.191.0.0/16 to the backend instances. Without the firewall rule the health check never succeeds and the load balancer sends no traffic to the group.

01 Run compute health-checks create command (Windows/macOS/Linux) to create the health check configuration required to determine whether backend instances respond properly to traffic:

gcloud compute health-checks create http cc-http-health-check \
  --port 80

02 The command output should return the URL of the new health check configuration:

Created [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/healthChecks/cc-http-health-check].
NAME: cc-http-health-check
PROTOCOL: HTTP

03 Run compute backend-services create command (Windows/macOS/Linux) to create the backend service that defines how the load balancer distributes HTTP traffic:

gcloud compute backend-services create cc-web-backend-service \
  --load-balancing-scheme=EXTERNAL \
  --protocol=HTTP \
  --port-name=http \
  --health-checks=cc-http-health-check \
  --global

04 The command output should return the URL of the new backend service:

Created [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/backendServices/cc-web-backend-service].
NAME: cc-web-backend-service
BACKENDS:
PROTOCOL: HTTP

05 Run compute backend-services add-backend command (Windows/macOS/Linux) to add your Managed Instance Group as the backend to the new backend service:

gcloud compute backend-services add-backend cc-web-backend-service \
  --instance-group=cc-web-instance-group \
  --instance-group-zone=us-central1-a \
  --global

06 The command output should return the URL of the modified backend service:

Updated [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/backendServices/cc-web-backend-service].

07 Run compute url-maps create command (Windows/macOS/Linux) to create a URL map to route the incoming requests to the default backend service:

gcloud compute url-maps create cc-web-map-http \
  --default-service cc-web-backend-service

08 The command output should return the identification information available for the new URL map:

Created [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/urlMaps/cc-web-map-http].
NAME: cc-web-map-http
DEFAULT_SERVICE: backendServices/cc-web-backend-service

09 Run compute target-http-proxies create command (Windows/macOS/Linux) to create the target HTTP proxy that will route requests to your new URL map:

gcloud compute target-http-proxies create cc-http-lb-proxy \
  --url-map=cc-web-map-http

10 The command output should return the URL of the new HTTP proxy:

Created [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/targetHttpProxies/cc-http-lb-proxy].
NAME: cc-http-lb-proxy
URL_MAP: cc-web-map-http

11 Run compute forwarding-rules create command (Windows/macOS/Linux) to create a global forwarding rule that routes incoming requests to the new HTTP proxy. The --address flag references a global static IPv4 address named lb-ipv4-1 that this example assumes you have already reserved with the compute addresses create command; omit the flag if you want Google Cloud to assign an ephemeral address instead:

gcloud compute forwarding-rules create cc-http-content-rule \
  --load-balancing-scheme=EXTERNAL \
  --address=lb-ipv4-1 \
  --global \
  --target-http-proxy=cc-http-lb-proxy \
  --ports=80

12 The command output should return the URL of the new global forwarding rule:

Created [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/forwardingRules/cc-http-content-rule].
NAME: cc-http-content-rule
TARGET: cc-http-lb-proxy

13 Repeat steps no. 1 – 12 to create and configure a load balancer for each Managed Instance Group provisioned for the selected project.

14 Repeat steps no. 1 – 13 for each GCP project deployed in your Google Cloud Platform (GCP) account.

Publication date May 26, 2023
