
Configure multiple zones for Managed Instance Groups

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Low (generally tolerable risk)

Ensure that Managed Instance Groups (MIGs) are spread across multiple zones within a Google Cloud region for high availability and fault tolerance.

Categories: Security, Reliability, Cost optimisation, Performance efficiency, Operational excellence

Spreading application load across multiple Google Cloud zones with Managed Instance Groups (MIGs) is crucial for enhancing the availability, resilience, and performance of your application. When you allocate your MIG instances across multiple zones, your application can remain available and functional even when a single zone suffers a failure or outage. Additionally, this practice enables performance optimization and facilitates the implementation of a disaster recovery strategy.


Audit

To determine if your Managed Instance Groups (MIGs) are configured to run instances across multiple zones, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Compute Engine console available at https://console.cloud.google.com/compute and choose Instance groups.

04 Click inside the Filter box, select Group type, and choose Managed to list all Managed Instance Groups (MIGs) available for the selected GCP project.

05 Click on the name (link) of the instance group that you want to examine.

06 Select the DETAILS tab and check the number of zones listed under Location. If Location lists just one zone (e.g. us-central1-a), the selected Google Cloud Managed Instance Group (MIG) is not configured to run instances across multiple zones.

07 Repeat steps no. 5 and 6 for each Managed Instance Group available within the selected project.

08 Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with a custom output format to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-project5-stack-123123
cc-bigdata-project-112233

03 Run the compute instance-groups list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the --project parameter and a custom output format to list the name of each Managed Instance Group (MIG) created for the selected project:

gcloud compute instance-groups list \
  --project cc-project5-stack-123123 \
  --only-managed \
  --format="table(name)"

04 The command output should return the name(s) of the existing instance group(s):

cc-web-instance-group
cc-dev-instance-group

05 Run the compute instance-groups managed describe command (Windows/macOS/Linux) with a custom output format to list the name of each zone included in the distribution policy configured for the selected instance group:

gcloud compute instance-groups managed describe cc-web-instance-group \
  --format="json(distributionPolicy.zones)"

06 The command output should return the requested zone names (full names/URLs):

null

If the compute instance-groups managed describe command output returns null, as shown in the example above, there is no distribution policy configured for the instance group; therefore the selected Managed Instance Group (MIG) is not configured to run instances across multiple zones.

07 Repeat steps no. 5 and 6 for each Managed Instance Group available in the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud Platform (GCP) account.
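As an added example (not part of the Conformity article), the following Python parses the JSON that the describe command returns and flags a MIG that has no distribution policy (the null case above) or whose policy lists only a single zone, which is just as exposed to a zonal outage. The sample documents and the cc-api-instance-group name are constructed; it assumes describe is run with --format=json and with the --region or --zone flag of the group.

```python
import json

# Assumption (not from the page): the JSON shape below mirrors what
#   gcloud compute instance-groups managed describe NAME --region REGION --format=json
# returns (use --zone ZONE for a zonal MIG); distributionPolicy.zones holds zone URLs.
MIN_ZONES = 2  # fewer than two zones cannot survive a single-zone outage
PROJECT = "cc-project5-stack-123123"


def _zone_url(zone: str) -> str:
    return f"https://www.googleapis.com/compute/v1/projects/{PROJECT}/zones/{zone}"


def zone_names(mig: dict) -> list:
    """Short zone names from distributionPolicy.zones; empty when the policy is absent or null."""
    policy = mig.get("distributionPolicy") or {}
    return [z["zone"].rstrip("/").rsplit("/", 1)[-1] for z in policy.get("zones", [])]


def evaluate_mig(mig: dict) -> dict:
    """Classify one MIG. No distributionPolicy is the page's 'null' case (a zonal MIG);
    a regional MIG that lists a single zone is just as exposed, so count the zones."""
    zones = zone_names(mig)
    policy = mig.get("distributionPolicy") or {}
    if len(zones) >= MIN_ZONES:
        reason = f"spread across {len(zones)} zones"
    elif not zones:
        reason = "no distribution policy (zonal MIG)"
    else:
        reason = "distribution policy lists only one zone"
    return {"name": mig["name"], "zones": zones, "target_shape": policy.get("targetShape"),
            "compliant": len(zones) >= MIN_ZONES, "reason": reason}


def audit(describe_outputs: list) -> list:
    """Parse one raw JSON document per describe call and return a finding for each."""
    return [evaluate_mig(json.loads(raw)) for raw in describe_outputs]


# Constructed sample documents standing in for real describe output.
SAMPLES = [
    json.dumps({"name": "cc-dev-instance-group", "zone": _zone_url("us-central1-a")}),
    json.dumps({"name": "cc-web-instance-group",
                "distributionPolicy": {"targetShape": "EVEN", "zones": [
                    {"zone": _zone_url(z)} for z in ("us-central1-a", "us-central1-b", "us-central1-c")]}}),
    json.dumps({"name": "cc-api-instance-group",
                "distributionPolicy": {"targetShape": "ANY", "zones": [{"zone": _zone_url("us-central1-b")}]}}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(("PASS" if finding["compliant"] else "FAIL"), finding["name"] + ":", finding["reason"])
```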

Remediation / Resolution

To ensure that your Managed Instance Groups (MIGs) are spread across multiple zones in a region, you must re-create your MIGs with the appropriate location configuration. To provision a new Managed Instance Group, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Compute Engine console available at https://console.cloud.google.com/compute and choose Instance groups.

04 Choose CREATE INSTANCE GROUPS, select New managed instance group (stateless) or New managed instance group (stateful), and follow the GCP console setup wizard to configure the required settings for the new Managed Instance Group.

05 For Location, select Multiple zones, choose a region and select the zones you want to use for the instance group, then choose Even for Target distribution shape to distribute managed instances evenly across the selected zones. Also, ensure that the Allow instance redistribution checkbox is selected for proactive instance redistribution.

06 Depending on your instance group type (stateless or stateful), once all the required settings are configured, choose CREATE to provision your new, multi-zone Google Cloud Managed Instance Group (MIG).

07 Repeat steps no. 4 – 6 for each Managed Instance Group that you want to spread across multiple zones in a region, deployed for the selected project.

08 Repeat steps no. 2 – 7 for each GCP project available within your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run the compute instance-groups managed create command (Windows/macOS/Linux) to create a new, multi-zone Google Cloud Managed Instance Group (MIG). Use the --zones command parameter to specify the zones for instance distribution:

gcloud compute instance-groups managed create cc-web-instance-group \
  --template cc-web-instance-template \
  --size 3 \
  --target-distribution-shape even \
  --instance-redistribution-type proactive \
  --zones us-central1-a,us-central1-b,us-central1-c

02 The command output should return the configuration information for the new instance group:

Created [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/regions/us-central1/instanceGroupManagers/cc-web-instance-group].
NAME: cc-web-instance-group
LOCATION: us-central1
SCOPE: region
BASE_INSTANCE_NAME: cc-web-instance-group
SIZE: 3
TARGET_SIZE: 3
INSTANCE_TEMPLATE: cc-web-instance-template

03 Repeat steps no. 1 and 2 for each Managed Instance Group that you want to spread across multiple zones in a region, deployed for the selected project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud Platform (GCP) account.

Publication date May 26, 2023
