Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Configure SSL/TLS certificates for Cloud CDN backend service origins

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudCDN-003

Ensure that Google Cloud CDN backend service origins are using SSL/TLS certificates to enforce HTTPS in order to manage encrypted traffic. This helps you to protects the integrity and confidentiality of the transmitted information.

Security
Operational
excellence

Ensure that Google Cloud CDN backend service origins are using SSL/TLS certificates to enforce HTTPS in order to manage encrypted traffic. This helps you to protects the integrity and confidentiality of the transmitted information.

Audit

To determine if your Cloud CDN backend service origins are using SSL/TLS certificates, perform the following operations:

Using GCP Console

  1. Sign in to the Google Cloud Management Console.

  2. Select the GCP project that you want to examine from the console top navigation bar.

  3. Navigate to the Cloud CDN console available at https://console.cloud.google.com/net-services/cdn/.

  4. Click on the name (link) of the Cloud CDN origin that you want to examine.

  5. Select the DETAILS tab and check the Origin type attribute value listed under Origin configuration. If the Origin type is set to Backend service origin, the origin is a backend service resource and the Audit process continues with the next step. Otherwise, the Audit process stops here.

  6. Note the name of the associated load balancer, listed under Host and path rules.

  7. Navigate to Cloud Load Balancing console available at https://console.cloud.google.com/net-services/loadbalancing.

  8. Choose the load balancer associated with your backend service resource and check the name of the protocol(s) listed in the Protocols column. If the HTTPS protocol is not listed in the Protocols column, the associated Cloud CDN backend service origin does not enforce HTTPS using SSL/TLS certificates.

  9. Repeat steps no. 4 – 8 for each project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

  1. Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each GCP project available within your Google Cloud account:

    gcloud projects list
  --format="table(projectId)"

  2. The command output should return the requested GCP project identifier(s):

    PROJECT_ID
  cc-web-app-project-112233
  cc-bigdata-project-123123

  3. Run compute url-maps list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom filtering to list the name of each load balancer (and the associated CDN origin) provisioned for the selected project:

    gcloud compute url-maps list
  --project cc-web-app-project-112233
  --format="table(name,defaultService)"

  4. The command output should return the requested information. If DEFAULT_SERVICE is set to backendServices/[resource-name], the load balancer listed by the compute url-maps list command output is associated with a backend service resource and the Audit process continues with the next step. Otherwise, the Audit process stops here:

    NAME: cc-frontend-load-balancer
DEFAULT_SERVICE: backendServices/cc-cdn-backend-service-origin

  5. Run compute forwarding-rules list command (Windows/macOS/Linux) to list all the Google Compute Engine forwarding rules within the selected GCP project in order to identify the forwarding rules used by your load balancer:

    gcloud compute forwarding-rules list
  --project cc-web-app-project-112233

  6. The command output should return the requested configuration information:

    NAME: cc-frontend-load-balancer-forwarding-rule
REGION:
IP_ADDRESS: 10.0.30.15
IP_PROTOCOL: TCP
TARGET: cc-frontend-load-balancer-target-proxy

  7. Run compute forwarding-rules describe command (Windows/macOS/Linux) to describe the port range configured for the forwarding rule used by your load balancer in order to determine if the resource allows traffic via port 443 (HTTPS):

    gcloud compute forwarding-rules describe cc-frontend-load-balancer-forwarding-rule
  --global
  --format="value(portRange)"

  8. The command output should return the requested configuration information:

    80-80

    If the compute forwarding-rules describe command output returns 80-80, as shown in the output example above, the resource allows traffic via port 80 (HTTP), therefore the associated Cloud CDN backend service origin does not enforce HTTPS using SSL/TLS certificates.

  9. Repeat steps no. 3 – 8 for each project created within your Google Cloud Platform (GCP) account.

Remediation / Resolution

To ensure that your Cloud CDN backend service origins enforce HTTPS using SSL/TLS certificates, perform the following operations:

Using GCP Console

  1. Sign in to the Google Cloud Management Console.

  2. Select the GCP project that you want to examine from the console top navigation bar.

  3. Navigate to Cloud Load Balancing console available at https://console.cloud.google.com/net-services/loadbalancing.

  4. Click on the name (link) of the load balancer associated with your backend service resource and choose EDIT.

  5. Choose Frontend configuration, choose ADD FRONTEND IP AND PORT, and perform the following operations:

    1. For Name, provide a name for your new frontend configuration.
    2. For Protocol, select HTTPS (including HTTP/2).
    3. Click inside the Certificate box and choose CREATE NEW CERTIFICATE. Enter the certificate name and choose whether to upload your own certificate information (i.e. public key certificate and private key) or provision a new, Google-managed certificate with the Certificate Manager service. If you choose to request a Google-managed certificate, provide the domain for the new certificate. Choose CREATE to provision your new SSL/TLS certificate.
    4. Select the newly created certificate and choose OK.
    5. Choose DONE to save the changes.

  6. Remove any HTTP configurations listed in the Frontend configuration section, and choose UPDATE to apply the configuration changes.

  7. Repeat steps no. 2 – 6 for each GCP project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

  1. To create a global SSL/TLS certificate resource for the load balancer associated with your Cloud CDN backend bucket origin, run compute ssl-certificates create command (Windows/macOS/Linux) with the --global parameter. Replace [certificate-file] and [private-key-file] with your own self-managed certificate files:

    gcloud compute ssl-certificates create cc-service-origin-certificate
				--global
				--certificate=
				--private-key=

  2. The command output should return the URL of the new certificate resource:

    Created [https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/sslCertificates/cc-service-origin-certificate].

  3. Run compute target-https-proxies create command (Windows/macOS/Linux) using the name of the load balancer that you want to reconfigure as the identifier parameter and the name of the newly created SSL/TLS certificate resource as command parameter, to create a target HTTPS proxy that routes requests to the selected load balancer (identified by the URL map). The HTTPS proxy is the component of the load balancer that holds your certificate for secure load balancing:

    gcloud compute target-https-proxies create cc-frontend-load-balancer-target-proxy
				--url-map cc-frontend-load-balancer
				--ssl-certificates cc-service-origin-certificate

  4. The command output should return the URL of the newly created HTTPS proxy:

    Created [https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/targetHttpsProxies/cc-frontend-load-balancer-target-proxy].

  5. Run compute forwarding-rules create command (Windows/macOS/Linux) to create a global forwarding rule that routes incoming requests to the target HTTPS proxy created at the previous steps in order to enable HTTPS for the associated load balancer. Replace [ipv4-address] with the static IPv4 address configured for the selected load balancer:

    gcloud compute forwarding-rules create cc-lb-https-frontend-config
				--global
				--address=[ipv4-address]
				--target-https-proxy=cc-frontend-load-balancer-target-proxy
				--ports=443

  6. The command output should return the URL of the new load balancer forwarding rule:

    Created [https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/forwardingRules/cc-lb-https-frontend-config].

  7. Repeat steps no. 1 – 6 for each GCP project created within your Google Cloud Platform (GCP) account.


References

Publication date May 24, 2023

Related CloudCDN rules