Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Approved External Load Balancers

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudLoadBalancing-006

Ensure that your web applications are using only approved external load balancers to comply with your organization's security and industry requirements. Using unapproved load balancers could expose your applications to vulnerabilities. The approved load balancers must be defined in the rule settings, in the TrendAI Vision One™ Cloud Risk Management account console.

Security

Using approved external load balancers for web applications ensures security, reliability, and compatibility with the organization's infrastructure and policies, reducing the risk of vulnerabilities and ensuring optimal performance.

Audit

To determine if your web applications are using approved external load balancers only, perform the following operations:

Using GCP Console

  1. Sign in to your TrendAI Vision One™ Cloud Risk Management account, access Approved External Load Balancers rule settings and identify the list of approved load balancers defined for your Google Cloud projects.

  2. Sign in to the Google Cloud Management Console.

  3. Select the GCP project that you want to access from the console top navigation bar.

  4. Navigate to Network services console available at https://console.cloud.google.com/net-services/.

  5. In the navigation panel, choose Load balancing, and select the LOAD BALANCERS tab.

  6. Click inside the Filter box, choose Access type, and select External to list the external load balancers created for the selected project.

  7. Compare the load balancers list returned at the previous step with the organization-approved list identified at step no. 1. If one or more load balancers are not found in the organization-approved list, the selected GCP project contains unapproved external load balancers.

  8. Repeat steps no. 3 – 7 for each project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

  1. Sign in to your TrendAI Vision One™ Cloud Risk Management account, access Approved External Load Balancers rule settings and identify the list of approved load balancers defined for your Google Cloud projects.

  2. Run projects list command (Windows/macOS/Linux) with custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

    cloud projects list 
  --format="table(projectId)"

  3. The command output should return the requested GCP project identifiers (IDs):

    PROJECT_ID 
cc-project5-stack-123123
cc-bigdata-project-112233

  4. Run compute url-maps list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name of each load balancer (identified by an URL map) created for the selected project:

    gcloud compute url-maps list
  --project cc-project5-stack-123123
  --format="table(name)"

  5. The command output should return the name(s) of the existing load balancer(s):

    NAME
cc-project5-web-load-balancer
cc-project5-cba-load-balancer

  6. Run compute target-http-proxies list command (Windows/macOS/Linux) to describe the name of each target HTTP proxy and the associated load balancer (identified by the URL map), available for the selected project:

    gcloud compute target-http-proxies list 
  --project cc-project5-stack-123123
  --format="table(name,urlMap)"

  7. The command output should return the requested identification information:

    NAME:    cc-project5-web-load-balancer-target-proxy
URL_MAP: cc-project5-web-load-balancer

NAME:    cc-project5-cba-load-balancer-target-proxy
URL_MAP: cc-project5-cba-load-balancer

  8. Run compute forwarding-rules list command (Windows/macOS/Linux) with custom query filters to describe the Compute Engine forwarding rules available within the selected project:

    gcloud compute forwarding-rules list 
  --project cc-project5-stack-123123
  --format="table(name,loadBalancingScheme,target)

  9. The command output should return the requested information. If the LOAD_BALANCING_SCHEME attribute value for the target proxy associated with your load balancer is set to EXTERNAL_MANAGED, as shown in the example below, the selected load balancer is external:

    NAME: cc-project5-web-load-balancer-forwarding-rule
LOAD_BALANCING_SCHEME: EXTERNAL_MANAGED
TARGET: https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/targetHttpProxies/cc-project5-web-load-balancer-target-proxy

    After you have identified the external load balancers, compare the load balancers list returned at step no. 5 with the organization-approved list identified at step no. 1. If one or more load balancers are not found in the organization-approved list, the selected GCP project contains unapproved external load balancers.

  10. Repeat steps no. 4 – 9 for each project deployed in your Google Cloud Platform (GCP) account.

Remediation / Resolution

To remove the unapproved external load balancers from your GCP projects, perform the following operations:

Using GCP Console

  1. Sign in to the Google Cloud Management Console.

  2. Select the GCP project that you want to access from the console top navigation bar.

  3. Navigate to Network services console available at https://console.cloud.google.com/net-services/.

  4. In the navigation panel, choose Load balancing, and select the LOAD BALANCERS tab.

  5. Click inside the Filter box, choose Access type, and select External to list the external load balancers created for the selected project.

  6. Select the unapproved load balancer that you want to remove and choose DELETE from the top menu.

  7. In the Delete load balancer confirmation box, choose whether to remove the backend service/bucket as well, and select DELETE LOAD BALANCER/DELETE LOAD BALANCER AND THE SELECTED RESOURCES to remove the unapproved resource(s).

  8. Repeat steps no. 6 and 7 for each unapproved external load balancer available within the selected GCP project.

  9. Repeat steps no. 2 – 8 for each project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

  1. To delete an external load balancer, you have to remove first the associated resources, including forwarding rules. Run compute forwarding-rules delete command (Windows/macOS/Linux) to remove the forwarding rules configured for your unapproved load balancer:

    gcloud compute forwarding-rules delete cc-project5-web-load-balancer-forwarding-rule 
  --project cc-project5-stack-123123 
  --global

  2. Type Y and press Enter at the command prompt to confirm the resource removal:

    The following global forwarding rules will be deleted:
- [cc-project5-web-load-balancer-forwarding-rule]

Do you want to continue (Y/n)? Y

  3. The command output should return the URL of the deleted resource:

    Deleted [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/forwardingRules/cc-project5-web-load-balancer-forwarding-rule].

  4. Run compute target-http-proxies delete command (Windows/macOS/Linux) to delete the target proxy associated with your unapproved load balancer:

    gcloud compute target-http-proxies delete cc-project5-web-load-balancer-target-proxy 
  --project cc-project5-stack-123123

  5. Type Y and press Enter at the command prompt to confirm the resource removal:

    The following target http proxies will be deleted:
- [cc-project5-web-load-balancer-target-proxy]

Do you want to continue (Y/n)? Y

  6. The command output should return the URL of the deleted resource:

    Deleted [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/targetHttpProxies/cc-project5-web-load-balancer-target-proxy].

  7. Run compute url-maps delete command (Windows/macOS/Linux) to remove the unapproved external load balancer from your GCP project:

    gcloud compute url-maps delete cc-project5-web-load-balancer 
  --project cc-project5-stack-123123

  8. Type Y and press Enter at the command prompt to confirm the resource removal:

    The following url maps will be deleted:
- [cc-project5-web-load-balancer]

Do you want to continue (Y/n)? Y

  9. The command output should return the URL of the deleted resource:

    Deleted [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/urlMaps/cc-project5-web-load-balancer].

  10. Repeat steps no. 1 - 9 for each unapproved external load balancer available in the selected GCP project.

  11. Repeat steps no. 1 – 10 for each project created within your Google Cloud Platform (GCP) account.

References

Publication date May 1, 2024

Related CloudLoadBalancing rules