Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Enable Logging for HTTP(S) Load Balancers

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: CloudLoadBalancing-004

Ensure that your Google Cloud HTTP(S) load balancers are configured to log all network traffic.

Security

Enabling logging for Google Cloud load balancers in order to view HTTP(S) network traffic to your web applications is vital because it allows you to monitor and analyze the incoming traffic, identify potential security threats or issues, troubleshoot application performance problems, and gain insights for optimizing your web application's performance and security.

Audit

To determine if your HTTP(S) load balancers are configured to log all network traffic, perform the following operations:

Using GCP Console

  1. Sign in to the Google Cloud Management Console.

  2. Select the GCP project that you want to access from the console top navigation bar.

  3. Navigate to Load Balancing console available at https://console.cloud.google.com/net-services/loadbalancing.

  4. Select the LOAD BALANCERS tab and click on the name (link) of the load balancer that you want to examine.

  5. Select the DETAILS tab and examine the backend service associated with the load balancer, listed in the Backend section. Choose ADVANCED CONFIGURATIONS and check the Logging attribute value. If Logging is set to Disabled, the selected Google Cloud HTTP(S) load balancer is not configured to log all network traffic.

  6. Repeat steps no. 4 and 5 for each load balancer available within the selected GCP project.

  7. Repeat steps no. 2 – 6 for each project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

  1. Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

    gcloud projects list
				--format="table(projectId)"

  2. The command output should return the requested GCP project identifiers (IDs):

    PROJECT_ID
				cc-project5-stack-123123
				cc-bigdata-project-112233

  3. Run compute url-maps list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name of each load balancer (identified by an URL map) created for the selected project:

    gcloud compute url-maps list
				--project cc-project5-stack-123123
				--format="table(name)"

  4. The command output should return the name(s) of the existing load balancer(s):

    NAME
				cc-project5-web-load-balancer
				cc-project5-int-load-balancer

  5. Run compute url-maps describe command (Windows/macOS/Linux) using the name of the GCP load balancer that you want to examine as the identifier parameter and custom query filters to describe the resource URL of the backend service associated with the selected load balancer:

    gcloud compute url-maps describe cc-project5-web-load-balancer
				--format="value(defaultService)"

  6. The command output should return the requested resource URL:

    https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/backendServices/cc-project5-web-backend-service

  7. Run compute backend-services describe command (Windows/macOS/Linux) using the URL of the associated backend service that you want to examine as the identifier parameter and custom output filtering to describe the logging configuration status available for the selected backend service:

    gcloud compute backend-services describe https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/backendServices/cc-project5-web-backend-service
				--format="value(logConfig.enable)"

  8. The command output should return the logging status set for the selected resource (True for enabled, False for disabled):

    False

    If the compute backend-services describe command output returns False, as shown in the example above, the selected Google Cloud HTTP(S) load balancer is not configured to log all network traffic.

  9. Repeat steps no. 5 – 8 for each load balancer created for the selected GCP project.

  10. Repeat steps no. 3 – 9 for each project deployed in your Google Cloud Platform (GCP) account.

Remediation / Resolution

To ensure that your Google Cloud HTTP(S) load balancers are configured to log all network traffic, perform the following actions:

Using GCP Console

  1. Sign in to the Google Cloud Management Console.

  2. Select the GCP project that you want to access from the console top navigation bar.

  3. Navigate to Load Balancing console available at https://console.cloud.google.com/net-services/loadbalancing.

  4. Select the LOAD BALANCERS tab, click on the name (link) of the load balancer that you want to configure, and choose EDIT.

  5. Select the Backend configuration tab, choose the backend service that you want to reconfigure, and click on the pencil icon (EDIT), to modify the resource configuration.

  6. For Logging, select the Enable logging checkbox to enable the logging feature and set the appropriate Sample rate. Sample rate specifies the sampling probability that an HTTP(S) access entry gets logged. The sampling probability is a percentage represented as a decimal point, 1.0 means 100%. You can specify a number from 0 to 1.

  7. Choose UPDATE to save the configuration changes.

  8. Repeat steps no. 4 – 7 for each load balancer available within the selected GCP project.

  9. Repeat steps no. 2 – 8 for each project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

  1. Run compute backend-services update command (Windows/macOS/Linux) to attach the new edge security policy to the backend service associated with your Google Cloud load balancer:

    gcloud compute backend-services update https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/backendServices/cc-project5-web-backend-service
				--enable-logging
				--logging-sample-rate=1.0

  2. The command output should return the URL of the updated backend service:

    Updated [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/backendServices/cc-project5-web-backend-service].

  3. Repeat steps no. 1 and 2 to enable logging for each HTTP(S) load balancer deployed in the selected GCP project.

  4. Repeat steps no. 1 – 3 for each project created within your Google Cloud Platform (GCP) account.

References

Publication date Jun 29, 2023

Related CloudLoadBalancing rules