Load Balancers Should Have Connection Draining Enabled In Global Backend Services

​

More Info:

Load Balancer should not send any new requests to the unhealthy instance if an compute instance fails health checks

​

Risk Level

Medium

​

Address

Reliability, Security

​

Compliance Standards

NISTCSF

​

Remediation

​

Using Console

To remediate the misconfiguration of Load Balancers not having connection draining enabled in Global Backend Services in GCP using GCP console, follow the below steps:

1. Login to the GCP console and navigate to the Load Balancing page.

2. Select the Load Balancer that needs to be remediated.

3. Click on the Edit button to edit the Load Balancer configuration.

4. Scroll down to the Backend section and click on the Edit button next to the Global Backend Service.

5. In the Global Backend Service configuration, scroll down to the Connection Draining section.

6. Enable Connection Draining by checking the box next to it.

7. Set the Drain Timeout to the desired value (in seconds) for the load balancer to wait before terminating connections.

8. Click on the Save button to save the changes.

9. Once the changes are saved, verify that the Load Balancer now has Connection Draining enabled for Global Backend Services.

By following these steps, you can remediate the misconfiguration of Load Balancers not having connection draining enabled in Global Backend Services in GCP using GCP console.

​

Using CLI

To remediate the misconfiguration “Load Balancers Should Have Connection Draining Enabled In Global Backend Services” for GCP using GCP CLI, follow the below steps:

1. Open the Cloud Shell in the GCP Console.

2. Run the following command to list all the global backend services in your project:

   gcloud compute backend-services list --global
   

3. Identify the backend service that is associated with the load balancer that needs to be updated. Note down the name of the backend service.

4. Run the following command to enable connection draining for the identified backend service:

   gcloud compute backend-services update [BACKEND_SERVICE_NAME] --connection-draining-timeout [TIMEOUT_IN_SECONDS] --global
   

   Replace [BACKEND_SERVICE_NAME] with the name of the backend service identified in step 3 and [TIMEOUT_IN_SECONDS] with the time in seconds that you want to wait for existing connections to drain before terminating them. For example:

   gcloud compute backend-services update my-backend-service --connection-draining-timeout 300 --global
   

   This command sets the connection draining timeout to 300 seconds (5 minutes).

5. Verify that connection draining is enabled for the backend service by running the following command:

   gcloud compute backend-services describe [BACKEND_SERVICE_NAME] --global | grep "connectionDraining"
   

   Replace [BACKEND_SERVICE_NAME] with the name of the backend service identified in step 3. The output should show “connectionDraining: true”.

With these steps, you have successfully remediated the misconfiguration “Load Balancers Should Have Connection Draining Enabled In Global Backend Services” for GCP using GCP CLI.

​

Using Python

To remediate the misconfiguration “Load Balancers Should Have Connection Draining Enabled In Global Backend Services” for GCP using python, follow these steps:

1. Install the google-cloud-load-balancer library using pip by running the following command:

   pip install google-cloud-load-balancer
   

2. Import the necessary modules in your python script:

   from google.cloud import load_balancer_v1
   from google.protobuf import field_mask_pb2
   

3. Create a client object for the load balancer API:

   client = load_balancer_v1.LoadBalancerClient()
   

4. Get the existing global backend services:

   project_id = 'your-project-id'
   location = 'your-location'
   parent = f"projects/{project_id}/locations/{location}"
   backend_services = client.list_backend_services(request={"parent": parent})
   

5. Loop through the backend services and check if connection draining is enabled. If not, enable it:

   for backend_service in backend_services:
       if backend_service.connection_draining.draining_timeout_sec == 0:
           update_mask = field_mask_pb2.FieldMask(paths=["connection_draining.draining_timeout_sec"])
           backend_service.connection_draining.draining_timeout_sec = 300
           update_request = {
               "backend_service": backend_service,
               "update_mask": update_mask
           }
           client.update_backend_service(request=update_request)
   

   In the above code, we are checking if the draining_timeout_sec parameter in the connection_draining field is set to 0. If it is, we create an update request to set it to 300 seconds (5 minutes).

6. Run the python script to remediate the misconfiguration.

   python remediate_load_balancer_connection_draining.py
   

   Note: Replace remediate_load_balancer_connection_draining.py with the name of your python script.

By following the above steps, you should be able to remediate the misconfiguration “Load Balancers Should Have Connection Draining Enabled In Global Backend Services” for GCP using python.

​

Additional Reading:

• https://cloud.google.com/load-balancing/docs/enabling-connection-draining