
Configure Cloud CDN origin backend bucket

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Cloud CDN origin associated with your Google Cloud load balancer points to a backend bucket instead of backend service in order to provide enhanced performance, cost savings, simplified management, and the ability to customize caching rules.

Security, Reliability, Operational excellence

In Google Cloud, you have the flexibility to select the appropriate backend resource for the Cloud CDN origin, as global external load balancers support backend buckets, backend services, and external backends that exist outside of Google Cloud Platform (GCP). Using a bucket as the backend origin for Cloud CDN provides simplified management, scalability, and customizable caching rules. It integrates seamlessly with Google Cloud Storage, enabling efficient content management and leveraging Google's global infrastructure for optimal performance and delivery. The advantages of using storage buckets as Cloud CDN backend origins contribute to an improved user experience and reduced operational overhead when serving content over the Internet.


Audit

To determine if your Cloud CDN origin points to a backend bucket, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to the Cloud CDN console available at https://console.cloud.google.com/net-services/cdn.

04 Click on the name (link) of the Cloud CDN origin associated with the load balancer that you want to examine. The name of the associated load balancer is listed in the Associated load balancers column.

05 Select the DETAILS tab and check the Origin type attribute value listed under Origin configuration. If the Origin type is set to Backend service origin, the selected Google Cloud CDN origin is using a backend service instead of a backend bucket as the backend origin resource.

06 Repeat steps no. 4 and 5 for each Cloud CDN origin created for the selected GCP project.

07 Repeat steps no. 2 – 6 for each project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each GCP project available within your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifier(s):

PROJECT_ID
  cc-web-app-project-112233
  cc-bigdata-project-123123

03 Run compute url-maps list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom filters to list the name of each load balancer provisioned for the selected project, and the type and name of the Cloud CDN origin associated with the load balancer:

gcloud compute url-maps list \
  --project cc-web-app-project-112233 \
  --format="table(name,defaultService)"

04 The command output should return the requested information:

NAME: cc-external-load-balancer
DEFAULT_SERVICE: backendServices/cc-net-backend-service-origin

NAME: cc-frontend-load-balancer
DEFAULT_SERVICE: backendServices/cc-web-backend-service-origin

NAME: cc-project5-load-balancer
DEFAULT_SERVICE: backendServices/cc-main-backend-service-origin

If the DEFAULT_SERVICE attribute is set to backendServices/[backend-resource-name], the load balancer listed in the compute url-maps list command output is configured with a backend service; therefore the associated Google Cloud CDN origin is using a backend service instead of a backend bucket as the backend origin resource.

05 Repeat steps no. 3 and 4 for each Cloud CDN origin provisioned for the selected GCP project.

06 Repeat steps no. 3 – 5 for each project created within your Google Cloud Platform (GCP) account.
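The following shell script is an added example, not part of the Conformity page or of Google's tooling. It automates CLI audit steps 1 – 6: it lists projects and their URL maps with gcloud, then classifies each load balancer's default backend as a backend bucket or a backend service and returns non-zero when any load balancer still defaults to a backend service. It assumes an authenticated gcloud session; the project and resource names in the test are constructed.

```shell
#!/bin/sh
# Added audit helper (not Conformity's or Google's code). Automates audit
# steps 1-6: list projects, list each project's URL maps (load balancers),
# flag any whose default backend is a backend service, not a backend bucket.
set -eu

# Classify a defaultService value. gcloud's value() format prints the full
# resource URL, while table() output shows the short backendServices/... form;
# the substring match handles both. Empty or unexpected values are "unknown".
classify_default_backend() {
  case "$1" in
    *backendBuckets/*)  echo "bucket" ;;
    *backendServices/*) echo "service" ;;
    *)                  echo "unknown" ;;
  esac
}

# Audit one project. Prints "<project> <url-map> <kind>" per URL map and
# returns non-zero if any URL map does not default to a backend bucket.
audit_project() {
  project="$1"
  findings=0
  maps=$(gcloud compute url-maps list --project "$project" \
           --format="value(name,defaultService)")
  [ -n "$maps" ] || { echo "$project: no URL maps"; return 0; }
  # Fields are tab-separated; the here-document keeps the loop in this
  # shell (no subshell) so the $findings counter survives the loop.
  while IFS="$(printf '\t')" read -r name svc; do
    kind=$(classify_default_backend "$svc")
    echo "$project $name $kind"
    [ "$kind" = "bucket" ] || findings=$((findings + 1))
  done <<EOF
$maps
EOF
  [ "$findings" -eq 0 ]
}

# Audit every project visible to the active account (audit steps 1, 2 and 6).
audit_all() {
  rc=0
  for project in $(gcloud projects list --format="value(projectId)"); do
    audit_project "$project" || rc=1
  done
  return "$rc"
}

if [ "${1:-}" = "--audit" ]; then
  audit_all
fi
```

Run it as `sh audit-cdn-origins.sh --audit`; a non-zero exit code means at least one load balancer still needs the remediation below.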

Remediation / Resolution

To ensure that your Cloud CDN origins point to a backend bucket instead of a backend service, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Load Balancing console available at https://console.cloud.google.com/net-services/loadbalancing.

04 Click on the name (link) of the load balancer that you want to configure and choose EDIT.

05 Choose Backend configuration, click inside the Backend services & backend bucket field, choose CREATE A BACKEND BUCKET, and perform the following operations:

  1. For Backend bucket name, choose Browse and select the storage bucket that you want to use as the backend for your load balancer with Cloud CDN.
  2. Select the Enable Cloud CDN checkbox under Cloud CDN and configure the Cloud CDN origin cache settings based on your application requirements.
  3. (Optional) Select an edge security policy for your new Cloud CDN origin from the Cloud Armor Edge security policies. Edge security policies let you control access to your CDN resources at the network’s edge.
  4. (Optional) Choose Advanced configurations and configure any advanced settings available for your origin.
  5. Choose CREATE to provision your new Cloud CDN backend bucket origin.
  6. Select the new backend bucket origin and choose OK to associate the backend resource with your load balancer.

06 Back on the Backend configuration page, remove any backend service origins from the Backend services section, and choose UPDATE to apply the configuration changes to your load balancer.

07 Repeat steps no. 4 – 6 for each Google Cloud load balancer created for the selected GCP project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run compute backend-buckets create command (Windows/macOS/Linux) to create a new backend bucket and enable Google Cloud CDN for the new backend resource:

gcloud compute backend-buckets create cc-web-backend-bucket-origin \
  --gcs-bucket-name=trendmicro \
  --enable-cdn \
  --cache-mode=CACHE_ALL_STATIC

02 The command output should return the full URL of the newly created backend bucket:

Created [https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/backendBuckets/cc-web-backend-bucket-origin].
NAME: cc-web-backend-bucket-origin
GCS_BUCKET_NAME: trendmicro
ENABLE_CDN: True

03 Run compute url-maps set-default-service command (Windows/macOS/Linux) to associate your new backend bucket with your Google Cloud load balancer (i.e. URL map) by setting the default backend bucket of the specified URL map:

gcloud compute url-maps set-default-service cc-external-load-balancer \
  --default-backend-bucket=cc-web-backend-bucket-origin \
  --global

04 The command output should return the full URL of the modified load balancer:

Updated [https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/urlMaps/cc-external-load-balancer].

05 Repeat steps no. 1 – 4 for each Google Cloud load balancer provisioned for the selected GCP project.

06 Repeat steps no. 1 – 5 for each project created within your Google Cloud Platform (GCP) account.


Publication date May 24, 2023