
Enable HTTPS for Google Cloud Load Balancers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: CloudLoadBalancing-002

Ensure that your Google Cloud Platform (GCP) load balancers are configured to use valid SSL/TLS certificates in order to handle encrypted web traffic. SSL certificate resources contain SSL certificate information that the load balancer uses to terminate SSL/TLS when HTTPS clients connect to it.

This rule resolution is part of the Conformity solution.

Security

When your Google Cloud load balancers are not configured to receive HTTPS requests, the connection between clients and load balancers is vulnerable to eavesdropping and Man-In-The-Middle (MITM) attacks. The risk becomes even higher when the application running behind the load balancer is working with sensitive data such as health and personal records, credentials and credit card numbers. Enforcing HTTPS for your GCP load balancers will ensure that the web traffic between client and load balancers is encrypted over SSL/TLS, and the transmitted data is secured.


Audit

To determine if your load balancers are configured to encrypt web traffic, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Load Balancing dashboard at https://console.cloud.google.com/net-services/loadbalancing.

04 On the Load balancing page, select Load balancers to access the list with the Google Cloud load balancers created for the selected project.

05 Choose the load balancer that you want to examine, and check the protocol type configured for the resource, available in the Protocol column. If the protocol type is set to HTTP, the selected Google Cloud load balancer is not using SSL to encrypt web traffic via HTTPS, therefore the communication between the load balancer and its clients is not secure.

06 Repeat step no. 5 for each GCP load balancer available within the selected project.

07 Repeat steps no. 2 – 6 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
    --format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-project5-stack-123123
cc-bigdata-project-112233

03 Run compute url-maps list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name of each load balancer (identified by a URL map) created for the selected project:

gcloud compute url-maps list \
    --project cc-project5-stack-123123 \
    --format="table(name)"

04 The command output should return the name(s) of the existing load balancer(s):

NAME
cc-project5-web-load-balancer
cc-project5-app-load-balancer

05 Run compute target-https-proxies list command (Windows/macOS/Linux) using custom query filters to list the name and the associated URL map for each target HTTPS proxy deployed for the selected GCP project. A target HTTPS proxy is a network component which the load balancer uses to associate its URL map and SSL certificates with the global forwarding rules:

gcloud compute target-https-proxies list \
    --project cc-project5-stack-123123 \
    --format="table(name,urlMap)"

06 The command output should return the requested configuration information. A target HTTPS proxy can be associated only with HTTPS load balancers:

NAME                                    URL_MAP
cc-project5-app-load-balancer-target-proxy   cc-project5-app-load-balancer

Compare the list of load balancer names returned at step no. 4 with the list of URL maps displayed in the URL_MAP column to identify the load balancers associated with target HTTPS proxies. Any Google Cloud load balancer that is not associated with a target HTTPS proxy (i.e. its name is not listed in the URL_MAP column) is not using SSL to encrypt web traffic via HTTPS, therefore the communication between that load balancer and its clients is not secure.

07 Repeat steps no. 3 – 6 for each GCP project deployed in your Google Cloud account.
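The CLI audit above (steps 3 to 7) boils down to one set comparison per project: every URL map that no target HTTPS proxy references is an HTTP-only load balancer. The following POSIX shell script is an added example, not Conformity's own tooling, that automates it. The comparison itself runs offline on constructed sample data mirroring the outputs shown above; the `audit_project` and `audit_all_projects` wrappers call gcloud and assume the `value()` output format and the `urlMap.basename()` format transform, which return bare values with no header row.

```shell
#!/bin/sh
# Added example (not Conformity's own tooling): automate the CLI audit above.
# find_http_only_lbs takes two newline-separated lists and prints every
# URL map (load balancer) that has no target HTTPS proxy pointing at it.
#   $1 - names of all URL maps in the project (step 4 output)
#   $2 - URL map names referenced by the project's target HTTPS proxies (step 6 output)
find_http_only_lbs() {
  all_url_maps=$1
  https_url_maps=$2
  printf '%s\n' "$all_url_maps" | while IFS= read -r url_map; do
    [ -n "$url_map" ] || continue
    # -F: literal match, -x: whole line, so "web-lb" does not match "web-lb-2"
    if ! printf '%s\n' "$https_url_maps" | grep -qxF -- "$url_map"; then
      printf '%s\n' "$url_map"
    fi
  done
}

# audit_project wires the comparison to gcloud for one project (steps 3 - 6).
# Assumed gcloud format features: value() prints bare values with no header;
# urlMap.basename() strips the self-link URL down to the URL map name.
audit_project() {
  project=$1
  all=$(gcloud compute url-maps list --project "$project" --format='value(name)')
  https=$(gcloud compute target-https-proxies list --project "$project" \
            --format='value(urlMap.basename())')
  find_http_only_lbs "$all" "$https" | sed "s/^/$project: HTTP-only load balancer: /"
}

# audit_all_projects repeats the per-project check for every project (step 7).
audit_all_projects() {
  for project in $(gcloud projects list --format='value(projectId)'); do
    audit_project "$project"
  done
}

# Constructed sample data mirroring the outputs shown in the Audit section:
# two URL maps exist, only the app load balancer has a target HTTPS proxy.
SAMPLE_URL_MAPS='cc-project5-web-load-balancer
cc-project5-app-load-balancer'
SAMPLE_HTTPS_URL_MAPS='cc-project5-app-load-balancer'

# Offline demonstration; against a real account call audit_all_projects instead.
find_http_only_lbs "$SAMPLE_URL_MAPS" "$SAMPLE_HTTPS_URL_MAPS"
```

Run as-is, the script prints `cc-project5-web-load-balancer`, the same finding the manual comparison at step 6 produces. A load balancer that has both an HTTP and an HTTPS frontend passes this check, because its URL map is referenced by a target HTTPS proxy; the check only flags URL maps with no HTTPS frontend at all, which is exactly the condition this rule describes.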

Remediation / Resolution

To enable HTTPS for your Google Cloud load balancers in order to encrypt the web traffic between clients and your load balancers, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Load Balancing dashboard at https://console.cloud.google.com/net-services/loadbalancing.

04 On the Load balancing page, select Load balancers to access the list with the Google Cloud load balancers created for the selected project.

05 Choose the HTTP load balancer that you want to reconfigure (see Audit section part I to identify the right resource), click on the 3-dot button to access the options menu, then select Edit.

06 On the Edit HTTP(S) load balancer page, select Frontend configuration tab, and choose Add Frontend IP and port to create a new, secure frontend configuration for the selected load balancer.

07 On the frontend configuration panel, perform the following:

  1. In the Name box, provide a name for your new frontend configuration.
  2. Click Add a description to add a short description.
  3. Select HTTPS (includes HTTP/2) from the Protocol dropdown list.
  4. For Network Service Tier choose the appropriate network service tier for the resource.
  5. Select IPv4 from the IP version dropdown list and choose the static IP address configured for the selected load balancer from the IP address dropdown list.
  6. Choose 443 from the Port dropdown list to allow HTTPS traffic.
  7. Click on the Certificate dropdown list and select your primary SSL certificate if you already have a self-managed SSL certificate resource. An SSL certificate resource contains SSL certificate information that the load balancer uses to terminate SSL/TLS when clients connect to it via HTTPS. If you need to create a new SSL certificate resource, select Create a new certificate and upload your self-managed SSL certificate (i.e. public key certificate, certificate chain, and private key). (Optional) Click on Additional certificates link to add more certificate resources in addition to the primary SSL certificate resource.
  8. Select a secure SSL/TLS policy from the SSL policy dropdown list.
  9. For QUIC negotiation select one of the following options:
    • Automatic (Default) to allow Google Cloud to control when QUIC is negotiated. QUIC is a UDP-based encrypted transport protocol optimized for HTTPS. Currently, when Automatic is selected QUIC is disabled. By selecting this option, you are allowing GCP to automatically enable QUIC negotiations and HTTP/3 in the future for the selected load balancer.
    • Enabled to allow the load balancer to negotiate QUIC with clients.
    • Disabled to prevent the load balancer from negotiating QUIC with clients.
  10. Click Done to create the new frontend configuration.

08 On the Edit HTTP(S) load balancer page, click Update to associate the newly created HTTPS frontend configuration with the selected Google Cloud load balancer.

09 Repeat steps no. 5 – 8 to enable HTTPS for other insecure load balancers deployed for the selected project.

10 Repeat steps no. 2 – 9 for each GCP project available within your Google Cloud account.

Using GCP CLI

01 To create a global SSL certificate resource for your external Google Cloud load balancers, run compute ssl-certificates create command (Windows/macOS/Linux) with the --global parameter. Replace <ssl-certificate-file> and <private-key-file> with your own self-managed certificate files:

gcloud compute ssl-certificates create cc-project5-ssl-certificate \
    --global \
    --certificate=<ssl-certificate-file> \
    --private-key=<private-key-file>

02 The command output should return the URL of the new SSL certificate resource:

Created [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/sslCertificates/cc-project5-ssl-certificate].

03 Run compute target-https-proxies create command (Windows/macOS/Linux) using the name of the GCP load balancer that you want to reconfigure as identifier parameter and the name of the newly created SSL certificate resource as command parameter, to create a target HTTPS proxy that routes requests to the selected load balancer (identified by the URL map). The HTTPS proxy is the component of the load balancer that holds your SSL certificate for secure load balancing:

gcloud compute target-https-proxies create cc-project5-web-load-balancer-target-proxy \
    --url-map cc-project5-web-load-balancer \
    --ssl-certificates cc-project5-ssl-certificate

04 The command output should return the URL of the newly created HTTPS proxy:

Created [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/targetHttpsProxies/cc-project5-web-load-balancer-target-proxy].

05 Run compute forwarding-rules create command (Windows/macOS/Linux) to create a global forwarding rule that routes incoming requests to the target HTTPS proxy created at the previous steps in order to enable HTTPS for the associated Google Cloud load balancer. Replace <ipv4-address> with the static IPv4 address configured for the selected load balancer:

gcloud compute forwarding-rules create cc-project5-https-frontend-config \
    --global \
    --address=<ipv4-address> \
    --target-https-proxy=cc-project5-web-load-balancer-target-proxy \
    --ports=443

06 The command output should return the URL of the new load balancer forwarding rule:

Created [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/forwardingRules/cc-project5-https-frontend-config].

07 Repeat steps no. 1 – 6 to enable HTTPS for other insecure load balancers available within the selected project.

08 Repeat steps no. 1 – 7 for each GCP project deployed in your Google Cloud account.


Publication date May 10, 2021