Use Google-Managed SSL Certificates for Application Load Balancers

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)

Ensure that your external Application Load Balancers (ALBs) are configured to use Google-managed SSL certificates instead of self-signed certificates, in order to avoid triggering browser warnings and adding distrust for users visiting your site.

Security

Google-managed SSL certificates offer several advantages over self-signed ones for external Application Load Balancers. They provide automatic renewal, eliminate the need for manual management, and are trusted by most modern browsers, ensuring better compatibility and security. Additionally, they offer built-in support for advanced features like HTTP/2 and QUIC, enhancing performance and user experience. Google-managed SSL certificates offer a more secure, automated, and user-friendly approach.


Audit

To determine if your external Application Load Balancers are using Google-managed SSL certificates, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to the Network services console, available at https://console.cloud.google.com/net-services/.

04 In the navigation panel, choose Load balancing, and select the LOAD BALANCERS tab to list all the load balancers created for the selected GCP project.

05 Click inside the Filter box, select Load balancer type and Application, choose Access type and External, and select Protocols and HTTPS, to list only the HTTPS-ready external Application Load Balancers (ALBs) available in your project.

06 Click on the name of the Application Load Balancer that you want to examine and select the DETAILS tab to access the configuration information available for the selected ALB.

07 In the Frontend section, click on the name (link) of the SSL certificate configured for the target HTTPS proxy, listed in the Certificate column.

08 On the Certificate details page, check the type of the SSL certificate used by your load balancer, listed under the certificate name. If the certificate type is self-signed (i.e. the Google Cloud console displays Self-signed certificate for …), the selected Application Load Balancer (ALB) is not configured to use a Google-managed SSL certificate.

09 Repeat steps no. 6 - 8 for each external Application Load Balancer available in the selected GCP project.

10 Repeat steps no. 2 – 9 for each project deployed within your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each GCP project available within your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifier(s):

PROJECT_ID
cc-web-app-project-112233
cc-bigdata-project-123123

03 Run compute url-maps list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom filtering to list the name of each load balancer provisioned for the selected project:

gcloud compute url-maps list \
  --project cc-web-app-project-112233 \
  --format="table(name)"

04 The command output should return the requested identification information:

NAME: tm-project5-load-balancer

05 Run compute target-https-proxies list command (Windows/macOS/Linux) to list all the Google Compute Engine target HTTPS proxies available within the selected GCP project in order to identify the target HTTPS proxy used by your load balancer and the SSL certificate configured for the associated HTTPS proxy:

gcloud compute target-https-proxies list \
  --project cc-web-app-project-112233 \
  --global \
  --format="table(name,urlMap,sslCertificates)"

06 The command output should return the requested configuration information:

NAME: tm-project5-load-balancer-target-proxy
URL_MAP: tm-project5-load-balancer
SSL_CERTIFICATES: tm-alb-ssl-certificate

07 Run certificate-manager certificates describe command (Windows/macOS/Linux) to display all the information associated with the specified SSL certificate:

gcloud certificate-manager certificates describe tm-alb-ssl-certificate \
  --project cc-web-app-project-112233

08 The command output should return the requested configuration information:

ERROR: (gcloud.certificate-manager.certificates.describe) NOT_FOUND: Resource 'projects/cc-web-app-project-112233/locations/global/certificates/tm-alb-ssl-certificate' was not found 
- '@type': type.googleapis.com/google.rpc.ResourceInfo
resourceName: projects/cc-web-app-project-112233/locations/global/certificates/tm-alb-ssl-certificate

If the certificate-manager certificates describe command returns a 404 (not found) error message, such as the one shown in the output example above, the certificate configured for your target HTTPS proxy is self-signed; therefore, the selected Application Load Balancer (ALB) is not configured to use a Google-managed SSL certificate.

09 Repeat steps no. 5 - 8 for each external Application Load Balancer available in the selected GCP project.

10 Repeat steps no. 3 – 9 for each project deployed within your Google Cloud Platform (GCP) account.
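The CLI audit above inspects one proxy at a time. The following script is an added example, not part of the Conformity article or of Google's tooling, that performs the same classification for every global target HTTPS proxy in a project at once. It consumes the JSON that `gcloud compute target-https-proxies list --global --format=json` and `gcloud compute ssl-certificates list --global --format=json` produce, and relies on the Compute Engine `sslCertificates` fields `type` (MANAGED or SELF_MANAGED), `managed.status` and `managed.domainStatus`, and on the proxy field `certificateMap` (set when the proxy uses a Certificate Manager map instead of classic certificates). The records embedded below are constructed samples that reuse the resource names from this article; `staging.domain.com` and the two extra proxies are invented for the example. A certificate is reported as compliant only when it is Google-managed and already ACTIVE, which is also the state to confirm before attaching a newly created managed certificate to a proxy.

```python
"""Classify the SSL certificates attached to global target HTTPS proxies.

Added example (not Conformity's or Google's code). Feed it the JSON output of
`gcloud compute target-https-proxies list --global --format=json` and
`gcloud compute ssl-certificates list --global --format=json`.
"""
import json
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (certificate name, verdict, detail)

# Constructed sample of `gcloud compute target-https-proxies list --global --format=json`.
PROXIES_JSON = """[
  {"name": "tm-project5-load-balancer-target-proxy",
   "urlMap": "https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/urlMaps/tm-project5-load-balancer",
   "sslCertificates": ["https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/sslCertificates/tm-alb-ssl-certificate"]},
  {"name": "shop-target-proxy",
   "urlMap": "https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/urlMaps/shop-lb",
   "sslCertificates": ["https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/sslCertificates/tm-alb-managed-ssl-certificate"]},
  {"name": "staging-target-proxy",
   "urlMap": "https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/urlMaps/staging-lb",
   "sslCertificates": ["https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/sslCertificates/staging-managed-cert"]}
]"""

# Constructed sample of `gcloud compute ssl-certificates list --global --format=json`.
CERTS_JSON = """[
  {"name": "tm-alb-ssl-certificate", "type": "SELF_MANAGED"},
  {"name": "tm-alb-managed-ssl-certificate", "type": "MANAGED",
   "managed": {"status": "ACTIVE", "domains": ["domain.com"],
               "domainStatus": {"domain.com": "ACTIVE"}}},
  {"name": "staging-managed-cert", "type": "MANAGED",
   "managed": {"status": "PROVISIONING", "domains": ["staging.domain.com"],
               "domainStatus": {"staging.domain.com": "FAILED_NOT_VISIBLE"}}}
]"""


def resource_name(self_link: str) -> str:
    """Return the short resource name from a selfLink-style URL."""
    return self_link.rstrip("/").rsplit("/", 1)[-1]


def classify_certificate(cert: dict) -> Tuple[str, str]:
    """Map one sslCertificates record to a verdict and a short explanation."""
    if cert.get("type") != "MANAGED":
        # Uploaded (self-managed) certificates cover self-signed ones; Google never renews them.
        return "NOT_GOOGLE_MANAGED", "type=%s" % cert.get("type", "unknown")
    managed = cert.get("managed", {})
    status = managed.get("status", "UNKNOWN")
    if status == "ACTIVE":
        return "MANAGED_ACTIVE", "serving " + ", ".join(managed.get("domains", []))
    # Not yet usable: surface the per-domain reason (e.g. FAILED_NOT_VISIBLE while DNS is wrong).
    problems = ["%s=%s" % (d, s) for d, s in managed.get("domainStatus", {}).items() if s != "ACTIVE"]
    return "MANAGED_NOT_READY", "status=%s; %s" % (status, "; ".join(problems) or "no domain detail")


def audit(proxies_json: str, certs_json: str) -> Dict[str, List[Finding]]:
    """Return, per proxy, one finding for each certificate (or certificate map) it serves."""
    certs = {c["name"]: c for c in json.loads(certs_json)}
    report: Dict[str, List[Finding]] = {}
    for proxy in json.loads(proxies_json):
        findings: List[Finding] = []
        if proxy.get("certificateMap"):
            # Certificate Manager maps are not visible in ssl-certificates; review them separately.
            findings.append((resource_name(proxy["certificateMap"]), "CERTIFICATE_MAP",
                             "review the map in Certificate Manager"))
        for link in proxy.get("sslCertificates", []):
            name = resource_name(link)
            cert = certs.get(name)
            if cert is None:
                findings.append((name, "UNKNOWN", "not in the global ssl-certificates list"))
            else:
                findings.append((name,) + classify_certificate(cert))
        report[proxy["name"]] = findings
    return report


def compliant_proxies(report: Dict[str, List[Finding]]) -> List[str]:
    """Proxies whose every certificate is an ACTIVE Google-managed one."""
    return sorted(p for p, f in report.items()
                  if f and all(verdict == "MANAGED_ACTIVE" for _, verdict, _ in f))


if __name__ == "__main__":
    result = audit(PROXIES_JSON, CERTS_JSON)
    for proxy, findings in result.items():
        for cert, verdict, detail in findings:
            print("%-40s %-32s %-20s %s" % (proxy, cert, verdict, detail))
    print("compliant:", compliant_proxies(result))
```

Any proxy whose findings are not all `MANAGED_ACTIVE` is a candidate for the remediation below; a `MANAGED_NOT_READY` result on a freshly created certificate usually means the domain's DNS does not yet point at the load balancer's frontend IP, and the proxy should not be switched to that certificate until the status becomes ACTIVE.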

Remediation / Resolution

To configure Google-managed SSL certificates for your external Application Load Balancers (ALBs), perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to the Network services console, available at https://console.cloud.google.com/net-services/.

04 In the navigation panel, choose Load balancing, and select the LOAD BALANCERS tab to list all the load balancers created for the selected GCP project.

05 Click inside the Filter box, select Load balancer type and Application, choose Access type and External, and select Protocols and HTTPS, to list only the HTTPS-ready external Application Load Balancers (ALBs) available in your project.

06 Choose the Application Load Balancer that you want to configure, click on the 3-dot button to open the options menu, and select Edit.

07 Choose Frontend configuration, select the frontend configuration defined for your load balancer, click inside the Certificate box, and choose CREATE NEW CERTIFICATE to deploy a new Google-managed SSL certificate.

08 On the Create a Certificate setup panel, enter a unique name and a short description for the new certificate, select Create Google-managed certificate under Create mode, provide your domain name, and choose CREATE to create your new Google-managed SSL certificate.

09 Select the new SSL certificate, choose OK, and select DONE to save the frontend configuration changes.

10 Choose UPDATE to apply the changes and assign the new Google-managed SSL certificate to the selected Application Load Balancer (ALB).

11 Repeat steps no. 6 - 10 for each external Application Load Balancer that you want to configure, available in the selected GCP project.

12 Repeat steps no. 2 – 11 for each project deployed within your Google Cloud Platform (GCP) account.

Using GCP CLI

01 To create a new Google-managed SSL certificate for your external Application Load Balancer (ALB), run compute ssl-certificates create command (Windows/macOS/Linux) with the --global parameter:

gcloud compute ssl-certificates create tm-alb-managed-ssl-certificate \
  --global \
  --description="Google-managed SSL certificate for your external Application Load Balancer" \
  --domains="domain.com"

02 The command output should return the URL of the new managed SSL certificate:

Created [https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/sslCertificates/tm-alb-managed-ssl-certificate].

03 Once the SSL certificate is active, run compute target-https-proxies update command (Windows/macOS/Linux) to associate the new Google-managed SSL certificate with the target HTTPS proxy configured for your Application Load Balancer (ALB):

gcloud compute target-https-proxies update tm-project5-load-balancer-target-proxy \
  --ssl-certificates tm-alb-managed-ssl-certificate \
  --global-ssl-certificates \
  --global

04 The command output should return the URL of the updated HTTPS proxy:

Created [https://www.googleapis.com/compute/v1/projects/cc-web-app-project-112233/global/targetHttpsProxies/tm-project5-load-balancer-target-proxy].

05 Repeat steps no. 1 - 4 for each external Application Load Balancer that you want to configure, available in the selected GCP project.

06 Repeat steps no. 1 – 5 for each project deployed within your Google Cloud Platform (GCP) account.

Publication date Mar 26, 2024