Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable End-to-End HTTP/2 for Cloud Run Services

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that end-to-end HTTP/2 support is enabled for your Cloud Run services in order to benefit from the performance enhancements introduced by the HTTP/2 protocol.

Performance
efficiency

Enabling end-to-end HTTP/2 for Cloud Run services improves performance by reducing latency, enabling multiplexed streams over a single connection, and allowing for faster data transfer. It also provides better resource efficiency, as multiple requests can be handled simultaneously over the same connection, reducing connection overhead.

Audit

To determine if end-to-end HTTP/2 support is enabled for Cloud Run services, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Run console available at https://console.cloud.google.com/run/.

04 Select the SERVICES tab to view the Cloud Run services deployed for the selected GCP project.

05 Click on the name (link) of the service that you want to examine, listed in the Name column.

06 Select the REVISIONS tab, choose the active revision used by the selected service (the revision with the green check mark icon), select the NETWORKING tab, and check the HTTP/2 feature status. If the HTTP/2 status is set to Disabled, end-to-end HTTP/2 support is not enabled for the selected Cloud Run service.

07 Repeat steps no. 5 and 6 for each Cloud Run service created for the selected GCP project.

08 Repeat steps no. 2 - 7 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account: 

gcloud projects list
	--format="value(projectId)"

02 The command output should return the requested GCP project ID(s): 

cc-bigdata-project-123123
cc-iot-app-project-112233

03 Run services list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each Cloud Run service deployed within the selected project: 

gcloud run services list
	--project cc-bigdata-project-123123
	--format="(NAME,REGION)"

04 The command output should return the requested service names and the associated regions: 

NAME: cc-project5-service
REGION: us-central1

NAME: tm-stream-service
REGION: us-central1

NAME: tm-vertex-service
REGION: us-central1

05 Run services describe command (Windows/macOS/Linux) with the name of the Cloud Run service that you want to examine as the identifier parameter, to determine if end-to-end HTTP/2 support is enabled for the selected service: 

gcloud run services describe cc-project5-service
	--region=us-central1
	--format="value(spec.template.spec.containers[].ports[].name)"

06 The command output should return the name of the HTTP protocol used to handle requests: 

['http1']

If the run services describe command output returns ['http1'], as shown in the example above, end-to-end HTTP/2 support is not enabled for the selected Cloud Run service.

07 Repeat steps no. 5 and 6 for each Cloud Run service created for the selected GCP project.

08 Repeat steps no. 3 – 6 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To ensure that end-to-end HTTP/2 support is enabled for your Google Cloud Run services, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud Run console available at https://console.cloud.google.com/run/.

04 Select the SERVICES tab to access the Cloud Run services deployed for the selected GCP project.

05 Click on the name (link) of the service that you want to configure, listed in the Name column.

06 Choose EDIT & DEPLOY NEW REVISION, select the NETWORKING tab, and check the Use HTTP/2 end-to-end setting checkbox to enable end-to-end HTTP/2 support for the selected Cloud Run service. Choose DEPLOY to apply the configuration changes and deploy a new revision for the selected service. Subsequent revisions will also automatically get this configuration setting.

07 Repeat steps no. 5 and 6 for each Cloud Run service that you want to configure, available within the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run services update command (Windows/macOS/Linux) with the name of the Cloud Run service that you want to configure as the identifier parameter, to enable end-to-end HTTP/2 support for the selected service. Enabling end-to-end HTTP/2 will deploy a new revision of the service: 

gcloud run services update cc-project5-service
	--region=us-central1
	--use-http2

02 The command output should return the build information available for the redeployed service: 

OK Deploying... Done.
	OK Creating Revision...
	OK Routing traffic...
Done.

Service [cc-project5-service] revision [cc-project5-service-00003-abc] has been deployed and is serving 100 percent of traffic.
Service URL: https://cc-project5-service-123456789012.us-central1.run.app

03 Repeat steps no. 1 and 2 for each Cloud Run service that you want to configure, available in the selected project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

References

Publication date Nov 19, 2024

Related CloudRun rules