Google Compute Engine

Instances Not Multi Zonal

Ensure that Compute Engine instances are multi-zonal, i.e. part of a regional managed instance group.

Risk Level: Low

Description

This plugin checks that instances are launched as part of regional (multi-zone) managed instance groups. A managed instance group is either zonal, with all of its instances in one zone, or regional, with its instances spread across several zones of one region. The location type is chosen when the group is created, together with the instance template the group uses to create its instances.

About the Service

Google Cloud Compute Engine:

Google Cloud Compute Engine is a service that lets you create virtual machines to your own specification and run them on Google's infrastructure. You can use the predefined machine types with their default configurations or define a custom machine type that matches your exact CPU and memory requirements.

Impact

If an instance is not part of a regional instance group, it exists in a single zone. A zone-level outage (hardware fault, power or network failure, or a maintenance event) then takes down that instance, and every other instance in the zone, with no surviving copy elsewhere. This reduces the availability and resilience of the workload running on the VM instance and leaves it exposed to any single fault affecting that zone.

Steps to Reproduce

Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Compute Engine and select VM Instances. You can use this link (https://console.cloud.google.com/compute) to navigate directly if you’re already logged in.
  4. In the list of instances, check the value in the In use by column to see which instance group, if any, the instance belongs to. Only instances created by a regional managed instance group are spread across zones: if the column is empty, or it names a zonal instance group, the selected instance is not multi-zonal.
  5. Repeat step 4 for all the VM instances you want to investigate in the selected project.
  6. If you have multiple projects that you want to investigate, repeat steps 2-5 for each project in your GCP console.
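The same check can be scripted against the output of `gcloud compute instances list --format=json`. The example below is added here and is not part of the plugin; it assumes that instances created by a managed instance group carry a `created-by` metadata item whose value names the group manager under `.../zones/ZONE/...` (zonal group) or `.../regions/REGION/...` (regional group), and that an instance with no such item was created standalone. The input is a constructed sample shaped like the gcloud output; project number and instance names are made up.

```python
import json

# Constructed sample in the shape of `gcloud compute instances list --format=json`.
# Assumption: MIG-created instances carry a `created-by` metadata item naming the
# zonal or regional instance group manager that created them.
SAMPLE_INSTANCES_JSON = json.dumps([
    {
        "name": "web-regional-abcd",
        "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-a",
        "metadata": {"items": [
            {"key": "created-by",
             "value": "projects/123456789/regions/us-central1/instanceGroupManagers/web-regional"},
        ]},
    },
    {
        "name": "web-zonal-efgh",
        "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-b",
        "metadata": {"items": [
            {"key": "created-by",
             "value": "projects/123456789/zones/us-central1-b/instanceGroupManagers/web-zonal"},
        ]},
    },
    {
        "name": "standalone-db",
        "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-east1-c",
        "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]},
    },
    {
        # No metadata block at all: treated as a standalone instance.
        "name": "no-metadata",
        "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-east1-c",
    },
])


def created_by(instance):
    """Return the `created-by` metadata value, or '' when the instance has none."""
    for item in instance.get("metadata", {}).get("items", []):
        if item.get("key") == "created-by":
            return item.get("value", "")
    return ""


def classify(instance):
    """Classify an instance by the kind of instance group manager that created it."""
    ref = created_by(instance)
    if not ref:
        return "standalone"
    if "/regions/" in ref:
        return "regional-mig"
    if "/zones/" in ref:
        return "zonal-mig"
    return "unknown"


def single_zone_instances(instances_json):
    """Return (name, zone, kind) for every instance that is not in a regional MIG.

    Both standalone instances and members of zonal MIGs are findings: neither
    survives the loss of the zone they run in.
    """
    findings = []
    for inst in json.loads(instances_json):
        kind = classify(inst)
        if kind != "regional-mig":
            zone = inst["zone"].rsplit("/", 1)[-1]
            findings.append((inst["name"], zone, kind))
    return findings


if __name__ == "__main__":
    for name, zone, kind in single_zone_instances(SAMPLE_INSTANCES_JSON):
        print(f"FAIL {name} ({zone}): {kind}")
```

To run it against a real project, replace `SAMPLE_INSTANCES_JSON` with the text returned by `gcloud compute instances list --format=json --project=PROJECT_ID`; an empty result from `single_zone_instances` means every instance in the project belongs to a regional managed instance group.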

Steps for Remediation

Determine whether the instance genuinely needs to stay in a single zone. If it does not, move the workload into a regional instance group using the steps below.

Note: An existing instance cannot be added to a managed instance group; a managed instance group creates its own instances from an instance template. Since only managed instance groups can span multiple zones, making an existing instance multi-zonal means creating a new regional managed instance group from a template that matches the instance, and then retiring the original instance.

Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Compute Engine and select Instance groups. You can use this link (https://console.cloud.google.com/compute/instanceGroups) to navigate directly if you’re already logged in.
  4. From the top navigation bar, click on the Create instance group button.
  5. Under the Location section, select Multiple zones to make your instance multi-zonal.
  6. Configure the remaining settings according to the instance you are trying to recreate. Then click Create to create the regional instance group.
  7. You can then delete the previous instance to avoid unwanted billing charges by using the delete button on the top navigation bar, if required.
  8. Repeat step 4 to 7 for all the VM instances you want to recreate in the selected project.
  9. If you have multiple projects that you want to investigate, repeat steps 2 to 8 for each project in your GCP console.
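When the remediation is done from the command line rather than the console, the zonal groups that need recreating can be picked out of `gcloud compute instance-groups managed list --format=json`, and the corresponding `gcloud compute instance-groups managed create ... --region=REGION` command derived from each one. The example below is added here and is not part of the plugin; it assumes that a zonal group carries a `zone` field and a regional group a `region` field in that output, that `instanceTemplate` and `targetSize` name the template and size to carry over, and that a zone name is its region name followed by a single `-letter` suffix. The input is a constructed sample with made-up project and group names.

```python
import json

# Constructed sample in the shape of `gcloud compute instance-groups managed list --format=json`.
# Assumption: zonal groups expose `zone`, regional groups expose `region`, and
# `instanceTemplate` / `targetSize` carry the template and current size.
SAMPLE_MIGS_JSON = json.dumps([
    {
        "name": "web-zonal",
        "zone": "https://www.googleapis.com/compute/v1/projects/demo/zones/us-central1-b",
        "instanceTemplate": "https://www.googleapis.com/compute/v1/projects/demo/global/instanceTemplates/web-tpl-v3",
        "targetSize": 3,
    },
    {
        "name": "web-regional",
        "region": "https://www.googleapis.com/compute/v1/projects/demo/regions/us-central1",
        "instanceTemplate": "https://www.googleapis.com/compute/v1/projects/demo/global/instanceTemplates/web-tpl-v3",
        "targetSize": 6,
    },
])


def last_segment(url):
    """Strip a resource URL down to its final path component (the resource name)."""
    return url.rsplit("/", 1)[-1]


def zone_to_region(zone):
    """Compute Engine zone names are <region>-<letter>, e.g. us-central1-b -> us-central1."""
    return zone.rsplit("-", 1)[0]


def zonal_groups(migs_json):
    """Return the managed instance groups that are confined to a single zone."""
    return [g for g in json.loads(migs_json) if "zone" in g and "region" not in g]


def regional_recreate_command(group, new_name=None):
    """Build the gcloud command that recreates a zonal MIG as a regional MIG.

    The new group keeps the original template and target size and is placed in
    the region that contains the original zone. The name suffix is a convention
    chosen for this example, not something gcloud requires.
    """
    zone = last_segment(group["zone"])
    region = zone_to_region(zone)
    name = new_name or f"{group['name']}-regional"
    return (
        f"gcloud compute instance-groups managed create {name} "
        f"--region={region} "
        f"--template={last_segment(group['instanceTemplate'])} "
        f"--size={group['targetSize']}"
    )


if __name__ == "__main__":
    for group in zonal_groups(SAMPLE_MIGS_JSON):
        print(f"# {group['name']} is zonal ({last_segment(group['zone'])}); recreate with:")
        print(regional_recreate_command(group))
```

Review each generated command before running it: the template must still be current, and once the regional group is healthy the old zonal group (and any standalone instance it replaces) is deleted separately, as in step 7 above.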