Configure Maintenance Behavior for VM Instances

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

When Google Cloud Compute Engine performs periodic infrastructure maintenance, it can move your virtual machine instances to other hardware without downtime. The maintenance behavior of a VM instance determines whether the instance is live migrated or terminated during a maintenance event. To ensure that your Google Cloud VM instances are moved to healthy hardware instead of being shut down, set the "On Host Maintenance" configuration setting to "Migrate".

Reliability

The maintenance events performed by the Compute Engine service include hardware and software updates. Some of these maintenance events require Google Cloud to move your virtual machine (VM) instances away from the host that is undergoing maintenance. A VM instance's availability policy determines how the instance behaves when a maintenance event requires moving it to another host. Compute Engine live migrates the instance if its availability policy is set to live migration rather than instance termination; the instance keeps running through the event, with at most a brief pause, instead of being shut down and restarted, so production applications do not see the outage that a terminate-and-restart would cause. Note that not every instance can be live migrated: preemptible and Spot VMs must use termination, and VMs with attached GPUs have historically been limited in the same way. For those instances Compute Engine rejects the Migrate setting, so their availability has to be planned at the application layer rather than through this setting.


Audit

To determine the maintenance behavior configured for your virtual machine instances, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances provisioned for the selected project.

05 Click on the name of the instance that you want to examine.

06 Select the Details tab to access the VM instance configuration details.

07 On the Details panel, in the Availability policies section, check the On host maintenance configuration setting status. If On host maintenance is set to Terminate VM instance, the selected Google Cloud virtual machine instance is terminated (not migrated) during a maintenance event, therefore the maintenance behavior configured for the verified instance is not compliant.

08 Repeat steps no. 5 – 7 for each virtual machine (VM) instance created for the selected project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with a custom output format to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-stack-project-123123
cc-app-stack-project-112233

03 Run compute instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and a custom output format to list the name and zone of each VM instance provisioned for the selected project:

gcloud compute instances list \
	--project cc-web-stack-project-123123 \
	--format="table(name,zone)"

04 The command output should return the name(s) of the instance(s) within the selected GCP project:

NAME                      ZONE
cc-backend-vm-instance    us-central1-a
cc-frontend-vm-instance   us-central1-a

05 Run compute instances describe command (Windows/macOS/Linux) using the name and the zone of the instance that you want to examine as identifier parameters and a custom output format to return only the maintenance behavior configuration (i.e. the "On Host Maintenance" setting value) of the selected virtual machine (VM) instance:

gcloud compute instances describe cc-backend-vm-instance \
	--zone us-central1-a \
	--format="value(scheduling.onHostMaintenance)"

06 The command output should return the "On Host Maintenance" configuration setting value:

TERMINATE

If the compute instances describe command output returns TERMINATE, the selected Google Cloud virtual machine instance is terminated (not migrated) during a maintenance event, therefore the maintenance behavior configured for the verified instance is not compliant. If the command returns MIGRATE, the instance is compliant. Preemptible and Spot VMs always return TERMINATE because Compute Engine cannot live migrate them; treat those instances as out of scope for this check rather than as findings.

07 Repeat steps no. 5 and 6 for each virtual machine instance launched within the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To change the maintenance behavior for your Google Cloud virtual machine (VM) instances in order to live migrate your instances during maintenance events instead of terminate them, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with all the Compute Engine instances provisioned for the selected project.

05 Click on the name of the virtual machine (VM) instance that you want to reconfigure (see Audit section part I to identify the right resource).

06 On the selected resource configuration page, click EDIT to access the instance edit mode.

07 In the Availability policies section, select Migrate VM instance (recommended) from the On host maintenance dropdown list, to migrate (instead of terminate) the selected Google Cloud VM instance during maintenance events.

08 Click Save to apply the configuration changes.

09 Repeat steps no. 5 – 8 to modify the maintenance behavior for other virtual machine (VM) instances available in the selected project.

10 Repeat steps no. 2 – 9 for each GCP project created within your Google Cloud account.

Using GCP CLI

01 Run compute instances set-scheduling command (Windows/macOS/Linux) using the name and the zone of the instance that you want to reconfigure as identifier parameters (see Audit section part II to identify the right resource), to change the maintenance behavior for the selected Google Cloud virtual machine instance from TERMINATE to MIGRATE. The change is applied in place and does not require the instance to be stopped. Once the maintenance policy is set to MIGRATE, the VM instance is migrated to a new host during maintenance. Compute Engine rejects MIGRATE for preemptible and Spot VMs, which cannot be live migrated:

gcloud compute instances set-scheduling cc-backend-vm-instance \
	--zone us-central1-a \
	--maintenance-policy=MIGRATE

02 The command output should return the URL of the reconfigured virtual machine instance:

Updated [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-backend-vm-instance].

03 Repeat steps no. 1 and 2 to change the maintenance behavior for other virtual machine (VM) instances created for the selected project.

04 Repeat steps no. 1 – 3 for each GCP project deployed within your Google Cloud account.
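The following script is an added example; it is not part of this Conformity page nor Google's own tooling. It rolls the two CLI procedures above into one pass over every project: the per-instance describe loop from the Audit section is replaced by a single compute instances list call per project that returns the On Host Maintenance value for all instances at once, preemptible and Spot VMs are reported as EXEMPT because Compute Engine cannot live migrate them, and each NON_COMPLIANT instance is fixed with set-scheduling exactly as in step 1 of this section and then read back to confirm the new value. The project ID, instance names and the SAMPLE_CSV records are constructed for the offline demo; with the --run argument the script uses real gcloud calls and assumes an authenticated gcloud with permission to list projects and to list and modify instances in each. DRY_RUN=1 (the default) only prints the commands it would run; set DRY_RUN=0 to apply them.

```shell
#!/usr/bin/env bash
# Added example (not from the Conformity page): audit every VM instance for
# On Host Maintenance = MIGRATE and optionally remediate the ones set to TERMINATE.
# Assumes an authenticated gcloud when invoked with --run; runs offline otherwise.
set -eu

# Classify one instance from its scheduling fields.
#   policy       scheduling.onHostMaintenance (MIGRATE or TERMINATE)
#   preemptible  scheduling.preemptible as gcloud renders it in csv output (True/False)
#   model        scheduling.provisioningModel (STANDARD, SPOT, or empty on older records)
# Preemptible and Spot VMs cannot be live migrated, so they are EXEMPT, not findings.
classify_instance() {
  local policy=$1 preemptible=$2 model=$3
  if [ "$preemptible" = "True" ] || [ "$model" = "SPOT" ]; then
    echo EXEMPT
  elif [ "$policy" = "MIGRATE" ]; then
    echo COMPLIANT
  else
    echo NON_COMPLIANT
  fi
}

# Read csv records "name,zone,onHostMaintenance,preemptible,provisioningModel" from
# stdin and emit one finding per instance: "<status> <project> <zone> <name> <policy>".
audit_lines() {
  local project=$1 name zone policy preemptible model status
  while IFS=, read -r name zone policy preemptible model; do
    [ -n "$name" ] || continue
    status=$(classify_instance "$policy" "$preemptible" "$model")
    printf '%s %s %s %s %s\n' "$status" "$project" "$zone" "$name" "${policy:-UNSET}"
  done
}

# One list call per project instead of one describe per instance (real gcloud call).
list_instances() {
  gcloud compute instances list --project "$1" \
    --format="csv[no-heading](name,zone.basename(),scheduling.onHostMaintenance,scheduling.preemptible,scheduling.provisioningModel)"
}

# Remediate one finding line. DRY_RUN=1 (default) prints the command instead of running it.
# After a real change the value is read back, so a silent no-op is caught rather than trusted.
remediate_line() {
  local status project zone name
  set -- $1
  status=$1 project=$2 zone=$3 name=$4
  [ "$status" = "NON_COMPLIANT" ] || return 0
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "would run: gcloud compute instances set-scheduling $name --project $project --zone $zone --maintenance-policy=MIGRATE"
    return 0
  fi
  gcloud compute instances set-scheduling "$name" --project "$project" --zone "$zone" \
    --maintenance-policy=MIGRATE </dev/null
  [ "$(gcloud compute instances describe "$name" --project "$project" --zone "$zone" \
        --format='value(scheduling.onHostMaintenance)')" = MIGRATE ] \
    || { echo "verification failed for $project/$zone/$name" >&2; return 1; }
}

# Walk every project the caller can see; each finding is printed, then remediated.
main() {
  local project line
  for project in $(gcloud projects list --format="value(projectId)"); do
    list_instances "$project" | audit_lines "$project" | while read -r line; do
      echo "$line"
      remediate_line "$line"
    done
  done
}

# Constructed sample of what list_instances returns, so the logic can run offline.
SAMPLE_CSV='cc-backend-vm-instance,us-central1-a,TERMINATE,False,STANDARD
cc-frontend-vm-instance,us-central1-a,MIGRATE,False,STANDARD
cc-batch-spot-instance,us-central1-a,TERMINATE,True,SPOT'

demo() {
  local line
  DRY_RUN=1
  printf '%s\n' "$SAMPLE_CSV" | audit_lines cc-web-stack-project-123123 | while read -r line; do
    echo "$line"
    remediate_line "$line"
  done
}

if [ "${1:-}" = "--run" ]; then main; else demo; fi
```

The read-back after set-scheduling is the part a one-shot gcloud command does not give you: the "Updated [...]" line only says the API call succeeded, while the describe confirms the instance now carries MIGRATE. Keeping EXEMPT instances in the report, rather than dropping them, leaves an explicit record of why a TERMINATE instance was not changed.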

Publication date May 4, 2021
