Enable Automatic Restart for VM Instances

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

To improve reliability, ensure that the Google Cloud Compute Engine service automatically restarts your virtual machine instances when they are terminated for non-user-initiated reasons such as maintenance events, hardware failures, and software failures.

Reliability

The Automatic Restart feature configures the virtual machine restart behavior when an instance crashes or is terminated by the system. When the feature is enabled, Google Cloud Compute Engine restarts the instance if it crashes or is terminated. This behavior does not affect terminations initiated by the user, for example, when the instance is taken offline through a user action such as calling sudo shutdown.


Audit

To determine if automatic restart is enabled for your virtual machine instances, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with the virtual machine (VM) instances provisioned for the selected project.

05 Click on the name of the VM instance that you want to examine.

06 Select the Details tab to access the instance configuration details.

07 On the Details panel, in the Availability policies section, check the Automatic restart configuration setting status. If Automatic restart is set to Off, the selected Google Cloud virtual machine instance is not automatically restarted when the instance crashes or is terminated.

08 Repeat steps no. 5 – 7 for each virtual machine (VM) instance created within the selected project.

09 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-stack-project-123123
cc-app-stack-project-112233

03 Run compute instances list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as identifier parameter and custom query filters to describe the name and zone for each VM instance provisioned for the selected project:

gcloud compute instances list \
	--project cc-web-stack-project-123123 \
	--format="table(name,zone)"

04 The command output should return the name(s) of the instance(s) within the selected GCP project:

NAME                      ZONE
cc-frontend-vm-instance   us-central1-a
cc-backend-vm-instance    us-central1-a
cc-custom-db-instance     us-central1-a

05 Run compute instances describe command (Windows/macOS/Linux) using the name and the zone of the instance that you want to examine as identifier parameter and custom filtering to describe the automatic restart configuration setting status, available for the selected VM instance:

gcloud compute instances describe cc-frontend-vm-instance \
	--zone us-central1-a \
	--format="value(scheduling.automaticRestart)"

06 The command output should return the requested setting status (True for enabled, False for disabled):

False

If the compute instances describe command output returns False, the automatic restart configuration setting is disabled, therefore the selected Google Cloud virtual machine instance is not automatically restarted when the instance crashes or is terminated.

07 Repeat steps no. 5 and 6 for each virtual machine instance launched within the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
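The per-instance CLI audit above can be batched. The following script is an added example, not part of the original rule page: it lists every instance in every project with its scheduling.automaticRestart value and reports the ones where the setting is not enabled. The function names, the cc-batch-worker row and the sample rows are constructed for illustration; the script assumes gcloud prints booleans as True/False (as in step 06) and it skips preemptible instances, which Compute Engine does not allow to be automatically restarted.

```shell
#!/bin/sh
# Added example: batch audit of scheduling.automaticRestart (not from the original page).

# Constructed sample rows in the column order requested from gcloud below:
# name,zone,automaticRestart,preemptible
sample_rows() {
  cat <<'EOF'
cc-frontend-vm-instance,us-central1-a,False,False
cc-backend-vm-instance,us-central1-a,True,False
cc-batch-worker,us-central1-a,False,True
EOF
}

# Read CSV rows from stdin, print "FAIL <name> <zone>" for each instance
# without automatic restart, and return 1 if at least one was found.
check_rows() {
  bad=0
  while IFS=, read -r name zone restart preempt; do
    [ -n "$name" ] || continue
    # Preemptible instances cannot enable automatic restart: not a finding.
    case "$preempt" in [Tt]rue) continue ;; esac
    case "$restart" in
      [Tt]rue) ;;
      *) echo "FAIL $name $zone"; bad=1 ;;   # False or missing value
    esac
  done
  return "$bad"
}

# Audit one project (requires an authenticated gcloud CLI).
audit_project() {
  gcloud compute instances list --project "$1" \
    --format="csv[no-heading](name,zone.basename(),scheduling.automaticRestart,scheduling.preemptible)" \
    | check_rows
}

# Audit every project visible to the current account.
audit_all() {
  status=0
  for project in $(gcloud projects list --format="value(projectId)"); do
    echo "== $project"
    audit_project "$project" || status=1
  done
  return "$status"
}

# Only call gcloud when explicitly asked: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then audit_all; fi
```

The non-zero exit status lets the script act as a gate in a scheduled job or CI pipeline.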

Remediation / Resolution

To enable automatic restart for your production Google Cloud virtual machine (VM) instances, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Google Compute Engine dashboard at https://console.cloud.google.com/compute.

04 In the navigation panel, select VM instances to access the list with all the Compute Engine instances provisioned for the selected project.

05 Click on the name of the virtual machine (VM) instance that you want to reconfigure (see Audit section part I to identify the right instance).

06 On the selected resource configuration page, click EDIT to enter the instance edit mode.

07 In the Availability policies section, select On (recommended) from the Automatic restart dropdown list to enable automatic restart for the selected Google Cloud virtual machine instance.

08 Click Save to apply the configuration changes.

09 Repeat steps no. 5 – 8 to enable automatic restart for other production virtual machine (VM) instances available in the selected project.

10 Repeat steps no. 2 – 9 for each GCP project created within your Google Cloud account.

Using GCP CLI

01 Run compute instances set-scheduling command (Windows/macOS/Linux) using the name of the instance that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource), to enable automatic restart for the selected Google Cloud VM instance. Once this setting is enabled, the selected instance will be restarted if it crashes or is terminated by the Compute Engine service:

gcloud compute instances set-scheduling cc-frontend-vm-instance \
	--zone us-central1-a \
	--restart-on-failure

02 The command output should return the URL of the reconfigured virtual machine instance:

Updated [https://www.googleapis.com/compute/v1/projects/cc-web-stack-project-123123/zones/us-central1-a/instances/cc-frontend-vm-instance].

03 Repeat steps no. 1 and 2 to enable automatic restart for other production virtual machine (VM) instances created for the selected project.

04 Repeat steps no. 1 – 3 for each GCP project deployed within your Google Cloud account.

Publication date May 4, 2021
