Google Compute Engine

VM Instance On Host Maintenance Not Configured

Ensures that VM instances are configured to migrate in the event of any maintenance.

Risk Level: Low

Description

This plugin ensures that the Compute Engine VM Instances have on host maintenance set to migrate. “On host maintenance” is an availability policy that determines the behaviour of a VM instance when there is any maintenance event. If it is set to migrate, then the instance is migrated to a new hardware configuration. 

About the Service

Google Cloud Compute Engine:

Google Cloud Compute Engine is a service that allows you to create virtual machines based on your preferences and run them on Google’s infrastructure. You can either use the predefined machine types with certain default configurations or create your own custom virtual machine to meet your exact requirements. To know more, read here.

Impact

When the on-host maintenance availability policy is configured to terminate, the VM is halted instead of being live-migrated to new hardware. Workloads on such instances are interrupted during every host maintenance event, which reduces availability and can cause problems for services running on the VM.

Steps to Reproduce

Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Compute Engine and select VM Instances. You can use this link (https://console.cloud.google.com/compute) to navigate directly if you’re already logged in.
  4. Select the VM instance you want to investigate from the list of instances and go to the Details tab to examine the details of the VM instance selected.
  5. Scroll down to the Availability policies section and check the On host maintenance status. If it is set to Terminate VM instance, then SentinelOne CNS strongly recommends reconfiguring this setting for the selected Virtual Machine (VM) instance.
  6. Repeat steps 4 and 5 for all the VM instances you want to investigate in the selected project.
  7. If you have multiple projects that you want to investigate, repeat steps 2-6 for each project in your GCP console.

Steps for Remediation

Follow the steps given below to reconfigure your on host maintenance availability policy from terminate to migrate.


Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Compute Engine and select VM Instances. You can use this link (https://console.cloud.google.com/compute) to navigate directly if you’re already logged in.
  4. From the list of instances, choose the VM instance you want to reconfigure. (In case you aren’t sure which instance needs to be configured, follow the steps to reproduce listed above to determine which instance to choose.)
  5. Select the Edit option from the top navigation bar of the VM instance details page.
  6. Scroll down to the Availability policies section and click the Migrate VM instance option from the drop-down menu available for On host maintenance.
    Note:
      • If the machine type is E2, then the host maintenance setting cannot be changed.
      • If it is a preemptible VM, the instance will terminate and not migrate in the case of any maintenance event.
  7. Click the SAVE button to apply the changes.
  8. Repeat steps 4 to 7 for all the VM instances you want to reconfigure in the selected project.
  9. If you have multiple projects, repeat steps 2 to 8 for each project in your GCP console.
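The console checks above can be scripted. The following is an added example, not part of the SentinelOne CNS plugin, that evaluates the JSON printed by `gcloud compute instances list --format=json` the way the "Steps to Reproduce" describe (reading `scheduling.onHostMaintenance`), applies the E2 and preemptible caveats from the remediation notes, and emits the equivalent `gcloud ... set-scheduling` command for each failing instance. The instance records are constructed sample data; field names follow the Compute Engine API.

```python
import json

# Constructed sample shaped like `gcloud compute instances list --format=json`
# (only the fields this check reads are included).
SAMPLE_INSTANCES = json.dumps([
    {"name": "web-1", "zone": "projects/demo/zones/us-central1-a",
     "machineType": "projects/demo/zones/us-central1-a/machineTypes/n2-standard-4",
     "scheduling": {"onHostMaintenance": "MIGRATE", "automaticRestart": True}},
    {"name": "batch-1", "zone": "projects/demo/zones/us-central1-b",
     "machineType": "projects/demo/zones/us-central1-b/machineTypes/n1-standard-2",
     "scheduling": {"onHostMaintenance": "TERMINATE", "automaticRestart": True}},
    {"name": "spot-1", "zone": "projects/demo/zones/us-central1-b",
     "machineType": "projects/demo/zones/us-central1-b/machineTypes/n1-standard-1",
     "scheduling": {"onHostMaintenance": "TERMINATE", "preemptible": True}},
    {"name": "legacy-1", "zone": "projects/demo/zones/us-east1-c",
     "machineType": "projects/demo/zones/us-east1-c/machineTypes/e2-medium",
     "scheduling": {"onHostMaintenance": "MIGRATE"}},
])


def audit_on_host_maintenance(instances_json):
    """Evaluate scheduling.onHostMaintenance for every instance in the list.

    Returns one dict per instance with name, zone, machineType, status
    (PASS/FAIL/WARN), a reason and, for FAIL, the gcloud remediation command.
    """
    findings = []
    for inst in json.loads(instances_json):
        sched = inst.get("scheduling", {})
        policy = sched.get("onHostMaintenance")
        zone = inst.get("zone", "").rsplit("/", 1)[-1]
        machine = inst.get("machineType", "").rsplit("/", 1)[-1]
        if sched.get("preemptible"):
            # Preemptible VMs are stopped on maintenance regardless of the policy.
            status, reason = "WARN", "preemptible VM: terminates on host maintenance"
        elif policy == "MIGRATE":
            status, reason = "PASS", "on host maintenance set to MIGRATE"
        elif policy == "TERMINATE":
            status, reason = "FAIL", "on host maintenance set to TERMINATE; VM is halted"
        else:
            status, reason = "WARN", "no onHostMaintenance policy reported"
        if machine.startswith("e2-"):
            reason += " (E2 machine type: setting cannot be changed)"
        entry = {"name": inst["name"], "zone": zone, "machineType": machine,
                 "status": status, "reason": reason}
        if status == "FAIL":
            # CLI equivalent of the console "Migrate VM instance" remediation step.
            entry["remediation"] = (f"gcloud compute instances set-scheduling "
                                    f"{inst['name']} --zone {zone} --maintenance-policy MIGRATE")
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in audit_on_host_maintenance(SAMPLE_INSTANCES):
        print(f"{f['status']:4} {f['zone']}/{f['name']} ({f['machineType']}): {f['reason']}")
```

Pipe real output in with `gcloud compute instances list --format=json | python3 audit.py` after replacing `SAMPLE_INSTANCES` with `sys.stdin.read()`; run it once per project, as step 9 describes.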