Changes to GCP load balancer behavior

This announcement is for Reblaze customers who use Google Cloud Platform, and manage their own infrastructure. A change to GCP’s default behavior is pending that you will need to address. 

(If you are a SaaS customer, we have already made this change for you.)

Background:

On Jan 19th, 2022, Google announced that it had started a gradual update that changes the default behavior for HTTP/3 and Google QUIC on global external HTTP(S) load balancers.

Under the new behavior, the default setting of quicOverride=NONE advertises support for HTTP/3 to end users.

Here are the different flag options supported and their behaviors:

quicOverride value and its behavior:

  • NONE: HTTP/3 and Google QUIC are not advertised to clients.
    Important: This behavior is changing. The default setting of quicOverride=NONE will advertise support for HTTP/3 to your clients. This is the change that is currently being rolled out globally.
  • ENABLE: Support for HTTP/3 and Google QUIC are advertised to clients. HTTP/3 is advertised at a higher priority. Clients that support both protocols should prefer HTTP/3 over Google QUIC.
    Note: TLS 0-RTT (also known as TLS Early Data) is implicitly supported when Google QUIC is negotiated by the client, but it is not currently supported when HTTP/3 is used.
  • DISABLE: Explicitly disables advertising HTTP/3 and Google QUIC to clients.


How HTTP/3 is negotiated

When HTTP/3 is enabled, the load balancer advertises this support to clients, allowing clients that support HTTP/3 to attempt to establish HTTP/3 connections with the HTTPS load balancer.

  • Properly implemented clients always fall back to HTTPS or HTTP/2 when they cannot establish a QUIC connection.
  • Clients that support HTTP/3 use their cached prior knowledge of HTTP/3 support to save unnecessary round-trips in the future.
  • Because of this fallback, enabling or disabling QUIC in the load balancer does not disrupt the load balancer’s ability to connect to clients.

Our analysis has found that broken or older client implementations that do not support HTTP/3 or QUIC are unable to properly negotiate an HTTP/3 connection. This may result in all traffic coming from those clients being dropped.

Please be advised: Although this change is being rolled out gradually, any changes to your GCP LB configuration will trigger this GCP update to take effect immediately, which will change the QUIC protocol configuration flag. This might impact your service.

Reblaze recommendation: 

Since you manage your own GCP infrastructure, we are not able to make any changes for you. We recommend that you quickly make the changes below, to avoid any potential impact to your traffic.

If you do not currently need HTTP/3 and/or QUIC negotiation support and do not want this behavior to change, please disable QUIC protocol negotiation in the configuration of your GCP load balancers. This can be done through any of the three GCP interfaces:

  • Console
  • gcloud
  • API

Instructions for each are below.

Instructions for Console

  1. In the Google Cloud Console, go to the Load balancing page.
  2. Select the load balancer that you want to edit.
  3. Click Frontend configuration.
  4. Select the frontend IP address and port that you want to edit. To edit HTTP/3 configurations, the IP address and port must be HTTPS (port 443).
  5. Select the QUIC negotiation drop-down.
  6. To explicitly disable HTTP/3 for this frontend, select Disabled.
  7. If you have multiple frontend rules representing IPv4 and IPv6, make sure to disable HTTP/3 for each rule.

Instructions for gcloud

Before you run this command, you must create an SSL certificate resource for each certificate.

gcloud compute target-https-proxies create HTTPS_PROXY_NAME \
    --global \
    --quic-override=DISABLE

Instructions for API

POST https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/targetHttpsProxies/TARGET_PROXY_NAME/setQuicOverride
{
  "quicOverride": "DISABLE"
}


In the gcloud and API commands above, replace HTTPS_PROXY_NAME, PROJECT_ID and TARGET_PROXY_NAME with the values for your environment.
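
To confirm that every frontend is covered (for example, separate IPv4 and IPv6 proxies), the added example below audits the JSON produced by `gcloud compute target-https-proxies list --format=json` and lists each global proxy that is not set to DISABLE. It is not Reblaze or Google code: the proxy names and sample data are constructed, a missing quicOverride field is assumed to mean NONE, and the generated commands use the `update` subcommand for proxies that already exist.

```python
import json

# Constructed sample of `gcloud compute target-https-proxies list --format=json`
# output, trimmed to the fields used here. All names are hypothetical.
SAMPLE_LIST_JSON = """
[
  {"name": "web-proxy-ipv4", "quicOverride": "DISABLE"},
  {"name": "web-proxy-ipv6", "quicOverride": "NONE"},
  {"name": "api-proxy", "quicOverride": "ENABLE"},
  {"name": "legacy-proxy"},
  {"name": "regional-proxy",
   "region": "https://www.googleapis.com/compute/v1/projects/example-project/regions/us-central1"}
]
"""

def effective_override(proxy):
    """Return the proxy's quicOverride, assuming an absent field means NONE."""
    return proxy.get("quicOverride", "NONE")

def audit(list_json):
    """Return (name, value) for each global proxy not pinned to DISABLE.

    NONE is reported as well as ENABLE, because under the new default
    described in the announcement NONE advertises HTTP/3 to clients.
    """
    findings = []
    for proxy in json.loads(list_json):
        if "region" in proxy:
            continue  # regional proxies are outside the scope of this announcement
        value = effective_override(proxy)
        if value != "DISABLE":
            findings.append((proxy["name"], value))
    return findings

def remediation_commands(findings):
    """Build one gcloud command per finding; nothing is executed here."""
    return [
        f"gcloud compute target-https-proxies update {name} "
        "--global --quic-override=DISABLE"
        for name, _ in findings
    ]

if __name__ == "__main__":
    found = audit(SAMPLE_LIST_JSON)
    for name, value in found:
        print(f"{name}: quicOverride={value}")
    for command in remediation_commands(found):
        print(command)
```

Review the generated commands before running them, then re-run the audit on fresh `list` output to confirm that no proxy is reported.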


Additional Information

Here are some links where you can find more information about this recent update:

Questions?

We are always here for you if you have any questions, or need assistance.

The Reblaze Support Team
