You manage a web application that runs on Compute Engine instances across multiple zones. A critical software vulnerability has been reported, and the vendor has provided a patch. The application needs to remain available during the patching process. What should you do?