Overview
Google Cloud Armor security policies protect your application by providing Layer 7 filtering and by scrubbing incoming requests for common web attacks or other Layer 7 attributes to potentially block traffic before it reaches your load balanced backend services or backend buckets. Each security policy is made up of a set of rules that filter traffic based on conditions such as an incoming request’s IP address, IP range, region code, or request headers.
Google Cloud Armor security policies are available only for backend services behind an external HTTP(S) load balancer. The load balancer can be in Premium Tier or Standard Tier.
The backends to the backend service can be any of the following:
- Instance groups
- Zonal network endpoint groups (NEGs)
- Serverless NEGs: One or more App Engine, Cloud Run, or Cloud Functions services
- Internet NEGs for external backends
- Buckets in Cloud Storage
When you use Google Cloud Armor to protect a hybrid deployment or a multi-cloud architecture, the backends must be internet NEGs. Google Cloud Armor also protects serverless NEGs when traffic is routed through a load balancer. To ensure that only traffic that has been routed through your load balancer reaches your serverless NEG, see Ingress controls.
Lab Details:
- This lab walks you through Traffic blacklisting using Cloud Armor.
- You will create a Cloud Armor Security Policy to block the traffic.
Lab Tasks:
- Creating an HTTP Load Balancer.
- Creating a Test Instance.
- Creating a Security Policy.
- Testing the Output.
Creating an Instance Template
- Click on the hamburger icon on the top left corner
- Click on Compute Engine under Compute Section
- In the left sidebar, click on Instance templates
- Click on Create Instance Template from the top bar.
- Enter any Instance Template name like cloudblogg-instance-template
- Choose the machine series as N1
- Choose the machine type as n1-standard-1
- Check the Allow HTTP Traffic firewall rule to allow HTTP Traffic
- Expand the given section to write the automation script
- Write the below script in the startup script input box
#! /bin/bash
apt-get update -y
apt-get install apache2 -y
apt-get install php7.0 -y
mv /var/www/html/index.html /var/www/html/index.php
cat <<EOF > /var/www/html/index.php
<html><body><h1>Welcome to Whizlabs</h1>
</body></html>
EOF
- Click on Create.
Creating an Instance Group
- In the left sidebar, click on Instance groups
- Click on Create Instance Group
- Enter any name like cloudblogg-instance-group.
- Choose the location a Single Zone and region as us-central1
- Choose the instance template which you created in previous steps
- Click on the edit button as shown to change the configuration settings
- Change the target CPU Utilization to 80
- Enter the minimum and a maximum number of instances as 1 and 5 resp.
- Click on Create.
Creating a VM instance
- In the left sidebar, click on VM Instances
- Click on Create Instance
3. Enter any instance name like armor-instance. This is your test instance.
Choose the machine series as N1
4. Choose the machine type as n1-standard-1
5. Click on Create.
You can see the listed instance, click on the SSH button and keep the SSH window open, you will use this SSH window later to test the output
Creating a HTTP Load Balancer
- Click on the hamburger icon on the top left corner
2. Click on Network services under the networking section
3. Click on Create Load Balancer
4. Choose HTTP(s) Load Balancing and click on Start configuration.
5. Choose the Internet-facing option and click on continue.
6. Enter the load balancer name like cloudblogg-lb
7. Click on Backend Configuration.
In backend configuration, click on the shown drop-down menu.
8. Click on Create a backend service
9. Enter any name like cloudblogg-backend.
10. Choose the instance group which you created earlier
11. Enter the port number as 80 and 8080
12. Click on the health check drop-down menu
13. Click on Create a health check
14. Enter any name like cloudblogg-health. Keep the other option as is and click on Save.
15. Click on Create.
16. Click OK.
17. Leave host and path rules as is.
18. Choose frontend configuration
19. Enter any name like cloudblogg-frontend.
20. Choose the protocol as HTTP and port80and keep the other options as is and click on Done
21. Click on Create.
22. Click on the load balancer created and click on the load balancer name, make a note of IP address of the load balancer listed.
Note: Please wait for a few minutes until you see the ready CHECK mark like above.
23. Navigate to the SSH window of VM instance called “armor-instance” we had earlier created . Enter the command as given below. You will see the output below till now nothing is blocked.
curl <ip_address of Load Balancer>
Configuring Cloud Armor and Testing Security Policy
- Click on the hamburger icon on the top left corner
2. Click on Network security under the networking section
3. Click on Create Policy
4. Enter any policy name like forbid-policy
5. Choose the default rule action as deny and status as 403 Forbidden
6. Click on Add Target in Apply policy to targets section
7. Choose the type as Load Balancer backend and Select the target as your Load Balancer
8. Click on Create Policy.
9. Navigate to the SSH window. Enter the command as given below. You will see the output below as forbidden.
curl <ip_address of Load balancer>curl 35.208.103.187
Note: This might take around 2-3 minutes to propagate the changes. You may see a message Welcome to Whizlabs, but keep running the command again.
Completion and Conclusion:
- In this lab, you have created an HTTP Load Balancer
- You have created a Test Instance.
- You have created a Cloud Armor Security Policy.
- You have tested the final output.
Happy Learning !!!
Reading your article helped me a lot and I agree with you. But I still have some doubts, can you clarify for me? I’ll keep an eye out for your answers.
Your article helped me a lot, thanks for the information. I also like your blog theme, can you tell me how you did it?