Google Cloud Armor Security Policies

tudip-logo

Tudip

05 September 2019

Overview

You can use Google Cloud Armor (GCA) security policies to protect the load-balanced services. These policies are made up of rules that allow or deny traffic from IP addresses or ranges defined in the rule. GCA security policies and the IP deny lists and allow lists are available only for HTTP(S) Load Balancing.

Edge security with IP deny lists/allow lists

Google Cloud Platform HTTP(S) load balancing is implemented at the edge of Google’s network in Google’s Points of Presence (PoP) around the world. User traffic which is directed to an HTTP(S) load balancer enters the PoP closest to the user and is then load-balanced over Google’s global network to the closest backend that has sufficient capacity available.

Cloud Armor IP blacklists/whitelists enable restrict or allow access to HTTP(S) load balancer at the edge of the Google Cloud, as close as possible to the user and to malicious traffic. This prevents malicious users and traffic from entering your Virtual Private Cloud (VPC) networks.

IP deny list/allow list for HTTP(S) Load Balancing has the below features:

  • Ability to create the GCA security policies with a deny list and allow list rules.
  • Ability to associate the GCA security policy with one or more HTTP(S) Load Balancing backend services.

IP addresses allow list and deny list rules in the GCA security policy:

  • Deny listing for IP address/CIDR provides the ability to block the source IP address or CIDR range from accessing HTTP(S) load balancers.
  • Allow listing for IP address/CIDR provides the ability to allow a source IP address or CIDR range to access the HTTP(S) load balancers.
  • Both the IPv4 and IPv6 addresses are supported in allow list and deny list rules.
  • You can configure the deny rule to display a 403, 404, or 502 error code.
  • You can designate the order in which the rules are evaluated when you configure multiple rules.

Preview Mode:

  • You can preview the effects of the rules in security policy in stackdriver logs without enforcing the actions in the rules, you can explicitly enable preview mode in the console.

Logging:

  • The Google Cloud Armor security policy name, matched the rule priority, associated the action, and the related information are logged for HTTP(S) requests to your HTTP(S) load balancer.

Enabling IP allow list or deny list for HTTP(S) Load Balancing

At a high level, these are the steps you can follow for configuring GCA security policies to enable IP allow list/deny list for HTTP(S) Load Balancing.

  1. Create the Google Cloud Armor security policy.
  2. Add the deny list and allow list rules to the policy.
  3. Attach the GCA security policy to the backend service of the HTTP(S) load balancer for which you want to control access.
  4. Update the Google Cloud Armor security policy as per need.

Request a quote