Automatically deploy Adaptive Protection suggested rules

Stay organized with collections Save and categorize content based on your preferences.

This document provides configuration steps for automatically deploying the suggested rules that Adaptive Protection generates. To enable automatic rule deployment, you must create a placeholder rule with the following values:

  • Match expression: evaluateAdaptiveProtectionAutoDeploy()
  • Action: Any
  • Priority: Any. We recommend that you set an explicit allow rule at a higher priority than your other rules for high-priority, legitimate traffic.

If you use an upstream proxy in front of your external HTTP(S) load balancer such as a third-party CDN, we recommend that you do not configure automatic rule deployment due to the risk of unintentionally blocking traffic from the upstream proxy.

Example placeholder rules

The following commands are example placeholder rules for security policies called POLICY_NAME, each of which features a different rule action. You can add these rules to an existing security policy or create a new policy. For more information about creating security policies, see Configuring Google Cloud Armor security policies.

Block malicious traffic

This example rule evaluates to true for requests that Adaptive Protection identifies as attack traffic. Google Cloud Armor applies the blocking action to the attacking request:

gcloud compute security-policies rules create 1000 \
    --security-policy POLICY_NAME \
    --expression "evaluateAdaptiveProtectionAutoDeploy()" \
    --action deny-403

Redirect malicious traffic to a reCAPTCHA challenge

This example rule redirects traffic that Adaptive Protection identifies as malicious to a reCAPTCHA challenge:

gcloud compute security-policies rules create 1000 \
    --security-policy POLICY_NAME \
    --expression "evaluateAdaptiveProtectionAutoDeploy()" \
    --action redirect \
    --redirect-type google-recaptcha

Rate limit malicious traffic

This example applies Google Cloud Armor rate limiting to traffic that Adaptive Protection identifies as malicious:

gcloud compute security-policies rules create 1000 \
    --security-policy POLICY_NAME \
    --expression "evaluateAdaptiveProtectionAutoDeploy()" \
    --action throttle \
    --rate-limit-threshold-count 500 \
    --rate-limit-threshold-interval-sec 120 \
    --conform-action allow \
    --exceed-action deny-404 \
    --enforce-on-key ip

Configure sensitivity parameters

You can configure the sensitivity of automatically deployed rules by tuning the following parameters. If you do not configure a parameter, Google Cloud Armor uses the default value:

  • Load threshold: During an alerted attack, Adaptive Protection identifies new attackers only when the load to the backend service that is under attack exceeds this threshold.
    • Default value: 0.8
  • Confidence threshold: Rules are only automatically deployed for alerts on potential attacks with confidence scores greater than this threshold.
    • Default value: 0.5
  • Impacted baseline threshold: Rules are only automatically deployed when the estimated impact to baseline traffic from the suggested mitigation is below this threshold.
    • Default value: 0.01
  • Expiration set: Google Cloud Armor stops applying the action in the automatically deployed rule to an identified attacker after this duration. The rule continues to operate against new requests.
    • Default value: 7200

You can use the following example command to update a security policy to use non-default sensitivity parameters. Replace NAME with the name of your security policy, and replace the remaining variables with the values that you want for your policy.

gcloud beta compute security-policies update NAME [
    --layer7-ddos-defense-auto-deploy-load-threshold LOAD_THRESHOLD
    --layer7-ddos-defense-auto-deploy-confidence-threshold CONFIDENCE_THRESHOLD
    --layer7-ddos-defense-auto-deploy-impacted-baseline-threshold IMPACTED_BASELINE_THRESHOLD
    --layer7-ddos-defense-auto-deploy-expiration-sec EXPIRATION_SEC
]

Limitations

  • Configuration parameters, including sensitivity, cannot be configured by using the Google Cloud console.
  • We recommend that you do not use automatic rule deployment when using upstream proxies.
  • Adaptive Protection is only available for backend security policies attached to backend services that are exposed through an external HTTP(S) load balancer. Adaptive Protection is not available for external SSL proxy load balancers or external TCP proxy load balancers.