This document provides configuration steps for automatically deploying the suggested rules that Adaptive Protection generates. To enable automatic rule deployment, you must create a placeholder rule with the following values:
- Match expression: evaluateAdaptiveProtectionAutoDeploy()
- Action: Any
- Priority: Any. We recommend that you set an explicit allow rule at a higher priority than your other rules for high-priority, legitimate traffic.
If you use an upstream proxy in front of your external HTTP(S) load balancer such as a third-party CDN, we recommend that you do not configure automatic rule deployment due to the risk of unintentionally blocking traffic from the upstream proxy.
Example placeholder rules
The following commands are example placeholder rules for security policies called POLICY_NAME, each of which features a different rule action.
You can add these rules to an existing security policy or create a new policy. For more information about creating security policies, see Configuring Google Cloud Armor security policies.
Block malicious traffic
This example rule evaluates to true for requests that Adaptive Protection identifies as attack traffic. Google Cloud Armor applies the blocking action to the attacking request:
gcloud compute security-policies rules create 1000 \
    --security-policy POLICY_NAME \
    --expression "evaluateAdaptiveProtectionAutoDeploy()" \
    --action deny-403
Redirect malicious traffic to a reCAPTCHA challenge
This example rule redirects traffic that Adaptive Protection identifies as malicious to a reCAPTCHA challenge:
gcloud compute security-policies rules create 1000 \
    --security-policy POLICY_NAME \
    --expression "evaluateAdaptiveProtectionAutoDeploy()" \
    --action redirect \
    --redirect-type google-recaptcha
Rate limit malicious traffic
This example applies Google Cloud Armor rate limiting to traffic that Adaptive Protection identifies as malicious:
gcloud compute security-policies rules create 1000 \
    --security-policy POLICY_NAME \
    --expression "evaluateAdaptiveProtectionAutoDeploy()" \
    --action throttle \
    --rate-limit-threshold-count 500 \
    --rate-limit-threshold-interval-sec 120 \
    --conform-action allow \
    --exceed-action deny-404 \
    --enforce-on-key ip
Configure sensitivity parameters
You can configure the sensitivity of automatically deployed rules by tuning the following parameters. If you do not configure a parameter, Google Cloud Armor uses the default value:
- Load threshold: During an alerted attack, Adaptive Protection identifies new attackers only when the load to the backend service that is under attack exceeds this threshold.
  - Default value: 0.8
- Confidence threshold: Rules are only automatically deployed for alerts on potential attacks with confidence scores greater than this threshold.
  - Default value: 0.5
- Impacted baseline threshold: Rules are only automatically deployed when the estimated impact to baseline traffic from the suggested mitigation is below this threshold.
  - Default value: 0.01
- Expiration set: Google Cloud Armor stops applying the action in the automatically deployed rule to an identified attacker after this duration (in seconds). The rule continues to operate against new requests.
  - Default value: 7200
You can use the following example command to update a security policy to use non-default sensitivity parameters. Replace NAME with the name of your security policy, and replace the remaining variables with the values that you want for your policy.
gcloud beta compute security-policies update NAME \
    [ --layer7-ddos-defense-auto-deploy-load-threshold LOAD_THRESHOLD \
      --layer7-ddos-defense-auto-deploy-confidence-threshold CONFIDENCE_THRESHOLD \
      --layer7-ddos-defense-auto-deploy-impacted-baseline-threshold IMPACTED_BASELINE_THRESHOLD \
      --layer7-ddos-defense-auto-deploy-expiration-sec EXPIRATION_SEC ]
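The following shell helper is an added example and is not part of the Cloud Armor documentation or of gcloud itself. It covers two points from this page: the recommendation that an explicit allow rule for legitimate traffic sit at a higher priority than the placeholder rule, and the sensitivity parameters above. It checks each parameter before building the update command, and omits any parameter that is left empty so the policy keeps the default for it. It assumes, which the page does not state, that the three thresholds are fractions in [0, 1] (the documented defaults 0.8, 0.5 and 0.01 fit that range), that the expiration is a positive whole number of seconds, and that Cloud Armor evaluates rules from the lowest priority number upward, so a "higher priority" rule has a smaller number.

```shell
#!/bin/sh
# Added helper (not from the Cloud Armor docs or gcloud): validates the
# auto-deploy sensitivity parameters and builds the update command shown on
# the page. Assumptions: thresholds are fractions in [0, 1]; the expiration is
# a positive whole number of seconds; a lower priority number is evaluated first.

# is_fraction VALUE: succeeds when VALUE is a decimal number in [0, 1].
is_fraction() {
  case "$1" in
    ''|*[!0-9.]*|*.*.*|.) return 1 ;;
  esac
  awk -v v="$1" 'BEGIN { if (v >= 0 && v <= 1) exit 0; exit 1 }'
}

# is_uint VALUE: succeeds when VALUE is a whole number (0 or greater).
is_uint() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  return 0
}

# allow_precedes_placeholder ALLOW_PRIORITY PLACEHOLDER_PRIORITY: succeeds when
# the explicit allow rule for legitimate traffic is evaluated before the
# placeholder rule, as the page recommends (smaller number wins).
allow_precedes_placeholder() {
  is_uint "$1" && is_uint "$2" && [ "$1" -lt "$2" ]
}

# build_update_cmd POLICY LOAD CONFIDENCE IMPACTED EXPIRATION
# Prints the gcloud command on stdout. Empty arguments are skipped so the
# policy keeps the default; an out-of-range argument is reported on stderr
# and the function returns 1 without printing a command.
build_update_cmd() {
  policy=$1; load=$2; confidence=$3; impacted=$4; expiration=$5
  [ -n "$policy" ] || { echo "security policy name is required" >&2; return 1; }
  cmd="gcloud beta compute security-policies update $policy"
  if [ -n "$load" ]; then
    is_fraction "$load" || { echo "load threshold must be in [0,1]: $load" >&2; return 1; }
    cmd="$cmd --layer7-ddos-defense-auto-deploy-load-threshold $load"
  fi
  if [ -n "$confidence" ]; then
    is_fraction "$confidence" || { echo "confidence threshold must be in [0,1]: $confidence" >&2; return 1; }
    cmd="$cmd --layer7-ddos-defense-auto-deploy-confidence-threshold $confidence"
  fi
  if [ -n "$impacted" ]; then
    is_fraction "$impacted" || { echo "impacted baseline threshold must be in [0,1]: $impacted" >&2; return 1; }
    cmd="$cmd --layer7-ddos-defense-auto-deploy-impacted-baseline-threshold $impacted"
  fi
  if [ -n "$expiration" ]; then
    if ! is_uint "$expiration" || [ "$expiration" -eq 0 ]; then
      echo "expiration must be a positive number of seconds: $expiration" >&2; return 1
    fi
    cmd="$cmd --layer7-ddos-defense-auto-deploy-expiration-sec $expiration"
  fi
  printf '%s\n' "$cmd"
}

# Constructed example: confirm the allow rule (priority 100) is evaluated
# before the placeholder rule (priority 1000), then build a command that
# raises the confidence bar, lowers the baseline-impact ceiling, keeps the
# default load threshold and expires attacker actions after one hour.
allow_precedes_placeholder 100 1000 && echo "allow rule precedes placeholder rule"
build_update_cmd POLICY_NAME "" 0.7 0.005 3600
```

The script only prints the command; review it, then run it (or pipe the output through sh) once the values are what you intend. Keeping the validation separate from execution also makes it easy to reject a change in CI before it reaches a production policy.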
Limitations
- Configuration parameters, including sensitivity, cannot be configured by using the Google Cloud console.
- We recommend that you do not use automatic rule deployment when using upstream proxies.
- Adaptive Protection is only available for backend security policies attached to backend services that are exposed through an external HTTP(S) load balancer. Adaptive Protection is not available for external SSL proxy load balancers or external TCP proxy load balancers.