Automatically deploy Adaptive Protection suggested rules

This document provides configuration steps for automatically deploying the suggested rules that Adaptive Protection generates. To enable automatic rule deployment, you must create a placeholder rule with the following values:

Match expression: evaluateAdaptiveProtectionAutoDeploy()
Action: Any
Priority: Any. We recommend that you set an explicit allow rule at a higher priority than your other rules for high-priority, legitimate traffic.

If you use an upstream proxy in front of your external Application Load Balancer, such as a third-party CDN, you can configure the placeholder rule to match requests based on the original client's IP address from a specified header or headers. To use this preview feature, configure the userIpRequestHeaders[] option in the advancedOptionsConfig field. For more information, see the ComputeSecurityPolicy resource reference.

Example placeholder rules

The following commands are example placeholder rules for security policies called POLICY_NAME, each of which features a different rule action. You can add these rules to an existing security policy or create a new policy. For more information about creating security policies, see Configure Google Cloud Armor security policies.

Block malicious traffic

This example rule evaluates to true for requests that Adaptive Protection identifies as attack traffic. Google Cloud Armor applies the blocking action to the attacking request:

gcloud compute security-policies rules create 1000 \
    --security-policy POLICY_NAME \
    --expression "evaluateAdaptiveProtectionAutoDeploy()" \
    --action deny-403

Redirect malicious traffic to a reCAPTCHA challenge

This example rule redirects traffic that Adaptive Protection identifies as malicious to a reCAPTCHA challenge:

gcloud compute security-policies rules create 1000 \
    --security-policy POLICY_NAME \
    --expression "evaluateAdaptiveProtectionAutoDeploy()" \
    --action redirect \
    --redirect-type google-recaptcha

Rate limit malicious traffic

This example applies Google Cloud Armor rate limiting to traffic that Adaptive Protection identifies as malicious:

gcloud compute security-policies rules create 1000 \
    --security-policy POLICY_NAME \
    --expression "evaluateAdaptiveProtectionAutoDeploy()" \
    --action throttle \
    --rate-limit-threshold-count 500 \
    --rate-limit-threshold-interval-sec 120 \
    --conform-action allow \
    --exceed-action deny-404 \
    --enforce-on-key ip

Configure Adaptive Protection auto-deploy parameters

You can configure the thresholds for automatic deployment of rules by tuning the following parameters. If you don't set the value for a parameter, Google Cloud Armor uses the default value.

Load threshold: during an alerted attack, Adaptive Protection identifies new attackers only when the load to the backend service that is under attack exceeds this threshold. In addition, rules are only automatically deployed for alerts when the load to the backend service that is under attack exceeds this threshold.
- Default value: 0.8
  Caution: Setting the load threshold field has no effect on serverless backends. The load threshold value isn't used for detecting an attack nor for triggering auto-deployment for backend services that are configured with the following network endpoint groups (NEGs):
  - A serverless NEG sending traffic to App Engine, Cloud Run, or Cloud Run functions.
  - An internet NEG sending traffic to an external origin.
Confidence threshold: rules are only automatically deployed for alerts on potential attacks with confidence scores greater than this threshold.
- Default value: 0.5
Impacted baseline threshold: rules are only automatically deployed when the estimated impact to baseline traffic from the suggested mitigation is below this threshold.
- Default value: 0.01 percent (0.01%, not 1%)
Expiration set: Google Cloud Armor stops applying the action in the automatically deployed rule to an identified attacker after this duration. The rule continues to operate against new requests.
- Default value: 7200 seconds

You can use the following example command to update your security policy to use non-default, automatically deployed thresholds. Replace NAME with the name of your security policy, and replace the remaining variables with the values that you want for your policy.

gcloud beta compute security-policies update NAME [
    --layer7-ddos-defense-auto-deploy-load-threshold LOAD_THRESHOLD
    --layer7-ddos-defense-auto-deploy-confidence-threshold CONFIDENCE_THRESHOLD
    --layer7-ddos-defense-auto-deploy-impacted-baseline-threshold IMPACTED_BASELINE_THRESHOLD
    --layer7-ddos-defense-auto-deploy-expiration-sec EXPIRATION_SEC
]

Logging

Logs generated by rules automatically deployed with Adaptive Protection have the following additional fields:

autoDeployed: after you configure automatic rule deployment, each alert log that Adaptive Protection generates has the boolean field autoDeployed, which indicates whether an automatic defense was triggered.
adaptiveProtection.autoDeployAlertId: whenever Adaptive Protection takes an action on a request as part of an automatic defense, the request log has the additional adaptiveProtection.autoDeployAlertId field, which records the alert ID. This field appears under enforcedSecurityPolicy or previewSecurityPolicy, depending on whether the security policy is in preview mode.

To view request logs, see Use request logging. The following screenshot shows an example of an Adaptive Protection log entry, with the autoDeployed and adaptiveProtection.autoDeployAlertId fields.

An Adaptive Protection example log. — An Adaptive Protection example log (click to enlarge).

Limitations

Adaptive Protection is only available for backend security policies attached to backend services that are exposed through an external Application Load Balancer. Adaptive Protection is not available for external proxy Network Load Balancers.