Google Cloud Armor named IP address lists

Google Cloud Armor named IP address lists enable you to reference lists of IP addresses and IP ranges that are maintained by third-party providers. These lists are easy to configure within a security policy. You do not have to manually specify each IP address or range individually.

In this document, the terms IP address and IP address list include IP address ranges.

Overview

Named IP address lists are lists of IP addresses grouped under different names. The name typically refers to the provider. Named IP address lists are not subject to the quota limit on the number of IP addresses per rule.

Named IP address lists are not security policies. You incorporate them into a security policy by referencing them as expressions the same way that you reference a pre-configured rule. For example, if a third-party provider has an IP address list of {ip1, ip2, ip3, ..., ipN} under the name provider-a, you can create a security rule that allows all IP addresses that are in the list provider-a and excludes IP addresses that are not on that list:

gcloud beta compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "evaluatePreconfiguredExpr('provider-a')" \
    --action "allow"

Allowing traffic only from permitted third-party providers

A typical use case is to create an allow list containing the IP addresses of a permitted third-party partner to ensure that only traffic coming from this partner can access the load balancer and the backends.

For example, CDN providers need to pull content from origin servers at regular intervals to distribute them to their own caches. A partnership with Google provides a direct connection between CDN providers and the Google network edge. CDN users on Google Cloud can use this direct connection during origin pulls. In this case, the CDN user might want to build a security policy that only allows traffic coming from that particular CDN provider.

In this example, a CDN provider publishes its IP address list 23.235.32.0/20, 43.249.72.0/22, ⋯, and a CDN user configures a security rule that only allows traffic coming from these IP addresses. As a result, two CDN provider access points are allowed (23.235.32.10 and 43.249.72.10), and their traffic is therefore permitted. Traffic from the unauthorized access point 198.51.100.1 is blocked.

[Figure: Google Cloud Armor named IP address list allowing the two CDN provider access points and blocking the unauthorized access point]

Simplifying configuration and management by using pre-configured rules

CDN providers often use IP addresses that are well-known and that many CDN users need to use. These lists change over time, as providers add, remove, and update the IP addresses.

Using a named IP address list in a security policy rule simplifies the process of configuring and managing IP addresses, because Google Cloud Armor automatically synchronizes information from CDN providers on a daily basis. This eliminates the time-consuming and error-prone process of maintaining a large IP address list manually.

This is an example of a pre-configured rule that allows all traffic from a provider:

evaluatePreconfiguredExpr('provider-a') => allow traffic

IP list providers

The IP list providers in the following table are supported for Google Cloud Armor. These are CDN providers that have partnered with Google. Their IP lists are published through individual public URLs.

These partners provide separate lists of IPv4 addresses and IPv6 addresses. Google Cloud Armor fetches lists using the provided URLs, and converts the lists into named IP address lists. You refer to the lists by the names in the table.

For example, the following creates a rule in the security policy my-policy with priority 750, incorporating the named IP list from Cloudflare and allowing access from those IP addresses:

gcloud beta compute security-policies rules create 750 \
    --security-policy my-policy \
    --expression "evaluatePreconfiguredExpr('sourceiplist-cloudflare')" \
    --action "allow"

Provider    URL(s)                                         IP list name
Fastly      https://api.fastly.com/public-ip-list          sourceiplist-fastly
Cloudflare  https://www.cloudflare.com/ips-v4              sourceiplist-cloudflare
            https://www.cloudflare.com/ips-v6
Imperva     https://my.imperva.com/api/integration/v1/ips  sourceiplist-imperva

Note that access to Imperva's list requires a POST request. You can use this command as well:

curl -d "" https://my.imperva.com/api/integration/v1/ips

IP list synchronization

Google Cloud Armor synchronizes IP address lists with each provider only when it detects changes that are in a valid format. Google Cloud Armor performs basic syntax validation on the IP addresses in all lists.
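As an added example (not part of this page and not Google Cloud Armor's own code), the following Python script models the two behaviours described above: the allow rule from the CDN example, which admits 23.235.32.10 and 43.249.72.10 and blocks 198.51.100.1, and the synchronization rule that only takes a new list when every entry passes basic syntax validation. The provider lists are constructed samples built from the two ranges quoted on this page; the one-CIDR-per-line format and the "keep the previous list on a bad fetch" behaviour are assumptions of this model, not a description of Cloud Armor internals.

```python
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of a provider's published IPv4 list (one CIDR per line),
# using the two ranges quoted on this page.
PROVIDER_A_V4 = """\
23.235.32.0/20
43.249.72.0/22
"""

# Constructed later revision of the same list with one malformed entry
# (/33 is not a valid IPv4 prefix length).
PROVIDER_A_V4_BROKEN = """\
23.235.32.0/20
43.249.72.0/22
203.0.113.0/33
"""


def parse_ip_list(text: str) -> Optional[List[Network]]:
    """Basic syntax validation: return all networks, or None if any line is invalid."""
    networks: List[Network] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=True))
        except ValueError:
            return None  # one bad entry invalidates the whole fetched list
    return networks


def sync_named_list(current: List[Network], fetched_text: str) -> List[Network]:
    """Replace the stored list only when the fetched list validates; else keep the old one."""
    parsed = parse_ip_list(fetched_text)
    return current if parsed is None else parsed


def evaluate_rule(client_ip: str, named_list: List[Network]) -> str:
    """Emulate an allow rule on the named list with a default deny rule behind it."""
    addr = ipaddress.ip_address(client_ip)
    return "allow" if any(addr in net for net in named_list) else "deny"


if __name__ == "__main__":
    provider_a = sync_named_list([], PROVIDER_A_V4)
    for ip in ("23.235.32.10", "43.249.72.10", "198.51.100.1"):
        print(f"{ip}: {evaluate_rule(ip, provider_a)}")
    provider_a = sync_named_list(provider_a, PROVIDER_A_V4_BROKEN)
    print(f"{len(provider_a)} ranges retained after the invalid fetch")
```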
