Configuring Google Cloud Armor Security Policies

Use these instructions to enable IP allow list/deny list for HTTP(S) Load Balancing by creating Google Cloud Armor security policies. For conceptual information about Google Cloud Armor security policies, see Google Cloud Armor Security Policy Concepts.

For information about configuring Google Cloud Armor on Google Kubernetes Engine, see Configuring Google Cloud Armor.

IAM permissions for Google Cloud Armor security policies

The following operations require the role Security Admin (roles/compute.securityAdmin):

  • Creating, modifying, updating, and deleting a Google Cloud Armor security policy
  • API methods allowed:
    • SecurityPolicies insert
    • SecurityPolicies delete
    • SecurityPolicies patch
    • SecurityPolicies addRule
    • SecurityPolicies patchRule
    • SecurityPolicies removeRule

A user with the Network Admin role (roles/compute.networkAdmin) can perform the following operations:

  • Setting a Google Cloud Armor security policy for a backend service
  • API methods allowed:
    • BackendServices setSecurityPolicy

Users with the roles Security Admin and Network Admin can view Google Cloud Armor security policies using the API methods SecurityPolicies get, list, and getRule.

IAM permissions for custom roles

The following table lists the base IAM permissions and their associated API methods, for use when building custom roles.

IAM permission                               API methods
compute.securityPolicies.create              SecurityPolicies insert
compute.securityPolicies.delete              SecurityPolicies delete
compute.securityPolicies.get                 SecurityPolicies get
                                             SecurityPolicies getRule
compute.securityPolicies.list                SecurityPolicies list
compute.securityPolicies.use                 BackendServices setSecurityPolicy
compute.securityPolicies.update              SecurityPolicies patch
                                             SecurityPolicies addRule
                                             SecurityPolicies patchRule
                                             SecurityPolicies removeRule
compute.backendServices.setSecurityPolicy    BackendServices setSecurityPolicy

Enabling IP allow list/deny list for HTTP(S) Load Balancing

At a high level, these are the steps for configuring Google Cloud Armor security policies to enable IP allow list/deny list for HTTP(S) Load Balancing.

  1. Create a Google Cloud Armor security policy.
  2. Add deny list and allow list rules to the policy.
  3. Attach the Google Cloud Armor security policy to a backend service of the HTTP(S) load balancer for which you want to control access.
  4. Update the Google Cloud Armor security policy as needed.

In the following example, you create two Google Cloud Armor security policies and apply them to different backend services.

Figure: Example in which two Google Cloud Armor security policies are applied to different backend services

In the example, these are the Google Cloud Armor security policies:

  • mobile-clients-policy applies to external users of your games services
  • internal-users-policy applies to your organization's test-network team

You apply mobile-clients-policy to the games service, whose backend service is called games, and you apply internal-users-policy to the internal test service for the testing team, whose corresponding backend service is called test-network.

If the backend instances for a backend service are in multiple regions, then the Google Cloud Armor security policy associated with the service is applicable to instances in all regions. In the example above, the Google Cloud Armor security policy mobile-clients-policy is applicable to instances 1, 2, 3, and 4 in us-central and to instances 5 and 6 in us-east.

Creating the example

Use these instructions to create the example discussed in the previous section.

Console


To create the example configuration, follow these steps:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    You see the Security policies page.
  2. Click Create policy.
  3. In the Name field, type mobile-clients-policy.
  4. In the Description field, type policy for external users.
  5. Click Deny.
  6. Click Next step.
  7. Click Add rule.
  8. In the Description field, type Block traffic from 192.0.2.0/24.
  9. In the Match field, type 192.0.2.0/24.
  10. Click Deny.
  11. Check Enable.
  12. In the Priority field, type 1000.
  13. Click Done.
  14. Click Next step.
  15. Click Add target.
  16. Select a Target from the drop-down list.
  17. Click Done.
  18. Click Create policy.
  19. In the Name field, type internal-users-policy.
  20. In the Description field, type Policy for internal test users.
  21. Click Deny.
  22. Click Next step.
  23. Click Add rule.
  24. In the Description field, type Block traffic from 198.51.100.0/24.
  25. In the Match field, type 198.51.100.0/24.
  26. Click Deny.
  27. Check Enable.
  28. In the Priority field, type 1000.
  29. Click Done.
  30. Click Next step.
  31. Click Add target.
  32. Select a Target from the drop-down list.
  33. Click Done.
  34. Click Create policy. You see the Security policies page in the Console.

gcloud


  1. Create the Google Cloud Armor security policies.

    gcloud compute security-policies create mobile-clients-policy \
        --description "policy for external users"
    
    gcloud compute security-policies create internal-users-policy \
        --description "policy for internal test users"
    
  2. Add deny list and allow list rules to the Google Cloud Armor security policies.

    gcloud compute security-policies rules create 1000 \
        --security-policy mobile-clients-policy \
        --description "deny traffic from 192.0.2.0/24" \
        --src-ip-ranges "192.0.2.0/24" \
        --action "deny-404"
    
    gcloud compute security-policies rules create 999 \
        --security-policy internal-users-policy \
        --description "deny traffic from 198.51.100.0/24" \
        --src-ip-ranges "198.51.100.0/24" \
        --action "deny-502"
    
  3. Attach the Google Cloud Armor security policies to the backend services.

    gcloud compute backend-services update games \
        --security-policy mobile-clients-policy
    
    gcloud compute backend-services update test-network \
        --security-policy internal-users-policy
    

Creating Google Cloud Armor security policies and rules

You can create Google Cloud Armor security policies and rules using the Console, the gcloud command line tool, or the REST API.

Console


To create Google Cloud Armor security policies and rules and attach the Google Cloud Armor security policy to a target:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    You see the Security policies page.
  2. Click Create policy.
  3. In the Name field, type the name of your policy.
  4. Optionally, type a description of the policy.
  5. Click Allow for a default rule that permits access or Deny for a default rule that forbids access to an IP address or IP address range.
  6. If you are creating a Deny rule, choose the Deny status. This is the error message that will be displayed if a user without access tries to gain access.
  7. Regardless of the type of rule you are creating, click Next step.
  8. Optionally, type in a Description of the rule.
  9. In the Match field, type from one to five IP address ranges to match in the rule.
  10. Click Allow or Deny, depending on the type of rule you are creating.
  11. To enable the rule, check Enable. Otherwise, you can see a preview of how the rule behaves, but the rule is not enabled.
  12. Type the rule's Priority. This can be any integer from 0 to 2,147,483,647, with 0 being the highest priority.
  13. Click Done.
  14. To add more rules, click Add rule and repeat the steps above. Otherwise, click Next step.
  15. Click Add target.
  16. Select a Target from the drop-down list.
  17. To add more targets, click Add target.
  18. Click Done.
  19. Click Create policy.

gcloud


To create a new Google Cloud Armor security policy, use the command gcloud compute security-policies create, where NAME is the name of the Google Cloud Armor security policy.

gcloud compute security-policies create [NAME] \
    [--file-format=[FILE_FORMAT] | --description=[DESCRIPTION]] \
    [--file-name=[FILE_NAME]]

For example:

gcloud compute security-policies create my-policy \
   --description="block bad traffic"

To add rules to a Google Cloud Armor security policy, use the command gcloud compute security-policies rules create PRIORITY, where PRIORITY is the priority assigned to the rule in the policy. For information on how rule priority works, see About Google Cloud Armor security policies.

gcloud compute security-policies rules create [PRIORITY]  \
   --src-ip-ranges=[IP_RANGE,...] \
   --action=[ allow | deny-403 | deny-404 | deny-502 ]  \
   [--security-policy=[POLICY_NAME]] \
   [--description=[DESCRIPTION]] \
   [--preview]

The following command adds a rule to block traffic from IP address ranges 192.0.2.0/24 and 198.51.100.0/24. The rule has priority 1000 and it is a rule in a policy called my-policy.

gcloud compute security-policies rules create 1000 \
   --src-ip-ranges="192.0.2.0/24","198.51.100.0/24" \
   --action="deny-403" \
   --security-policy=my-policy \
   --description="block traffic from 192.0.2.0/24 and 198.51.100.0/24"

With the --preview flag added, the rule is added to the policy, but not enforced, and any traffic that triggers the rule is only logged. The action applied will still be from the highest priority rule that matches the traffic and is not in preview mode.

gcloud beta compute security-policies rules create 1000 \
   --src-ip-ranges "192.0.2.0/24","198.51.100.0/24" \
   --action "deny-403" \
   --security-policy my-policy \
   --description "block traffic from 192.0.2.0/24 and 198.51.100.0/24" \
   --preview

Listing Google Cloud Armor security policies

Use these instructions to list Google Cloud Armor security policies.

Console


  1. Go to the Network Security page in the Google Cloud Platform Console.
    You see the Security policies page and a list of policies.

  2. To view a particular policy, click its name.

gcloud


To list all configured Google Cloud Armor security policies:

$ gcloud compute security-policies list

For example:

gcloud compute security-policies list
NAME
my-policy

For complete information, see gcloud compute security-policies list.

Updating Google Cloud Armor security policies

Use these instructions when you need to update a Google Cloud Armor security policy.

Console


To update a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    You see the Google Cloud Armor Security Policies page and a list of policies.
  2. Click the three-dot menu corresponding to the policy you want to update.
  3. To update the policy description or the default rule action, select Edit, make the desired changes, and click Update.
  4. To add a rule, select Add rule, then follow the instructions above for adding a rule to a policy from the Console.
  5. To change the target backend service for the Google Cloud Armor security policy, select Apply policy to target, then add a new target and click Add.

gcloud


To update a Google Cloud Armor security policy with the gcloud command line tool, use the instructions for gcloud compute security-policies rules update, gcloud compute security-policies rules create, and gcloud compute security-policies rules delete.

Exporting Google Cloud Armor security policies

You can export a Google Cloud Armor security policy as a YAML or JSON file using the gcloud command line tool.

gcloud


In the following command, NAME is the name of the Google Cloud Armor security policy. Valid file formats are YAML and JSON. If you do not provide the file format, the correct format is assumed based on the file structure. If the structure is invalid or does not match YAML or JSON, you see an error.

gcloud compute security-policies export NAME \
    --file-name [FILE_NAME]  \
    --file-format [FILE_FORMAT]

For example:

gcloud compute security-policies export my-policy \
     --file-name=my-file \
     --file-format=yaml

After you modify the exported file, import it back to GCP using the import command.

Importing Google Cloud Armor security policies

You can import Google Cloud Armor security policies from a YAML or JSON file using the gcloud command line tool. Note that you cannot use the import command to update a policy's rules. Use the gcloud compute security-policies rules command instead.

gcloud


To import Google Cloud Armor security policies, use gcloud compute security-policies import NAME, where NAME is the name of the Google Cloud Armor security policy you are importing.

gcloud compute security-policies import NAME \
    --file-name=[FILE_NAME] \
    [--file-format=[FILE_FORMAT]]

For example, the following command updates the policy my-policy by importing the file my-file.

gcloud compute security-policies import my-policy \
    --file-name=my-file \
    --file-format=json

If the policy's fingerprint is out of date when you import it, an error is thrown. To fix this, use the describe command on the policy to get the latest fingerprint, then replace the outdated one with the current fingerprint.

Deleting Google Cloud Armor security policies

Use these instructions to delete a Google Cloud Armor security policy.

Console


To delete a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    You see the Google Cloud Armor Security Policies page.
  2. Next to the name of the Google Cloud Armor security policy you want to delete, select the checkbox.
  3. In the upper-right-hand corner of the display, click the Delete icon.

gcloud


Use gcloud compute security-policies delete [POLICY_NAME] to delete a security policy, where POLICY_NAME is the name of the Google Cloud Armor Security Policy.

gcloud compute security-policies delete NAME

Attaching a Google Cloud Armor security policy to a backend service

Use these instructions to attach a Google Cloud Armor security policy to a backend service. A Google Cloud Armor security policy can be attached to more than one backend service, but a backend service can have only one Google Cloud Armor security policy attached to it.

Console


To attach a policy to a backend service:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    You see the Google Cloud Armor Security Policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed.
  3. In the middle of the page, click the Targets tab.
  4. Click Apply policy to new target.
  5. Click Add Target.
  6. Click Select a target.
  7. Select the target.
  8. Click Add.

gcloud


Use the gcloud compute backend-services command to attach a security policy to a backend service.

gcloud compute backend-services update my-backend \
    --security-policy=my-policy

Removing a Google Cloud Armor security policy from a backend service

Use these instructions to remove a Google Cloud Armor security policy from a backend service.

Console


To remove a policy from a backend service:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    You see the Google Cloud Armor Security Policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed.
  3. In the middle of the page, click the Targets tab.
  4. Select the target backend service from which you are removing the policy.
  5. Click Remove.
  6. On the confirmation pop-up, click Remove.

gcloud


To remove a Google Cloud Armor security policy from the backend service my-backend:

gcloud compute backend-services update my-backend \
   --security-policy=""

Adding rules to a Google Cloud Armor security policy

Use these instructions to add rules to a Google Cloud Armor security policy.

Console


To add rules to a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    You see the Google Cloud Armor Security Policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed.
  3. In the middle of the page, click Add rule.
  4. Optionally, type a description of the rule.
  5. In the Match field, type in the IP addresses or range.
  6. In the Action section, select Allow or Deny.
  7. If you are creating a Deny rule, choose the Deny status.
  8. If you want to enable preview mode for the rule, check Enable.
  9. In the Priority field, type in a positive integer.
  10. Click Add.

gcloud


To add rules to a Google Cloud Armor security policy, use the command gcloud compute security-policies rules create [PRIORITY] where PRIORITY is the priority of the rule in the policy.

gcloud beta compute security-policies rules create [PRIORITY] \
   --security-policy=[POLICY_NAME] \
   --description=[DESCRIPTION] \
   --src-ip-ranges=[IP_RANGES] \
   --action=[ allow | deny-403 | deny-404 | deny-502 ] \
   --preview

The following command adds a rule to block traffic from IP address ranges 192.0.2.0/24 and 198.51.100.0/24. The rule has priority 1000 and is a rule in a policy called my-policy.

gcloud compute security-policies rules create 1000 \
   --security-policy my-policy \
   --src-ip-ranges "192.0.2.0/24","198.51.100.0/24" \
   --action "deny-403" \
   --description "block traffic from 192.0.2.0/24 and 198.51.100.0/24"

Listing the rules in a Google Cloud Armor security policy

Use these instructions to list the rules in a Google Cloud Armor security policy.

Console


To list the rules in a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    You see the Google Cloud Armor Security Policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed and the policy rules are listed in the middle of the page.

gcloud


Use the following gcloud command to list all rules in a single security policy along with a description of the policy.

gcloud compute security-policies describe [NAME]

Use the following gcloud command to describe a rule with the specified priority in the specified Google Cloud Armor security policy.

gcloud compute security-policies rules describe [PRIORITY] \
    --security-policy=[POLICY_NAME]

For example, the following command describes the rule with priority 1000 in the Google Cloud Armor security policy my-policy:

gcloud compute security-policies rules describe 1000 \
    --security-policy=my-policy

action: deny(403)
description: block traffic from 192.0.2.0/24 and 198.51.100.0/24
kind: compute#securityPolicyRule
match:
  srcIpRanges:
  - '192.0.2.0/24'
  - '198.51.100.0/24'
preview: false
priority: 1000

Updating rules

Use these instructions to update the rules in a Google Cloud Armor security policy.

Console


To update the rules in a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    You see the Google Cloud Armor Security Policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed.
  3. In the middle of the page, click the pencil icon next to the rule. The Edit rule page is displayed.
  4. Make the desired changes and click Update.

gcloud


Use this command to update a rule with the specified priority in a designated Google Cloud Armor security policy. You can only update one Google Cloud Armor security policy at a time using this command.

gcloud compute security-policies rules update [PRIORITY] \
   [--security-policy=[POLICY_NAME]] \
   [--src-ip-ranges=[IP_RANGES]] \
   [--action=[ allow | deny-403 | deny-404 | deny-502 ]] \
   [--description=[DESCRIPTION]] \
   [--preview]

For example, the following command updates a rule with priority 1111 to allow traffic from the IP address range 192.0.2.0/24.

gcloud compute security-policies rules update 1111 \
   --security-policy my-policy \
   --description "allow traffic from 192.0.2.0/24" \
   --src-ip-ranges "192.0.2.0/24" \
   --action "allow"

For more information about this command, see gcloud compute security-policies rules update.

To update all rules in a Google Cloud Armor security policy atomically, you can define a new policy in a JSON or YAML file, then import the file. This creates a new security policy. You can then switch the Google Cloud Armor security policy for the relevant backend service to the new policy using the gcloud command backend-services update.

Deleting rules

Use these instructions to delete rules from a Google Cloud Armor security policy.

Console


To delete a rule from a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    You see the Google Cloud Armor Security Policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed.
  3. In the middle of the page, select the checkbox next to the rule you want to delete.
  4. Click the Delete button.

gcloud


Use this command to remove a rule with the specified priority from a designated Google Cloud Armor security policy. You can modify only one security policy at a time, but you can delete multiple rules at once.

gcloud compute security-policies rules delete [PRIORITY] [PRIORITY ...] \
   [--security-policy=[POLICY_NAME]]

For example:

gcloud compute security-policies rules delete 1000 \
   --security-policy my-policy

Viewing logs

You can view logs only on the Console.

Console


To view the logs for a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    You see the Google Cloud Armor Security Policies page.
  2. Click the three-dot menu corresponding to the policy whose logs you want to see.
  3. Select View logs.

Troubleshooting

Use these instructions to troubleshoot issues with your Google Cloud Armor security policies.

Traffic is allowed despite a Deny rule configured in the Google Cloud Armor security policy

  1. Make sure that the Google Cloud Armor security policy is attached to a target backend service. For example, the following command describes all data associated with the backend service my-backend. The results returned should include the name of the Google Cloud Armor security policy associated with this backend service.

    gcloud compute backend-services describe my-backend
    
  2. Review the Stackdriver HTTP(S) logs to determine which policy and rule were matched for your traffic along with the associated action. Use the Stackdriver Logs Viewer to view the logs.

    Here is a sample log of an allowed request; the interesting fields are the ones under enforcedSecurityPolicy. Check for the following fields and make sure they match the rule you configured to deny the traffic:

    • configuredAction should match the action configured in the rule
    • outcome should match configuredAction above
    • priority should match the priority number of the rule
    • name should match the name of the Google Cloud Armor security policy attached to this backend service

    httpRequest:
      remoteIp: 104.133.0.95
      requestMethod: GET
      requestSize: '801'
      requestUrl: http://74.125.67.38/
      responseSize: '246'
      serverIp: 10.132.0.4
      status: 200
      userAgent: curl/7.35.0
    insertId: ajvis5ev4i60
    internalId:
      projectNumber: '895280006100'
    jsonPayload:
      '@type': type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry
      enforcedSecurityPolicy:
        configuredAction: ACCEPT
        name: mydev-policy-log-test1
        outcome: ACCEPT
        priority: 2147483647
      statusDetails: response_sent_by_backend
    logName: projects/mydev-staging/logs/requests
    resource:
      labels:
        backend_service_name: ''
        forwarding_rule_name: mydev-forwarding-rule
        project_id: mydev-staging
        target_proxy_name: mydev-target-http-proxy
        url_map_name: mydev-url-map
        zone: global
      type: http_load_balancer
    severity: INFO
    timestamp: '2017-04-18T18:57:05.845960288Z'
    
  3. Review the hierarchy of rules to ensure that the correct rule is matched. It is possible that a higher-priority rule with an allow action is matching your traffic. Use the gcloud compute security-policies describe command to see the contents of the Google Cloud Armor security policy.

    The following example shows how a higher-priority allow rule (at priority 100) matches traffic coming from the 1.2.3.4/32 IP address, preventing the lower-priority (at priority 200) deny rule from triggering and blocking the traffic.

    CIDR notation is required (in this example, 1.2.3.4/32). If you omit the CIDR prefix (the /32), the rule does not match the IP address.

    gcloud compute security-policies describe my-policy

    creationTimestamp: '2017-04-18T14:47:58.045-07:00'
    description: ''
    fingerprint: Yu5spBjdoC0=
    id: '2560355463394441057'
    kind: compute#securityPolicy
    name: my-policy
    rules:
    - action: allow
      description: allow high priority rule
      kind: compute#securityPolicyRule
      match:
        srcIpRanges:
        - '1.2.3.4/32'
      preview: false
      priority: 100
    - action: deny
      description: deny lower priority rule
      kind: compute#securityPolicyRule
      match:
        srcIpRanges:
        - '1.2.3.0/24'
      preview: false
      priority: 200
    - action: deny
      description: default rule
      kind: compute#securityPolicyRule
      match:
        srcIpRanges:
        - '*'
      preview: false
      priority: 2147483647
    selfLink: http://www.googleapis.com/compute/projects/my-project-devconsole/global/securityPolicies/sp
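The rule-ordering and --preview semantics stated above, and the log-field checks of troubleshooting step 2, replayed offline as an added example (this is not Google's code and does not call gcloud): it evaluates a policy in the shape of the describe output against client addresses, treats preview rules as log-only, rejects a source range that lacks a CIDR prefix, and flags a log entry whose enforcedSecurityPolicy block disagrees with what the policy predicts. The sample policy, the two log entries and the DENY spelling of a logged deny action are constructed assumptions.

```python
"""Cloud Armor rule evaluation as this page describes it (added example, not Google's code).

Lowest priority number wins, a preview-mode rule is logged but not enforced, srcIpRanges
must be CIDR (a bare address without a prefix does not match) and '*' is the default rule.
"""
import ipaddress

# Constructed sample policy: the rules from the troubleshooting section, plus a
# preview-mode deny at priority 50 to show that preview rules are not enforced.
MY_POLICY = {
    "name": "my-policy",
    "rules": [
        {"priority": 50, "action": "deny(403)", "preview": True,
         "description": "preview-only deny", "match": {"srcIpRanges": ["1.2.3.4/32"]}},
        {"priority": 100, "action": "allow", "preview": False,
         "description": "allow high priority rule", "match": {"srcIpRanges": ["1.2.3.4/32"]}},
        {"priority": 200, "action": "deny(403)", "preview": False,
         "description": "deny lower priority rule", "match": {"srcIpRanges": ["1.2.3.0/24"]}},
        {"priority": 2147483647, "action": "deny(403)", "preview": False,
         "description": "default rule", "match": {"srcIpRanges": ["*"]}},
    ],
}


def range_matches(src_range, remote_ip):
    """True if remote_ip falls inside src_range ('*' matches everything)."""
    if src_range == "*":
        return True
    if "/" not in src_range:
        return False  # as the page states: without a CIDR prefix the rule does not match
    try:
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(src_range, strict=False)
    except ValueError:
        return False


def evaluate(policy, remote_ip):
    """Return (enforced_rule, previewed_rules) for a client address: the lowest-numbered
    matching rule not in preview, and the matching preview rules ahead of it (only logged)."""
    previewed = []
    for rule in sorted(policy["rules"], key=lambda r: r["priority"]):
        if not any(range_matches(cidr, remote_ip) for cidr in rule["match"]["srcIpRanges"]):
            continue
        if rule.get("preview"):
            previewed.append(rule)
            continue
        return rule, previewed
    return None, previewed  # only reachable if the policy has no '*' default rule


def log_mismatches(log_entry, policy):
    """Compare a log entry's enforcedSecurityPolicy block with what evaluate() predicts
    for its remoteIp. Assumption: a deny rule is logged as configuredAction DENY."""
    enforced = log_entry["jsonPayload"]["enforcedSecurityPolicy"]
    expected, _ = evaluate(policy, log_entry["httpRequest"]["remoteIp"])
    expected_action = "ACCEPT" if expected["action"] == "allow" else "DENY"
    checks = [
        ("name", enforced["name"], policy["name"]),
        ("priority", enforced["priority"], expected["priority"]),
        ("configuredAction", enforced["configuredAction"], expected_action),
        ("outcome", enforced["outcome"], enforced["configuredAction"]),
    ]
    return [f"{field}: logged {got!r}, expected {want!r}" for field, got, want in checks if got != want]


# Constructed log entries in the shape of the page's sample, trimmed to the fields used.
LOG_OK = {"httpRequest": {"remoteIp": "1.2.3.4"},
          "jsonPayload": {"enforcedSecurityPolicy": {"configuredAction": "ACCEPT",
              "name": "my-policy", "outcome": "ACCEPT", "priority": 100}}}
# 1.2.3.7 should have hit the priority-200 deny, but this entry shows a different
# policy's default rule accepting it: the wrong policy is attached to the backend service.
LOG_BAD = {"httpRequest": {"remoteIp": "1.2.3.7"},
           "jsonPayload": {"enforcedSecurityPolicy": {"configuredAction": "ACCEPT",
               "name": "other-policy", "outcome": "ACCEPT", "priority": 2147483647}}}

if __name__ == "__main__":
    for ip in ("1.2.3.4", "1.2.3.7", "203.0.113.9"):
        rule, previewed = evaluate(MY_POLICY, ip)
        print(ip, "->", rule["action"], "at priority", rule["priority"],
              "preview hits:", [p["priority"] for p in previewed])
    print("mismatches:", log_mismatches(LOG_BAD, MY_POLICY))
```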

Added rule is not visible in a security policy

If a rule you added is not visible in a security policy, check the number of rules for all security policies in your project, to ensure that you have not exceeded the rules quota.

  1. List all of the security policies configured for the project. For example:

    gcloud compute security-policies list
    
    NAME
    my-policy-1
    my-policy-2
    my-policy-3
    
  2. For each security policy returned by the previous command, list the rules.

    gcloud compute security-policies describe my-policy

    creationTimestamp: '2017-04-18T14:47:58.045-07:00'
    description: ''
    fingerprint: Yu5spBjdoC0=
    id: '2560355463394441057'
    kind: compute#securityPolicy
    name: my-policy
    rules:
    - action: allow
      description: default rule
      kind: compute#securityPolicyRule
      match:
        srcIpRanges:
        - '*'
      preview: false
      priority: 2147483647
    selfLink: http://www.googleapis.com/compute/v1/projects/bigclustertestdev0-devconsole/global/securityPolicies/sp
  3. Repeat step 2 for each security policy listed in step 1.
