Configuring Google Cloud Armor security policies

Use these instructions to filter incoming traffic to HTTP(S) Load Balancing by creating Google Cloud Armor security policies. For conceptual information about Google Cloud Armor security policies, see Google Cloud Armor security policy Concepts.

For information about configuring Google Cloud Armor on GKE, see Configuring Google Cloud Armor.

IAM permissions for Google Cloud Armor security policies

The following operations require the role Security Admin (roles/compute.securityAdmin):

  • Creating, modifying, updating, and deleting a Google Cloud Armor security policy
  • API methods allowed:
    • SecurityPolicies insert
    • SecurityPolicies delete
    • SecurityPolicies patch
    • SecurityPolicies addRule
    • SecurityPolicies patchRule
    • SecurityPolicies removeRule

A user with the Network Admin role (roles/compute.networkAdmin) can perform the following operations:

  • Setting a Google Cloud Armor security policy for a backend service
  • API methods allowed:
    • BackendServices setSecurityPolicy

Users with the roles Security Admin and Network Admin can view Google Cloud Armor security policies using the API methods SecurityPolicies get, list, and getRule.

IAM permissions for custom roles

The following table lists the base IAM roles' base permissions and their associated API methods.

IAM Permission API Methods
compute.securityPolicies.create SecurityPolicies insert
compute.securityPolicies.delete SecurityPolicies delete
compute.securityPolicies.get SecurityPolicies get
SecurityPolicies getRule
compute.securityPolicies.list SecurityPolicies list
compute.securityPolicies.use BackendServices setSecurityPolicy
compute.securityPolicies.update SecurityPolicies patch
SecurityPolicies addRule
SecurityPolicies patchRule
SecurityPolicies removeRule
compute.backendServices.setSecurityPolicy BackendServices setSecurityPolicy

Configuring Google Cloud Armor Security Policies for HTTP(S) Load Balancing

At a high level, these are the steps for configuring Google Cloud Armor Security Policies to enable rules that allow or deny traffic to HTTP(S) Load Balancing.

  1. Create a Google Cloud Armor Security Policy.
  2. Add rules to the policy based on IP lists, custom expressions, or preconfigured expression sets.
  3. Attach the Google Cloud Armor security policy to a backend service of the HTTP(S) load balancer for which you want to control access.
  4. Update the Google Cloud Armor security policy as needed.

In the following example, you create two Google Cloud Armor Security Policies and apply them to different backend services.

Example in which two Google Cloud Armor security policies are applied to different backend services
Example in which two Google Cloud Armor security policies are applied to different backend services (click to enlarge)

In the example, these are the Google Cloud Armor security policies:

  • mobile-clients-policy applies to external users of your games services
  • internal-users-policy applies to your organization's test-network team

You apply mobile-clients-policy to the games service, whose backend service is called games, and you apply internal-users-policy to the internal test service for the testing team, whose corresponding backend service is called test-network.

If the backend instances for a backend service are in multiple regions, then the Google Cloud Armor security policy associated with the service is applicable to instances in all regions. In the example above, the Google Cloud Armor security policy mobile-clients-policy is applicable to instances 1, 2, 3, and 4 in us-central and to instances 5 and 6 in us-east.

Note that Google Cloud Armor is not supported with Cloud CDN. If you try to associate a Google Cloud Armor security policy for a backend service and Cloud CDN is enabled, the configuration is rejected.

Creating the example

Use these instructions to create the example discussed in the previous section.

Console


To create the example configuration, follow these steps:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    Go to the Network Security page
    You see the Security policies page.
  2. Click Create policy.
  3. In the Name field, type mobile-client-policy.
  4. In the Description field, type policy for external users.
  5. Click Deny.
  6. Click Next step.
  7. Click Add rule.
  8. In the Description field, type allow traffic from 192.0.2.0/24.
  9. For the Mode, select Basic mode (IP addresses/ranges only).
  10. In the Match field, type 192.0.2.0/24.
  11. For the Action, select Allow.
  12. In the Priority field, type 1000.
  13. Click Done.
  14. Click Next step.
  15. Click Add target.
  16. Select a Target from the drop-down list.
  17. Click Done.
  18. Click Create policy. You see the Security policies page in the Console.
  19. In the Name field, type internal-users-policy.
  20. In the Description field, type Policy for internal test users.
  21. Click Deny.
  22. Click Next step.
  23. Click Add rule.
  24. In the Description field, type allow traffic from 198.51.100.0/24.
  25. For the Mode, select Basic mode (IP addresses/ranges only).
  26. In the Match field, type 198.51.100.0/24.
  27. For the Action, select Allow.
  28. Check Enable.
  29. In the Priority field, type 1000.
  30. Click Done.
  31. Click Next step.
  32. Click Add target.
  33. Select a Target from the drop-down list.
  34. Click Done.
  35. Click Create policy. You see the Security policies page in the Console.

gcloud


  1. Create the Google Cloud Armor security policies.

    gcloud compute security-policies create mobile-clients-policy \
        --description "policy for external users"
    
    gcloud compute security-policies create internal-users-policy \
        --description "policy for internal test users"
    
  2. Update the default rules to the Google Cloud Armor security policies to deny traffic.

    gcloud compute security-policies rules update 2147483647 \
        --security-policy mobile-clients-policy \
        --action "deny-404"
    
    gcloud compute security-policies rules update 2147483647 \
        --security-policy internal-users-policy \
        --action "deny-502"
    
  3. Add rules to the Google Cloud Armor security policies.

    gcloud compute security-policies rules create 1000 \
        --security-policy mobile-clients-policy \
        --description "allow traffic from 192.0.2.0/24" \
        --src-ip-ranges "192.0.2.0/24" \
        --action "allow"
    
    gcloud compute security-policies rules create 1000 \
        --security-policy internal-users-policy \
        --description "allow traffic from 198.51.100.0/24" \
        --src-ip-ranges "198.51.100.0/24" \
        --action "allow"
    
  4. Attach the Google Cloud Armor security policies to the backend services.

    gcloud compute backend-services update games \
        --security-policy mobile-clients-policy
    
    gcloud compute backend-services update test-network \
        --security-policy internal-users-policy
    

Configuring Google Cloud Armor for GKE

You can configure Google Cloud Armor security policies forGKE using the following high-level procedure.

  1. Configure a Google Cloud Armor security policy with rules using the REST API or gcloud command line tool.
  2. Create an Ingress resource in GKE.
  3. Determine which backend services are associated with the Ingress resource.

    1. Retrieve the configuration of the Ingress resource:

      kubectl describe ingress [INGRESS_NAME]
      
    2. Note the values in the backends field of the "Annotations" section of the output. These are the names of the backend services used.

  4. Using the REST API or gcloud command line tool, attach the Google Cloud Armor security policy to each of the backends noted in the previous step.

If a Kubernetes Ingress resource is deleted and then recreated, the security policy must be reapplied to the new backend service or services.

For more information see Configuring Google Cloud Armor through Ingress

Creating Google Cloud Armor security policies, rules, and expressions

You can create Google Cloud Armor security policies, rules and expressions using the Google Cloud Platform Console, the gcloud command line tool, or the REST API.

The following are sample expressions. For more information on expressions, see the Google Cloud Armor rules language.

  • The following expression matches against requests from the IP address 1.2.3.4 and contains the string Godzilla in the user-agent header:

    inIpRange(origin.ip, '1.2.3.4/32') && \
    request.headers['user-agent'].contains('Godzilla')
    
  • The following expression matches against requests that have a cookie with a specific value:

    request.headers['cookie'].contains('cookie_name=cookie_value')
    
  • The following expression matches against requests from the region AU:

    origin.region_code == 'AU'
    
  • The following expression matches against requests from the region AU and not in the specified IP range:

    request.region_code == "AU" && !inIpRange(origin.ip, '1.2.3.0/24')
    
  • The following expression matches against requests if the URI matches a regular expression:

    request.path.matches('/bad_path/)')
    
  • The following expression matches against requests if the Base64 decoded value of the user-id header contains a specific value:

    request.headers['user-id'].base64Decode().contains('myValue')
    
  • The following expression uses a preconfigured expression set match against SQLi attacks:

    evaluatePreconfiguredExpr('sqli-canary')
    

Console


To create Google Cloud Armor security policies and rules and attach the Google Cloud Armor security policy to a target:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    Go to the Network Security page
    You see the Security policies page.
  2. Click Create policy.
  3. In the Name field, type the name of your policy.
  4. Optionally, type a description of the policy.
  5. Select Allow for a default rule that permits access or Deny for a default rule that forbids access to an IP address or IP address range.

    The default rule is the lowest priority rule that takes effect only if no other rule applies.

  6. If you are creating a Deny rule, choose the Deny status. This is the error message that Google Cloud Armor displays if a user without access tries to gain access.

  7. Regardless of the type of rule you are creating, click Next step.

  8. Click Add rule to configure additional rules for the security policy.

  9. Optionally, type a Description for the rule.

  10. Select the mode.

    • Basic mode — allow or deny traffic based on IP addresses or ranges.
    • Advanced mode — allow or deny traffic based on rule expressions.
  11. In the Match field, specify the conditions under which the rule applies.

    • Basic mode — type IP address ranges to match in the rule.
    • Advanced mode — type an expression or sub-expressions to evaluate against incoming requests. See the Google Cloud Armor rules language for information about how to write the expressions.
  12. Select Allow or Deny to allow or deny traffic if the rule matches.

  13. To enable preview mode, check Enable. In preview mode, you can see how the rule behaves, but the rule is not enabled.

  14. Type the rule's Priority. This can be any positive integer from 0 to 2,147,483,646 inclusive. For more information about the evaluation order, see Rule priority and evaluation order.

  15. Click Done.

  16. To add more rules, click Add rule and repeat the steps above. Otherwise, click Next step.

  17. Click Add target.

  18. Select a Target from the drop-down list.

  19. To add more targets, click Add target.

  20. Click Done.

  21. Click Create policy.

gcloud


  1. To create a new Google Cloud Armor security policy, use the command gcloud compute security-policies create, where NAME is the name of the Google Cloud Armor security policy.

    gcloud compute security-policies create [NAME] \
        [--file-format=[FILE_FORMAT] | --description=[DESCRIPTION]] \
        [--file-name=[FILE_NAME]]
    

    For example:

    gcloud compute security-policies create my-policy \
       --description "block bad traffic"
    
  2. To add rules to a Google Cloud Armor security policy, use the command gcloud compute security-policies rules create PRIORITY where PRIORITY is the priority assigned to the rule in the policy. For information on how rule priority works, see About Google Cloud Armor Security Policies.

    gcloud compute security-policies rules create [PRIORITY]  \
       [--security-policy [POLICY_NAME]] \
       [--description [DESCRIPTION]] \
       --src-ip-ranges [IP_RANGE,...] | --expression [EXPRESSION] \
       --action=[ allow | deny-403 | deny-404 | deny-502 ]  \
       [--preview]
    

    The following command adds a rule to block traffic from IP address ranges 192.0.2.0/24 and 198.51.100.0/24. The rule has priority 1000 and it is a rule in a policy called my-policy.

    gcloud compute security-policies rules create 1000 \
       --security-policy my-policy \
       --description "block traffic from 192.0.2.0/24 and 198.51.100.0/24" \
       --src-ip-ranges "192.0.2.0/24","198.51.100.0/24" \
       --action "deny-403"
    

    With the --preview flag added, the rule is added to the policy, but not enforced, and any traffic that triggers the rule is only logged.

    gcloud compute security-policies rules create 1000 \
       --security-policy my-policy \
       --description "block traffic from 192.0.2.0/24 and 198.51.100.0/24" \
       --src-ip-ranges "192.0.2.0/24","198.51.100.0/24" \
       --action "deny-403" \
       --preview
    

    Use the --expression flag to specify a custom condition in the Google Cloud Armor rules language. The following command adds a rule to allow traffic from the IP address 1.2.3.4 and contains the string Godzilla in the user-agent header:

    gcloud beta compute security-policies rules create 1000 \
       --security-policy my-policy \
       --expression "inIpRange(origin.ip, '1.2.3.4/32') && \
         request.headers['user-agent'].contains('Godzilla')" \
       --action allow \
       --description "Block User-Agent 'Godzilla'"
    

    The following command adds a rule to block requests if the request's cookie contains a specific value:

    gcloud beta compute security-policies rules create 1000 \
       --security-policy my-policy \
       --expression "request.headers['cookie'].contains('cookie_name=cookie_value')" \
       --action "deny-403" \
       --description "Cookie Block"
    

    The following command adds a rule to block requests from the region AU:

    gcloud beta compute security-policies rules create 1000 \
       --security-policy my-policy \
       --expression "origin.region_code == 'AU'" \
       --action "deny-403" \
       --description "AU block"
    

    The following command adds a rule to block requests from the region AU and not in the specified IP range:

    gcloud beta compute security-policies rules create 1000 \
       --security-policy my-policy \
       --expression "origin.region_code == 'AU' && !inIpRange(origin.ip, '1.2.3.0/24')" \
       --action "deny-403" \
       --description "country and IP block"
    

    The following command adds a rule to block requests with a URI that matches a regular expression:

    gcloud beta compute security-policies rules create 1000 \
       --security-policy my-policy \
       --expression "request.path.matches('/bad_path/)')" \
       --action "deny-403" \
       --description "regex block"
    

    The following command adds a rule to block requests if the Base64 decoded value of the user-id header contains a specific value:

    gcloud compute security-policies rules create 1000 \
       --security-policy my-policy \
       --expression "request.headers['user-id'].base64Decode().contains('myValue')" \
       --action "deny-403" \
       --description "country and IP block"
    

    The following command adds a rule that uses a preconfigured expression set to mitigate SQLi attacks:

    gcloud beta compute security-policies rules create 1000 \
       --security-policy my-policy \
       --expression "evaluatePreconfiguredExpr('sqli-canary')" \
       --action "deny-403"
    

Listing the available preconfigured rules

List preconfigured rules to view the predefined application protection rules and signatures such as the ModSecurity Core Rule Set that Google Cloud Armor provides. These preconfigured rules contain multiple built-in signatures that Google Cloud Armor uses to evaluate against incoming requests. You add these preconfigured rules to new or existing rules by using the Google Cloud Armor custom rules language.

For more information, see Preconfigured rules.

gcloud


  1. Run the gcloud beta compute security-policies list-preconfigured-expression-sets command.

    gcloud beta compute security-policies list-preconfigured-expression-sets
    

    The follow example shows the output from the command:

    EXPRESSION_SET
    expression-set-1
       RULE_ID
       expression-set-1-id-1
       expression-set-1-id-2
    expression-set-2
       alias-1
       RULE_ID
       expression-set-2-id-1
       expression-set-2-id-2
    

Listing Google Cloud Armor security policies

Use these instructions to list Google Cloud Armor security policies.

Console


  1. Go to the Network Security page in the Google Cloud Platform Console.
    Go to the Network Security page
    You see the Security policies page and a list of policies.

  2. To view a particular policy, click its name.

gcloud


To list all configured Google Cloud Armor security policies:

gcloud compute security-policies list

For example:

gcloud compute security-policies list
NAME
my-policy

For more information, see gcloud compute security-policies list

Updating Google Cloud Armor security policies

Use these instructions to update a Google Cloud Armor Security Policy. For example, you can modify the policy's description, modify the default rule's behavior, change the target backend service, or add new rules.

Console


To update a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page and a list of policies.
  2. Click the three-dot menu corresponding to the policy you want to update.

    1. To update the policy description of the default rule action, select Edit, make the desired changes, and click Update.
    2. To add a rule, select Add rule, then follow the instructions above for adding a rule to a policy from the Console.
    3. To change the target backend service for the Google Cloud Armor security policy, select Apply policy to target, then add a new target and click Add.

gcloud


To update a Google Cloud Armor security policy with the gcloud command line tool, use the following instructions:

Exporting Google Cloud Armor security policies

You can export a Google Cloud Armor security policy as a YAML or JSON file by using the gcloud command line tool. Exporting a policy enables you to retrieve a copy of it that you can modify or save in source control.

gcloud


  1. In the following command, NAME is the name of the Google Cloud Armor security policy. Valid file formats are YAML and JSON. If you do not provide the file format, Google Cloud Armor uses the default YAML.

    gcloud compute security-policies export NAME \
        --file-name [FILE_NAME]  \
        --file-format [FILE_FORMAT]
    

    The following command exports the my-policy security policy to the my-file file in the YAML format:

    gcloud compute security-policies export my-policy \
         --file-name my-file \
         --file-format yaml
     

    The following example shows an exported security policy:

    description: my description
    fingerprint: PWfLGDWQDLY=
    id: '123'
    name: my-policy
    rules:

    • action: allow description: default rule match: config: srcIpRanges: - '*' versionedExpr: SRC_IPS_V1 preview: false priority: 2147483647 selfLink: https://www.googleapis.com/compute/beta/projects/my-project/global/securityPolicies/my-policy
  2. You can modify the exported file with any text editor, and then import it back to GCP by using the import command.

Importing Google Cloud Armor security policies

You can import Google Cloud Armor security policies from a YAML or JSON file by using the gcloud command line tool. You can't use the import command to update an existing policy's rules. Instead, you must update rules one by one by using the Update rules procedure or all at once by using the Atomically update rules in a Google Cloud Armor Security Policy procedure.

gcloud


To import Google Cloud Armor security policies, use the gcloud compute security-policies import NAME command, where NAME is the name of the Google Cloud Armor security policy you are importing. If you do not provide the file format, the correct format is assumed based on the file structure. If the structure is invalid, you see an error.

gcloud compute security-policies import NAME \
   --file-name [FILE_NAME] \
  [--file-format [FILE_FORMAT]]

For example, the following command updates the policy my-policy by importing the file my-file.

gcloud compute security-policies import my-policy \
    --file-name my-file \
    --file-format json

If the policy's fingerprint is out of date when you import it, Google Cloud Armor shows an error. This means that the policy has been modified since you last exported it. To fix this, use the describe command on the policy to get the latest fingerprint. Merge any differences between the described policy and your policy, and then replace the outdated fingerprint with the latest one.

Deleting Google Cloud Armor security policies

Use these instructions to delete a Google Cloud Armor security policy. You must remove all backend services from the policy before you can delete it.

Console


To delete a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page.
  2. Next to the name of the Google Cloud Armor security policy you want to delete, select the checkbox.
  3. In the upper-right-hand corner of the display, click the Delete icon.

gcloud


Use gcloud compute security-policies delete NAME to delete a security policy, where NAME is the name of the Google Cloud Armor Security Policy.

gcloud compute security-policies delete NAME

Attaching a Google Cloud Armor security policy to a backend service

Use these instructions to attach a Google Cloud Armor security policy to a backend service. A Google Cloud Armor security policy can be attached to more than one backend service, but a backend service can have only one Google Cloud Armor security policy attached to it.

Console


To attach a policy to a backend service:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed.
  3. In the middle of the page, click the Targets tab.
  4. Click Apply policy to new target.
  5. Click Add Target.
  6. Click Select a target.
  7. Select the target.
  8. Click Add.

gcloud


Use the gcloud compute backend-services command to attach a security policy to a backend service.

gcloud compute backend-services update my-backend \
    --security-policy my-policy

Removing a Google Cloud Armor security policy from a backend service

Use these instructions to remove a Google Cloud Armor security policy from a backend service.

Console


To remove a policy from a backend service:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed.
  3. In the middle of the page, click the Targets tab.
  4. Select the target backend service from which you are removing the policy.
  5. Click Remove.
  6. On the confirmation pop-up, click Remove.

gcloud


To remove a Google Cloud Armor security policy from the backend service my-backend:

gcloud compute backend-services update my-backend \
   --security-policy ""

Adding rules to a Google Cloud Armor security policy

Use these instructions to add rules to a Google Cloud Armor security policy.

Console


To add rules to a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed.
  3. In the middle of the page, click Add rule.
  4. Optionally, type a description of the rule.
  5. Select the mode.

    • Basic mode — allow or deny traffic based on IP addresses or ranges.
    • Advanced mode — allow or deny traffic based on rule expressions.
  6. In the Match field, specify the conditions under which the rule applies.

    • Basic mode — type from one (1) to five (5) IP address ranges to match in the rule.
    • Advanced mode — type an expression or sub-expressions to evaluate against incoming requests. See the Google Cloud Armor rules language for information about how to write the expressions and read the following examples:

      • The following expression matches against requests from the IP address 1.2.3.4 and contains the string Godzilla in the user-agent header:

        inIpRange(origin.ip, '1.2.3.4/32') && \
        request.headers['user-agent'].contains('Godzilla')
        
      • The following expression matches against requests that have a cookie with a specific value:

        request.headers['cookie'].contains('cookie_name=cookie_value')
        
      • The following expression matches against requests from the region AU:

        origin.region_code == 'AU'
        
      • The following expression matches against requests from the region AU and not in the specified IP range:

        request.region_code == "AU" && !inIpRange(origin.ip, '1.2.3.0/24')
        
      • The following expression matches against requests if the URI matches a regular expression:

        request.path.matches('/bad_path/)')
        
      • The following expression matches against requests if the Base64 decoded value of the user-id header contains a specific value:

        request.headers['user-id'].base64Decode().contains('myValue')
        
      • The following expression uses a preconfigured expression set to match against SQLi attacks:

        evaluatePreconfiguredExpr('sqli-canary')
        
  7. In the Action section, select Allow or Deny.

  8. If you are creating a Deny rule, choose the Deny status.

  9. If you want to enable preview mode for the rule, check Enable.

  10. In the Priority field, type in a positive integer.

  11. Click Add.

gcloud


To add rules to a Google Cloud Armor security policy, use the command gcloud beta compute security-policies rules create PRIORITY where PRIORITY is the priority of the rule in the policy.

gcloud beta compute security-policies rules create PRIORITY \
   --security-policy [POLICY_NAME} \
   --description [DESCRIPTION] \
   --src-ip-ranges [IP_RANGES] | --expression [EXPRESSION] \
   --action=[ allow | deny-403 | deny-404 | deny-502 ] \
   --preview

The following command adds a rule to block traffic from IP address ranges 192.0.2.0/24 and 198.51.100.0/24. The rule has priority 1000 and is a rule in a policy called my-policy.

gcloud compute security-policies rules create 1000 \
   --security-policy my-policy \
   --description "block traffic from 192.0.2.0/24 and 198.51.100.0/24" \
   --src-ip-ranges "192.0.2.0/24","198.51.100.0/24" \
   --action "deny-403"

Use the --expression flag to specify a condition in the Google Cloud Armor rules language. The following command adds a rule to allow traffic from the IP address 1.2.3.4 and contains the string Godzilla in the user-agent header:

gcloud beta compute security-policies rules create 1000 \
   --security-policy my-policy \
   --expression "inIpRange(origin.ip, '1.2.3.4/32') && \
     request.headers['user-agent'].contains('Godzilla')" \
   --action allow \
   --description "Block User-Agent 'Godzilla'"

The following command adds a rule to block requests if the request's cookie contains a specific value:

gcloud beta compute security-policies rules create 1000 \
   --security-policy my-policy \
   --expression "request.headers['cookie'].contains('80=BLAH')" \
   --action deny \
   --description "Cookie Block"

The following command adds a rule to block requests from the region AU:

gcloud beta compute security-policies rules create 1000 \
   --security-policy my-policy \
   --expression "origin.region_code == 'AU'" \
   --action deny \
   --description "AU block"

The following command adds a rule to block requests from the region AU and not in the specified IP range:

gcloud beta compute security-policies rules create 1000 \
   --security-policy my-policy \
   --expression "request.region_code == "AU" && !inIpRange(origin.ip, '1.2.3.0/24')" \
   --action deny \
   --description "country and IP block"

The following command adds a rule to block requests with a URI that matches a regular expression:

gcloud beta compute security-policies rules create 1000 \
   --security-policy my-policy \
   --expression "request.path.matches('/bad_path/)')" \
   --action deny \
   --description "regex block"

The following command adds a rule to block requests if the Base64 decoded value of the user-id header contains a specific value:

gcloud beta compute security-policies rules create 1000 \
   --security-policy my-policy \
   --expression "request.headers['user-id'].base64Decode().contains('myValue')" \
   --action deny \
   --description "country and IP block"

The following command adds a rule that uses a preconfigured expression set to mitigate SQLi attacks:

gcloud beta compute security-policies rules create 1000 \
   --security-policy my-policy \
   --expression "evaluatePreconfiguredExpr('sqli-canary')" \
   --action deny

Listing the rules in a Google Cloud Armor security policy

Use these instructions to list the rules in a Google Cloud Armor security policy.

Console


To list the rules in a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed and the policy rules are listed in the middle of the page.

gcloud


Use the following gcloud command to list all rules in a single security policy along with a description of the policy.

gcloud compute security-policies describe [NAME] \

Use the following gcloud command to describe a rule with the specified priority in the specified Google Cloud Armor security policy.

gcloud compute security-policies rules describe [PRIORITY] \
    --security-policy [POLICY_NAME]

For example, the following command describes the rule with priority 1000 in the Google Cloud Armor security policy my-policy:

gcloud compute security-policies rules describe 1000 \
    --security-policy my-policy

action: deny(403)
description: block traffic from 192.0.2.0/24 and 198.51.100.0/24
kind: compute#securityPolicyRule
match:
  srcIpRanges:

  • '192.0.2.0/24'
  • '198.51.100.0/24' preview: false priority: 1000

Updating a single rule

Use these instructions to update a single rule in a Google Cloud Armor security policy. To atomically update multiple rules, see Atomically update rules in a Google Cloud Armor security policy.

Console


To update a rule:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed.
  3. In the middle of the page, click the pencil icon next to the rule. The Edit rule page is displayed.
  4. Make the desired changes and click Update.

gcloud


Use this command to update a rule with the specified priority in a designated Google Cloud Armor security policy. You can only update one Google Cloud Armor security policy at a time using this command.

gcloud beta compute security-policies rules update [PRIORITY] [ \
   --security-policy [POLICY_NAME]  \
   --description [DESCRIPTION]  \
   --src-ip-ranges [IP_RANGES]  | --expression [EXPRESSION] \
   --action=[ allow | deny-403 | deny-404 | deny-502 ]  \
   --preview
  ]
  

For example, the following command updates a rule with priority 1111 to allow traffic from the IP address range 192.0.2.0/24.

gcloud compute security-policies rules update 1111 \
   --security-policy my-policy \
   --description "allow traffic from 192.0.2.0/24" \
   --src-ip-ranges "192.0.2.0/24" \
   --action "allow"

For more information about this command, see gcloud compute security-policies rules update

To update the priority of a rule, you must use the REST API. See securityPolicies.patchRule for more information.

Atomically updating multiple rules in a Google Cloud Armor security policy

An atomic update applies changes to multiple rules in a single update. If you were to update rules one by one, you might see some unintended behavior because old and new rules might be working together for a short period of time.

To atomically update multiple rules, export the current Google Cloud Armor security policy to a JSON or YAML file, and then modify it. Use the modified file to create a new Google Cloud Armor security policy, and then switch the security policy for the relevant backend services.

gcloud


  1. Export the policy to update, as shown in the following example:

    gcloud compute security-policies export my-policy \
         --file-name my-file \
         --file-format yaml
    

    The exported policy will look similar to the following example:

    description: my description
    fingerprint: PWfLGDWQDLY=
    id: '123'
    name: my-policy
    rules:

    • action: deny(404) description: my-rule-1 match: expr: expression: evaluatePreconfiguredExpr('xss-canary') versionedExpr: SRC_IPS_V1 preview: false priority: 1
    • action: allow description: my-rule-2 match: config: srcIpRanges:
      • '1.2.3.4' versionedExpr: SRC_IPS_V1 preview: false priority: 2
    • action: deny description: default rule kind: compute#securityPolicyRule match: config: srcIpRanges:
      • '*' versionedExpr: SRC_IPS_V1 preview: false priority: 2147483647 selfLink: https://www.googleapis.com/compute/beta/projects/my-project/global/securityPolicies/my-policy
  2. Use any text editor to modify the policy. For example, you can modify the the priorities of the existing rules and add a new rule:

    description: my description
    fingerprint: PWfLGDWQDLY=
    id: '123'
    name: my-policy
    rules:

    • action: deny(404) description: my-rule-1 match: expr: expression: evaluatePreconfiguredExpr('xss-canary') versionedExpr: SRC_IPS_V1 preview: false priority: 1
    • action: allow description: my-new-rule match: config: srcIpRanges:
      • '1.2.3.1' versionedExpr: SRC_IPS_V1 preview: false priority: 10
    • action: allow description: my-rule-2 match: config: srcIpRanges:
      • '1.2.3.4' versionedExpr: SRC_IPS_V1 preview: false priority: 11
    • action: deny description: default rule kind: compute#securityPolicyRule match: config: srcIpRanges:
      • '*' versionedExpr: SRC_IPS_V1 preview: false priority: 2147483647 selfLink: https://www.googleapis.com/compute/beta/projects/my-project/global/securityPolicies/my-policy
  3. Create a new Google Cloud Armor Security Policy and specify the modified file name and format, as shown in the following example:

    gcloud compute security-policies create new-policy \
       --description "allow-listed traffic" \
       --file-name modified-policy \
       --file-format yaml
    
  4. Remove the old security policy from the relevant backend service, as shown in the following example:

    gcloud compute backend-services update my-backend \
       --security-policy ""
    
  5. Add the new security policy to the backend service, as shown in the following example:

    gcloud compute backend-services update my-backend \
        --security-policy new-policy
    
  6. If the old policy is unused, delete it:

    gcloud compute security-policies delete my-policy
    

Deleting rules

Use these instructions to delete rules from a Google Cloud Armor Security Policy.

Console


To delete a rule from a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed.
  3. In the middle of the page, select the checkbox next to the rule you want to delete.
  4. Click the Delete button.

gcloud


Use this command to remove a rule with the specified priority from a designated Google Cloud Armor security policy. You can modify only one Google Cloud Armor security policy at a time, but you can delete multiple rules at once.

gcloud compute security-policies rules delete PRIORITY [...] [
   --security-policy [POLICY_NAME] \
  ]

For example:

gcloud compute security-policies rules delete 1000 \
   --security-policy my-policy

Viewing logs

You can view logs only on the Console.

Console


To view the logs for a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Platform Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page.
  2. Click the three-dot menu corresponding to the policy whose logs you want to see.
  3. Select View logs.

Troubleshooting

Use these instructions to troubleshoot issues with your Google Cloud Armor security policies.

Traffic is allowed despite a Deny rule configured in the Google Cloud Armor security policy

  1. Make sure that the Google Cloud Armor security policy is attached to a target backend service. For example, the following command describes all data associated with the backend service my-backend. The results returned should include the name of the Google Cloud Armor security policy associated with this backend service.

    gcloud compute backend-services describe my-backend
    
  2. Review the Stackdriver HTTP(S) logs to determine which policy and rule were matched for your traffic along with the associated action. Use the Stackdriver Logs Viewer to view the logs.

    Here is a sample log of an allowed request with the interesting fields boldfaced. Check for the following fields and make sure they match the rule you configured to deny the traffic:

    • configuredAction should match the action configured in the rule
    • outcome should match configuredAction above
    • priority should match the priority number of the rule
    • name should match the name of the Google Cloud Armor security policy attached to this backend service
    httpRequest:
     remoteIp: 104.133.0.95
     requestMethod: GET
     requestSize: '801'
     requestUrl: http://74.125.67.38/
     responseSize: '246'
     serverIp: 10.132.0.4
     status: 200
     userAgent: curl/7.35.0
       insertId: ajvis5ev4i60
       internalId:
         projectNumber: '895280006100'
       jsonPayload:
         '@type': type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry
         **enforcedSecurityPolicy:
           configuredAction: ACCEPT
           name: mydev-policy-log-test1
           outcome: ACCEPT
           priority: 2147483647**
         statusDetails: response_sent_by_backend
       logName: projects/mydev-staging/logs/requests
       resource:
         labels:
           backend_service_name: ''
           forwarding_rule_name: mydev-forwarding-rule
           project_id: mydev-staging
           target_proxy_name: mydev-target-http-proxy
           url_map_name: mydev-url-map
           zone: global
         type: http_load_balancer
       severity: INFO
       timestamp: '2017-04-18T18:57:05.845960288Z'
    
  3. Review the hierarchy of rules to ensure that the correct rule is matched. It is possible that a higher priority rule with an allow action is matching your traffic. Use the describe command on the security-policies in gCloud to see the contents of the Google Cloud Armor security policy.

    For example, the following example shows how a higher-priority allow rule (at priority 100) matches traffic coming from 1.2.3.4 IP address, preventing the lower-priority (at priority 200) deny rule from triggering and blocking the traffic.

gcloud compute security-policies describe my-policy
creationTimestamp: '2017-04-18T14:47:58.045-07:00
description: ''
fingerprint: Yu5spBjdoC0=
id: '2560355463394441057'
kind: compute#securityPolicy
name: my-policy
rules:
- action: allow
  description: allow high priority rule
  kind: compute#securityPolicyRule
  match:
    srcIpRanges:
    - '1.2.3.4/32'
  preview: false
  priority: 100
- action: deny
  description: deny lower priority rule
  kind: compute#securityPolicyRule
  match:
    srcIpRanges:
    - '1.2.3.0/24
  preview: false
  priority: 200
- action: deny
  description: default rule
  kind: compute#securityPolicyRule
  match:
    srcIpRanges:
    - '*'
  preview: false
  priority: 2147483647
  selfLink: http://www.googleapis.com/compute/beta/projects/bigclustertestdev0-devconsole/global/securityPolicies/sp

Preconfigured rule returns false positives

XSS and SQLi detection are based on static signature matching on HTTP request headers and other L7 parameters. These regular expression patterns are prone to false positives. You can use the preconfigured rule for XSS and SQLi detection in preview mode and then check the Stackdriver log for any false positives.

If you find a false positive, you can compare the traffic content with the ModSecurity CRS rules. If the rule is invalid or not relevant, disable it by using the evaluatePreconfiguredExpr expression and specify the rule's ID in the exclude ID list argument.

After reviewing the logs and removing all false positives, disable the preview mode.

To add a preconfigured rule in preview mode:

  1. Create a security policy with the preconfigured expression set in preview mode:

    gcloud beta compute security-policies rules create 1000
       --security-policy my-policy
       --expression "evaluatePreconfiguredExpr('xss-canary')"
       --action deny
       --preview
    
  2. Review the Stackdriver HTTP(S) logs for HTTP request fields such as url and cookie. For example, the requestUrl compares positively to the ModSecurity CRS rule ID 941180:

    httpRequest:
      remoteIp: 104.133.0.95
      requestMethod: GET
      requestSize: '801'
      requestUrl: http://74.125.67.38/foo?document.cookie=1010"
      responseSize: '246'
      serverIp: 10.132.0.4
      status: 200
      userAgent: curl/7.35.0
    insertId: ajvis5ev4i60
    internalId:
      projectNumber: '895280006100'
    jsonPayload:
      '@type': type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry
      enforcedSecurityPolicy:
        configuredAction: ACCEPT
        name: my-policy
        outcome: ACCEPT
        priority: 2147483647
        preconfiguredExprIds: [ 'owasp-crs-v030001-id941180-xss' ]
      statusDetails: response_sent_by_backend
    logName: projects/mydev-staging/logs/requests
    resource:
      labels:
        backend_service_name: ''
        forwarding_rule_name: mydev-forwarding-rule
        project_id: mydev-staging
        target_proxy_name: mydev-target-http-proxy
        url_map_name: mydev-url-map
        zone: global
      type: http_load_balancer
    severity: INFO
    timestamp: '2017-04-18T18:57:05.845960288Z'
    
  3. Exclude the ModSecurity CRS rule ID 941180 by updating the rule in the Google Cloud Armor security policy.

    gcloud beta compute security-policies rules update 1000 \
       --security-policy my-policy \
       --expression "evaluatePreconfiguredExpr('xss-canary', ['owasp-crs-v030001-id941180-xss'])" \
       --action deny \
       --preview
    
  4. Review the Stackdriver logs again and then disable preview mode to implement the rule.

Hai trovato utile questa pagina? Facci sapere cosa ne pensi:

Invia feedback per...

Google Cloud Armor Documentation