Configuring Google Cloud Armor security policies

Use these instructions to filter incoming traffic to HTTP(S) Load Balancing by creating Google Cloud Armor security policies. For conceptual information about Google Cloud Armor security policies, see Google Cloud Armor security policy Concepts.

Make sure that you are familiar with HTTP(S) Load Balancing concepts before you configure security policies.

For information about configuring Google Cloud Armor on GKE, see Configuring Google Cloud Armor.

IAM permissions for Google Cloud Armor security policies

The following operations require the role Security Admin (roles/compute.securityAdmin):

  • Creating, modifying, updating, and deleting a Google Cloud Armor security policy
  • API methods allowed:
    • SecurityPolicies insert
    • SecurityPolicies delete
    • SecurityPolicies patch
    • SecurityPolicies addRule
    • SecurityPolicies patchRule
    • SecurityPolicies removeRule

A user with the Network Admin role (roles/compute.networkAdmin) can perform the following operations:

  • Setting a Google Cloud Armor security policy for a backend service
  • API methods allowed:
    • BackendServices setSecurityPolicy

Users with the roles Security Admin and Network Admin can view Google Cloud Armor security policies using the API methods SecurityPolicies get, list, and getRule.

IAM permissions for custom roles

The following table lists the base IAM roles' base permissions and their associated API methods.

IAM Permission API Methods
compute.securityPolicies.create SecurityPolicies insert
compute.securityPolicies.delete SecurityPolicies delete
compute.securityPolicies.get SecurityPolicies get
SecurityPolicies getRule
compute.securityPolicies.list SecurityPolicies list
compute.securityPolicies.use BackendServices setSecurityPolicy
compute.securityPolicies.update SecurityPolicies patch
SecurityPolicies addRule
SecurityPolicies patchRule
SecurityPolicies removeRule
compute.backendServices.setSecurityPolicy BackendServices setSecurityPolicy

Configuring Google Cloud Armor security policies for HTTP(S) Load Balancing

At a high level, these are the steps for configuring Google Cloud Armor security policies to enable rules that allow or deny traffic to HTTP(S) Load Balancing.

  1. Create a Google Cloud Armor security policy.
  2. Add rules to the policy based on IP lists, custom expressions, or pre-configured expression sets.
  3. Attach the Google Cloud Armor security policy to a backend service of the HTTP(S) load balancer for which you want to control access.
  4. Update the Google Cloud Armor security policy as needed.

In the following example, you create two Google Cloud Armor Security Policies and apply them to different backend services.

Example in which two Google Cloud Armor security policies are applied to different backend services
Example in which two Google Cloud Armor security policies are applied to different backend services (click to enlarge)

In the example, these are the Google Cloud Armor security policies:

  • mobile-clients-policy applies to external users of your games services
  • internal-users-policy applies to your organization's test-network team

You apply mobile-clients-policy to the games service, whose backend service is called games, and you apply internal-users-policy to the internal test service for the testing team, whose corresponding backend service is called test-network.

If the backend instances for a backend service are in multiple regions, then the Google Cloud Armor security policy associated with the service is applicable to instances in all regions. In the example above, the Google Cloud Armor security policy mobile-clients-policy is applicable to instances 1, 2, 3, and 4 in us-central and to instances 5 and 6 in us-east.

Creating the example

Use these instructions to create the example discussed in the previous section.

Console

To create the example configuration, follow these steps:

  1. Go to the Network Security page in the Google Cloud Console.
    Go to the Network Security page
    You see the Security policies page.
  2. Click Create policy.
  3. In the Name field, type mobile-client-policy.
  4. In the Description field, type policy for external users.
  5. Click Deny.
  6. Click Next step.
  7. Click Add rule.
  8. In the Description field, type allow traffic from 192.0.2.0/24.
  9. For the Mode, select Basic mode (IP addresses/ranges only).
  10. In the Match field, type 192.0.2.0/24.
  11. For the Action, select Allow.
  12. In the Priority field, type 1000.
  13. Click Done.
  14. Click Next step.
  15. Click Add target.
  16. Select a Target from the drop-down list.
  17. Click Done.
  18. Click Create policy. You see the Security policies page in the Console.
  19. In the Name field, type internal-users-policy.
  20. In the Description field, type Policy for internal test users.
  21. Click Deny.
  22. Click Next step.
  23. Click Add rule.
  24. In the Description field, type allow traffic from 198.51.100.0/24.
  25. For the Mode, select Basic mode (IP addresses/ranges only).
  26. In the Match field, type 198.51.100.0/24.
  27. For the Action, select Allow.
  28. Check Enable.
  29. In the Priority field, type 1000.
  30. Click Done.
  31. Click Next step.
  32. Click Add target.
  33. Select a Target from the drop-down list.
  34. Click Done.
  35. Click Create policy. You see the Security policies page in the Console.

gcloud

  1. Create the Google Cloud Armor security policies.

    gcloud compute security-policies create mobile-clients-policy \
        --description "policy for external users"
    
    gcloud compute security-policies create internal-users-policy \
        --description "policy for internal test users"
    
  2. Update the default rules to the Google Cloud Armor security policies to deny traffic.

    gcloud compute security-policies rules update 2147483647 \
        --security-policy mobile-clients-policy \
        --action "deny-404"
    
    gcloud compute security-policies rules update 2147483647 \
        --security-policy internal-users-policy \
        --action "deny-502"
    
  3. Add rules to the Google Cloud Armor security policies.

    gcloud compute security-policies rules create 1000 \
        --security-policy mobile-clients-policy \
        --description "allow traffic from 192.0.2.0/24" \
        --src-ip-ranges "192.0.2.0/24" \
        --action "allow"
    
    gcloud compute security-policies rules create 1000 \
        --security-policy internal-users-policy \
        --description "allow traffic from 198.51.100.0/24" \
        --src-ip-ranges "198.51.100.0/24" \
        --action "allow"
    
  4. Attach the Google Cloud Armor security policies to the backend services.

    gcloud compute backend-services update games \
        --security-policy mobile-clients-policy
    
    gcloud compute backend-services update test-network \
        --security-policy internal-users-policy
    

Configuring Google Cloud Armor for GKE

You can configure Google Cloud Armor security policies for GKE using the following high-level procedure.

  1. Configure a Google Cloud Armor security policy with rules using the REST API or gcloud command line tool.
  2. Create an Ingress resource in GKE.
  3. Determine which backend services are associated with the Ingress resource.

    1. Retrieve the configuration of the Ingress resource:

      kubectl describe ingress [INGRESS_NAME]
      
    2. Note the values in the backends field of the "Annotations" section of the output. These are the names of the backend services used.

  4. Using the REST API or gcloud command line tool, attach the Google Cloud Armor security policy to each of the backends noted in the previous step.

If a Kubernetes Ingress resource is deleted and then recreated, the security policy must be reapplied to the new backend service or services.

For more information see Configuring Google Google Cloud Armor through Ingress

Creating Google Cloud Armor security policies, rules, and expressions

You can create Google Cloud Armor security policies, rules and expressions using the Google Cloud Console, the gcloud command line tool, or the REST API.

The following are sample expressions. For more information on expressions, see the Google Cloud Armor rules language reference.

If you are creating a rule or expression that uses ISO 3166-1 alpha 2 country or region codes, note that Google Cloud Armor treats each code independently. Google Cloud Armor rules and expressions explicitly uses those region codes to allow or deny requests.

  • The following expression matches against requests from the IP address 1.2.3.4 and contains the string Godzilla in the user-agent header:

    inIpRange(origin.ip, '1.2.3.4/32') && has(request.headers['user-agent']) && request.headers['user-agent'].contains('Godzilla')
    
  • The following expression matches against requests that have a cookie with a specific value:

    has(request.headers['cookie']) && request.headers['cookie'].contains('cookie_name=cookie_value')
    
  • The following expression matches against requests from the region AU:

    origin.region_code == 'AU'
    
  • The following expression matches against requests from the region AU and not in the specified IP range:

    request.region_code == "AU" && !inIpRange(origin.ip, '1.2.3.0/24')
    
  • The following expression matches against requests if the URI matches a regular expression:

    request.path.matches('/bad_path/')
    
  • The following expression matches against requests if the Base64 decoded value of the user-id header contains a specific value:

    has(request.headers['user-id']) && request.headers['user-id'].base64Decode().contains('myValue')
    
  • The following expression uses a pre-configured expression set match against SQLi attacks:

    evaluatePreconfiguredExpr('sqli-stable')
    

The following instructions assume that you are creating security policies to apply to an existing external HTTP(S) load balancer and backend service.

Console

To create Google Cloud Armor security policies and rules and attach the Google Cloud Armor security policy to a backend service:

  1. Go to the Network Security page in the Google Cloud Console.
    Go to the Network Security page
    You see the Security policies page.
  2. Click Create policy.
  3. In the Name field, type the name of your policy.
  4. Optionally, type a description of the policy.
  5. Select Allow for a default rule that permits access or Deny for a default rule that forbids access to an IP address or IP address range.

    The default rule is the lowest priority rule that takes effect only if no other rule applies.

  6. If you are creating a Deny rule, choose the Deny status. This is the error message that Google Cloud Armor displays if a user without access tries to gain access.

  7. Regardless of the type of rule you are creating, click Next step.

  8. Click Add rule to configure additional rules for the security policy.

  9. Optionally, type a Description for the rule.

  10. Select the mode.

    • Basic mode — allow or deny traffic based on IP addresses or ranges.
    • Advanced mode — allow or deny traffic based on rule expressions.
  11. In the Match field, specify the conditions under which the rule applies.

    • Basic mode — type IP address ranges to match in the rule.
    • Advanced mode — type an expression or sub-expressions to evaluate against incoming requests. See the Google Cloud Armor rules language for information about how to write the expressions.
  12. Select Allow or Deny to allow or deny traffic if the rule matches.

  13. To enable preview mode, check Enable. In preview mode, you can see how the rule behaves, but the rule is not enabled.

  14. Type the rule's Priority. This can be any positive integer from 0 to 2,147,483,646 inclusive. For more information about the evaluation order, see Rule priority and evaluation order.

  15. Click Done.

  16. To add more rules, click Add rule and repeat the steps above. Otherwise, click Next step.

  17. Click Add target.

  18. Select a Target from the drop-down list.

  19. To add more targets, click Add target.

  20. Click Done.

  21. Click Create policy.

gcloud

  1. To create a new Google Cloud Armor security policy, use the command gcloud compute security-policies create, where NAME is the name of the Google Cloud Armor security policy.

    gcloud compute security-policies create [NAME] \
        [--file-format=[FILE_FORMAT] | --description=[DESCRIPTION]] \
        [--file-name=[FILE_NAME]]
    

    For example:

    gcloud compute security-policies create my-policy \
       --description "block bad traffic"
    
  2. To add rules to a Google Cloud Armor security policy, use the command gcloud compute security-policies rules create PRIORITY where PRIORITY is the priority assigned to the rule in the policy. For information on how rule priority works, see About Google Cloud Armor Security Policies.

    gcloud compute security-policies rules create [PRIORITY]  \
       [--security-policy [POLICY_NAME]] \
       [--description [DESCRIPTION]] \
       --src-ip-ranges [IP_RANGE,...] | --expression [EXPRESSION] \
       --action=[ allow | deny-403 | deny-404 | deny-502 ]  \
       [--preview]
    

    The following command adds a rule to block traffic from IP address ranges 192.0.2.0/24 and 198.51.100.0/24. The rule has priority 1000 and it is a rule in a policy called my-policy.

    gcloud compute security-policies rules create 1000 \
       --security-policy my-policy \
       --description "block traffic from 192.0.2.0/24 and 198.51.100.0/24" \
       --src-ip-ranges "192.0.2.0/24","198.51.100.0/24" \
       --action "deny-403"
    

    With the --preview flag added, the rule is added to the policy, but not enforced, and any traffic that triggers the rule is only logged.

    gcloud compute security-policies rules create 1000 \
       --security-policy my-policy \
       --description "block traffic from 192.0.2.0/24 and 198.51.100.0/24" \
       --src-ip-ranges "192.0.2.0/24","198.51.100.0/24" \
       --action "deny-403" \
       --preview
    

    Use the --expression flag to specify a custom condition in the Google Cloud Armor rules language. The following command adds a rule to allow traffic from the IP address 1.2.3.4 and contains the string Godzilla in the user-agent header:

    gcloud compute security-policies rules create 1000 \
       --security-policy my-policy \
       --expression "inIpRange(origin.ip, '1.2.3.4/32') && has(request.headers['user-agent']) && request.headers['user-agent'].contains('Godzilla')" \
       --action allow \
       --description "Block User-Agent 'Godzilla'"
    

    The following command adds a rule to block requests if the request's cookie contains a specific value:

    gcloud compute security-policies rules create 1000 \
       --security-policy my-policy \
       --expression "has(request.headers['cookie']) && request.headers['cookie'].contains('cookie_name=cookie_value')" \
       --action "deny-403" \
       --description "Cookie Block"
    

    The following command adds a rule to block requests from the region AU:

    gcloud compute security-policies rules create 1000 \
       --security-policy my-policy \
       --expression "origin.region_code == 'AU'" \
       --action "deny-403" \
       --description "AU block"
    

    The following command adds a rule to block requests from the region AU and not in the specified IP range:

    gcloud compute security-policies rules create 1000 \
       --security-policy my-policy \
       --expression "origin.region_code == 'AU' && !inIpRange(origin.ip, '1.2.3.0/24')" \
       --action "deny-403" \
       --description "country and IP block"
    

    The following command adds a rule to block requests with a URI that matches a regular expression:

    gcloud compute security-policies rules create 1000 \
       --security-policy my-policy \
       --expression "request.path.matches('/bad_path/)')" \
       --action "deny-403" \
       --description "regex block"
    

    The following command adds a rule to block requests if the Base64 decoded value of the user-id header contains a specific value:

    gcloud compute security-policies rules create 1000 \
       --security-policy my-policy \
       --expression "has(request.headers['user-id']) && request.headers['user-id'].base64Decode().contains('myValue')" \
       --action "deny-403" \
       --description "country and IP block"
    

    The following command adds a rule that uses a pre-configured expression set to mitigate SQLi attacks:

    gcloud compute security-policies rules create 1000 \
       --security-policy my-policy \
       --expression "evaluatePreconfiguredExpr('sqli-stable')" \
       --action "deny-403"
    

    The following command adds a rule that uses a pre-configured expression to allow access from all IP addresses on a named IP address list:

    gcloud beta compute security-policies rules create 1000 \
       --security-policy my-policy \
       --expression "evaluatePreconfiguredExpr('sourceiplist-fastly')" \
       --action "allow"
    

Listing the available pre-configured rules

List pre-configured rules to view the predefined application protection rules and signatures such as the ModSecurity Core Rule Set that Google Cloud Armor provides. These pre-configured rules contain multiple built-in signatures that Google Cloud Armor uses to evaluate against incoming requests. You add these pre-configured rules to new or existing rules by using the Google Cloud Armor custom rules language.

For more information, see pre-configured rules.

gcloud

  1. Run the gcloud compute security-policies list-preconfigured-expression-sets command.

    gcloud compute security-policies list-preconfigured-expression-sets
    

    The follow example shows the form of the output from the command:

    EXPRESSION_SET
    expression-set-1
       RULE_ID
       expression-set-1-id-1
       expression-set-1-id-2
    expression-set-2
       alias-1
       RULE_ID
       expression-set-2-id-1
       expression-set-2-id-2
    

    The follow example includes a sample of the actual output from the command. Note that the actual output would include all of the rules that are listed in Tuning Google Cloud Armor WAF rules.

    gcloud beta compute security-policies list-preconfigured-expression-sets
    
    EXPRESSION_SET
    sqli-canary
        RULE_ID
        owasp-crs-v030001-id942110-sqli
        owasp-crs-v030001-id942120-sqli
        …
    xss-canary
        RULE_ID
        owasp-crs-v030001-id941110-xss
        owasp-crs-v030001-id941120-xss
    …
    sourceiplist-fastly
    sourceiplist-cloudflare
    sourceiplist-imperva
    

Listing Google Cloud Armor security policies

Use these instructions to list all Google Cloud Armor security policies in the current project or in a project you specify.

Console

  1. Go to the Network Security page in the Google Cloud Console.
    Go to the Network Security page
    You see the Security policies page and a list of policies.

  2. To view a particular policy, click its name.

gcloud

To list all configured Google Cloud Armor security policies:

gcloud compute security-policies list

For example:

gcloud compute security-policies list
NAME
my-policy

For more information, see gcloud compute security-policies list

Updating Google Cloud Armor security policies

Use these instructions to update a Google Cloud Armor Security Policy. For example, you can modify the policy's description, modify the default rule's behavior, change the target backend service, or add new rules.

Console

To update a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page and a list of policies.
  2. Click the three-dot menu corresponding to the policy you want to update.

    1. To update the policy description of the default rule action, select Edit, make the desired changes, and click Update.
    2. To add a rule, select Add rule, then follow the instructions above for adding a rule to a policy from the Console.
    3. To change the target backend service for the Google Cloud Armor security policy, select Apply policy to target, then add a new target and click Add.

gcloud

To update a Google Cloud Armor security policy with the gcloud command line tool, use the following instructions:

Exporting Google Cloud Armor security policies

You can export a Google Cloud Armor security policy as a YAML or JSON file by using the gcloud command line tool. Exporting a policy enables you to retrieve a copy of it that you can modify or save in source control.

gcloud

  1. In the following command, NAME is the name of the Google Cloud Armor security policy. Valid file formats are YAML and JSON. If you do not provide the file format, Google Cloud Armor uses the default YAML.

    gcloud compute security-policies export NAME \
        --file-name [FILE_NAME]  \
        --file-format [FILE_FORMAT]
    

    The following command exports the my-policy security policy to the my-file file in the YAML format:

    gcloud compute security-policies export my-policy \
         --file-name my-file \
         --file-format yaml
     

    The following example shows an exported security policy:

    description: my description
    fingerprint: PWfLGDWQDLY=
    id: '123'
    name: my-policy
    rules:

    • action: allow description: default rule match: config: srcIpRanges: - '*' versionedExpr: SRC_IPS_V1 preview: false priority: 2147483647 selfLink: https://www.googleapis.com/compute/v1/projects/my-project/global/securityPolicies/my-policy
  2. You can modify the exported file with any text editor, and then import it back to GCP by using the import command.

Importing Google Cloud Armor security policies

You can import Google Cloud Armor security policies from a YAML or JSON file by using the gcloud command line tool. You can't use the import command to update an existing policy's rules. Instead, you must update rules one by one by using the Update rules procedure or all at once by using the Atomically update rules in a Google Cloud Armor Security Policy procedure.

gcloud

To import Google Cloud Armor security policies, use the gcloud compute security-policies import NAME command, where NAME is the name of the Google Cloud Armor security policy you are importing. If you do not provide the file format, the correct format is assumed based on the file structure. If the structure is invalid, you see an error.

gcloud compute security-policies import NAME \
   --file-name [FILE_NAME] \
  [--file-format [FILE_FORMAT]]

For example, the following command updates the policy my-policy by importing the file my-file.

gcloud compute security-policies import my-policy \
    --file-name my-file \
    --file-format json

If the policy's fingerprint is out of date when you import it, Google Cloud Armor shows an error. This means that the policy has been modified since you last exported it. To fix this, use the describe command on the policy to get the latest fingerprint. Merge any differences between the described policy and your policy, and then replace the outdated fingerprint with the latest one.

Deleting Google Cloud Armor security policies

Use these instructions to delete a Google Cloud Armor security policy. You must remove all backend services from the policy before you can delete it.

Console

To delete a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page.
  2. Next to the name of the Google Cloud Armor security policy you want to delete, select the checkbox.
  3. In the upper-right-hand corner of the display, click the Delete icon.

gcloud

Use gcloud compute security-policies delete NAME to delete a security policy, where NAME is the name of the Google Cloud Armor Security Policy.

gcloud compute security-policies delete NAME

Attaching a Google Cloud Armor security policy to a backend service

Use these instructions to attach a Google Cloud Armor security policy to a backend service. A Google Cloud Armor security policy can be attached to more than one backend service, but a backend service can have only one Google Cloud Armor security policy attached to it.

Console

To attach a policy to a backend service:

  1. Go to the Network Security page in the Google Cloud Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed.
  3. In the middle of the page, click the Targets tab.
  4. Click Apply policy to new target.
  5. Click Add Target.
  6. Click Select a target.
  7. Select the target.
  8. Click Add.

gcloud

Use the gcloud compute backend-services command to attach a security policy to a backend service.

gcloud compute backend-services update my-backend \
    --security-policy my-policy

Removing a Google Cloud Armor security policy from a backend service

Use these instructions to remove a Google Cloud Armor security policy from a backend service.

Console

To remove a policy from a backend service:

  1. Go to the Network Security page in the Google Cloud Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed.
  3. In the middle of the page, click the Targets tab.
  4. Select the target backend service from which you are removing the policy.
  5. Click Remove.
  6. On the confirmation pop-up, click Remove.

gcloud

To remove a Google Cloud Armor security policy from the backend service my-backend:

gcloud compute backend-services update my-backend \
   --security-policy ""

Adding rules to a Google Cloud Armor security policy

Use these instructions to add rules to a Google Cloud Armor security policy.

Console

To add rules to a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed.
  3. In the middle of the page, click Add rule.
  4. Optionally, type a description of the rule.
  5. Select the mode.

    • Basic mode — allow or deny traffic based on IP addresses or ranges.
    • Advanced mode — allow or deny traffic based on rule expressions.
  6. In the Match field, specify the conditions under which the rule applies.

    • Basic mode — type from one (1) to five (5) IP address ranges to match in the rule.
    • Advanced mode — type an expression or sub-expressions to evaluate against incoming requests. See the Google Cloud Armor rules language for information about how to write the expressions and read the following examples:

      • The following expression matches against requests from the IP address 1.2.3.4 and contains the string Godzilla in the user-agent header:

        inIpRange(origin.ip, '1.2.3.4/32') && has(request.headers['user-agent']) && request.headers['user-agent'].contains('Godzilla')
        
      • The following expression matches against requests that have a cookie with a specific value:

        has(request.headers['cookie']) && request.headers['cookie'].contains('cookie_name=cookie_value')
        
      • The following expression matches against requests from the region AU:

        origin.region_code == 'AU'
        
      • The following expression matches against requests from the region AU and not in the specified IP range:

        request.region_code == "AU" && !inIpRange(origin.ip, '1.2.3.0/24')
        
      • The following expression matches against requests if the URI matches a regular expression:

        request.path.matches('/bad_path/)')
        
      • The following expression matches against requests if the Base64 decoded value of the user-id header contains a specific value:

        has(request.headers['user-id']) && request.headers['user-id'].base64Decode().contains('myValue')
        
      • The following expression uses a pre-configured expression set to match against SQLi attacks:

        evaluatePreconfiguredExpr('sqli-stable')
        
  7. In the Action section, select Allow or Deny.

  8. If you are creating a Deny rule, choose the Deny status.

  9. If you want to enable preview mode for the rule, check Enable.

  10. In the Priority field, type in a positive integer.

  11. Click Add.

gcloud

To add rules to a Google Cloud Armor security policy, use the command gcloud compute security-policies rules create PRIORITY where PRIORITY is the priority of the rule in the policy.

gcloud compute security-policies rules create PRIORITY \
   --security-policy [POLICY_NAME} \
   --description [DESCRIPTION] \
   --src-ip-ranges [IP_RANGES] | --expression [EXPRESSION] \
   --action=[ allow | deny-403 | deny-404 | deny-502 ] \
   --preview

The following command adds a rule to block traffic from IP address ranges 192.0.2.0/24 and 198.51.100.0/24. The rule has priority 1000 and is a rule in a policy called my-policy.

gcloud compute security-policies rules create 1000 \
   --security-policy my-policy \
   --description "block traffic from 192.0.2.0/24 and 198.51.100.0/24" \
   --src-ip-ranges "192.0.2.0/24","198.51.100.0/24" \
   --action "deny-403"

Use the --expression flag to specify a condition in the Google Cloud Armor rules language. The following command adds a rule to allow traffic from the IP address 1.2.3.4 and contains the string Godzilla in the user-agent header:

gcloud compute security-policies rules create 1000 \
   --security-policy my-policy \
   --expression "inIpRange(origin.ip, '1.2.3.4/32') && has(request.headers['user-agent']) && request.headers['user-agent'].contains('Godzilla')" \
   --action allow \
   --description "Block User-Agent 'Godzilla'"

The following command adds a rule to block requests if the request's cookie contains a specific value:

gcloud compute security-policies rules create 1000 \
   --security-policy my-policy \
   --expression "has(request.headers['cookie']) && request.headers['cookie'].contains('80=BLAH')" \
   --action deny-403 \
   --description "Cookie Block"

The following command adds a rule to block requests from the region AU:

gcloud compute security-policies rules create 1000 \
   --security-policy my-policy \
   --expression "origin.region_code == 'AU'" \
   --action deny-403 \
   --description "AU block"

The following command adds a rule to block requests from the region AU and not in the specified IP range:

gcloud compute security-policies rules create 1000 \
   --security-policy my-policy \
   --expression "request.region_code == "AU" && !inIpRange(origin.ip, '1.2.3.0/24')" \
   --action deny-403 \
   --description "country and IP block"

The following command adds a rule to block requests with a URI that matches a regular expression:

gcloud compute security-policies rules create 1000 \
   --security-policy my-policy \
   --expression "request.path.matches('/bad_path/)')" \
   --action deny-502 \
   --description "regex block"

The following command adds a rule to block requests if the Base64 decoded value of the user-id header contains a specific value:

gcloud compute security-policies rules create 1000 \
   --security-policy my-policy \
   --expression "has(request.headers['user-id']) && request.headers['user-id'].base64Decode().contains('myValue')" \
   --action deny-403 \
   --description "country and IP block"

The following command adds a rule that uses a pre-configured expression set to mitigate SQLi attacks:

gcloud compute security-policies rules create 1000 \
   --security-policy my-policy \
   --expression "evaluatePreconfiguredExpr('sqli-stable')" \
   --action deny-403

Listing the rules in a Google Cloud Armor security policy

Use these instructions to list the rules in a Google Cloud Armor security policy.

Console

To list the rules in a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed and the policy rules are listed in the middle of the page.

gcloud

Use the following gcloud command to list all rules in a single security policy along with a description of the policy.

gcloud compute security-policies describe [NAME] \

Use the following gcloud command to describe a rule with the specified priority in the specified Google Cloud Armor security policy.

gcloud compute security-policies rules describe [PRIORITY] \
    --security-policy [POLICY_NAME]

For example, the following command describes the rule with priority 1000 in the Google Cloud Armor security policy my-policy:

gcloud compute security-policies rules describe 1000 \
    --security-policy my-policy

action: deny(403)
description: block traffic from 192.0.2.0/24 and 198.51.100.0/24
kind: compute#securityPolicyRule
match:
  srcIpRanges:

  • '192.0.2.0/24'
  • '198.51.100.0/24' preview: false priority: 1000

Updating a single rule

Use these instructions to update a single rule in a Google Cloud Armor security policy. To atomically update multiple rules, see Atomically update rules in a Google Cloud Armor security policy.

Console

To update a rule:

  1. Go to the Network Security page in the Google Cloud Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed.
  3. In the middle of the page, click the pencil icon next to the rule. The Edit rule page is displayed.
  4. Make the desired changes and click Update.

gcloud

Use this command to update a rule with the specified priority in a designated Google Cloud Armor security policy. You can only update one Google Cloud Armor security policy at a time using this command.

gcloud compute security-policies rules update [PRIORITY] [ \
   --security-policy [POLICY_NAME]  \
   --description [DESCRIPTION]  \
   --src-ip-ranges [IP_RANGES]  | --expression [EXPRESSION] \
   --action=[ allow | deny-403 | deny-404 | deny-502 ]  \
   --preview
  ]
  

For example, the following command updates a rule with priority 1111 to allow traffic from the IP address range 192.0.2.0/24.

gcloud compute security-policies rules update 1111 \
   --security-policy my-policy \
   --description "allow traffic from 192.0.2.0/24" \
   --src-ip-ranges "192.0.2.0/24" \
   --action "allow"

For more information about this command, see gcloud compute security-policies rules update

To update the priority of a rule, you must use the REST API. See securityPolicies.patchRule for more information.

Atomically updating multiple rules in a Google Cloud Armor security policy

An atomic update applies changes to multiple rules in a single update. If you were to update rules one by one, you might see some unintended behavior because old and new rules might be working together for a short period of time.

To atomically update multiple rules, export the current Google Cloud Armor security policy to a JSON or YAML file, and then modify it. Use the modified file to create a new Google Cloud Armor security policy, and then switch the security policy for the relevant backend services.

gcloud

  1. Export the policy to update, as shown in the following example:

    gcloud compute security-policies export my-policy \
         --file-name my-file \
         --file-format yaml
    

    The exported policy will look similar to the following example:

    description: my description
    fingerprint: PWfLGDWQDLY=
    id: '123'
    name: my-policy
    rules:

    • action: deny(404) description: my-rule-1 match: expr: expression: evaluatePreconfiguredExpr('xss-stable') versionedExpr: SRC_IPS_V1 preview: false priority: 1
    • action: allow description: my-rule-2 match: config: srcIpRanges:
      • '1.2.3.4' versionedExpr: SRC_IPS_V1 preview: false priority: 2
    • action: deny description: default rule kind: compute#securityPolicyRule match: config: srcIpRanges:
      • '*' versionedExpr: SRC_IPS_V1 preview: false priority: 2147483647 selfLink: https://www.googleapis.com/compute/v1/projects/my-project/global/securityPolicies/my-policy
  2. Use any text editor to modify the policy. For example, you can modify the the priorities of the existing rules and add a new rule:

    description: my description
    fingerprint: PWfLGDWQDLY=
    id: '123'
    name: my-policy
    rules:

    • action: deny(404) description: my-rule-1 match: expr: expression: evaluatePreconfiguredExpr('xss-stable') versionedExpr: SRC_IPS_V1 preview: false priority: 1
    • action: allow description: my-new-rule match: config: srcIpRanges:
      • '1.2.3.1' versionedExpr: SRC_IPS_V1 preview: false priority: 10
    • action: allow description: my-rule-2 match: config: srcIpRanges:
      • '1.2.3.4' versionedExpr: SRC_IPS_V1 preview: false priority: 11
    • action: deny description: default rule kind: compute#securityPolicyRule match: config: srcIpRanges:
      • '*' versionedExpr: SRC_IPS_V1 preview: false priority: 2147483647 selfLink: https://www.googleapis.com/compute/v1/projects/my-project/global/securityPolicies/my-policy
  3. Create a new Google Cloud Armor security policy and specify the modified file name and format, as shown in the following example:

    gcloud compute security-policies create new-policy \
       --description "allow-listed traffic" \
       --file-name modified-policy \
       --file-format yaml
    
  4. Remove the old security policy from the relevant backend service, as shown in the following example:

    gcloud compute backend-services update my-backend \
       --security-policy ""
    
  5. Add the new security policy to the backend service, as shown in the following example:

    gcloud compute backend-services update my-backend \
        --security-policy new-policy
    
  6. If the old policy is unused, delete it:

    gcloud compute security-policies delete my-policy
    

Deleting rules

Use these instructions to delete rules from a Google Cloud Armor Security Policy.

Console

To delete a rule from a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page.
  2. Click the name of the Google Cloud Armor security policy. The Policy detail page is displayed.
  3. In the middle of the page, select the checkbox next to the rule you want to delete.
  4. Click the Delete button.

gcloud

Use this command to remove a rule with the specified priority from a designated Google Cloud Armor security policy. You can modify only one Google Cloud Armor security policy at a time, but you can delete multiple rules at once.

gcloud compute security-policies rules delete PRIORITY [...] [
   --security-policy [POLICY_NAME] \
  ]

For example:

gcloud compute security-policies rules delete 1000 \
   --security-policy my-policy

Enabling HTTP(S) request logging

Google Cloud Armor logs for security policy name, match rule priority, associated action, and related information are logged as part of logging for HTTP(S) Load Balancing. Logging for new backend services is disabled by default, so you must enable HTTP(S) Load Balancing logging to record complete logging information for Google Cloud Armor.

To enable HTTP(S) Load Balancing logging, see HTTP(S) Load Balancing Logging and Monitoring.

Viewing logs

You can view logs only on the Console.

Console

To view the logs for a Google Cloud Armor security policy:

  1. Go to the Network Security page in the Google Cloud Console.
    Go to the Network Security page
    You see the Google Cloud Armor security policies page.
  2. In the row for a security policy, click the three-dot menu corresponding to the policy whose logs you want to see.
  3. Select View logs.

What's next