Example security policies

This page describes example security policy configurations for different types of load balancers and security policies.

Configure security policies for external Application Load Balancers

The following are the high-level steps for configuring Google Cloud Armor security policies to enable rules that allow or deny traffic to the global external Application Load Balancer or the classic Application Load Balancer:

  1. Create a Google Cloud Armor security policy.
  2. Add rules to the security policy based on IP address lists, custom expressions, or preconfigured expression sets.
  3. Attach the security policy to a backend service of the global external Application Load Balancer or the classic Application Load Balancer for which you want to control access.
  4. Update the security policy as needed.

In the following example, you create two Google Cloud Armor security policies and apply them to different backend services.

Example in which two security policies are applied to different backend services.
Example in which two security policies are applied to different backend services (click to enlarge).

In the example, these are the Google Cloud Armor security policies:

  • mobile-clients-policy applies to external users of your games services.
  • internal-users-policy applies to your organization's test-network team.

You apply mobile-clients-policy to the games service, whose backend service is called games, and you apply internal-users-policy to the internal test service for the testing team, whose corresponding backend service is called test-network.

If the backend instances for a backend service are in multiple regions, the Google Cloud Armor security policy associated with the service is applicable to instances in all regions. In the preceding example, the security policy mobile-clients-policy is applicable to instances 1, 2, 3, and 4 in us-central and to instances 5 and 6 in us-east.

Create the example

Use these instructions to create the example configuration discussed in the previous section.

Console

Configure the security policy for external users:

  1. In the Google Cloud console, go to the Google Cloud Armor policies page.

    Go to Google Cloud Armor policies

  2. Click Create policies.

  3. In the Name field, enter mobile-clients-policy.

  4. In the Description field, enter Policy for external users.

  5. For Default rule action, select Deny.

  6. For Deny status, select 404 (Not Found).

  7. Click Next step.

Add more rules:

  1. Click Add rule.
  2. In the Description field, enter allow traffic from 192.0.2.0/24.
  3. For Mode, select Basic mode (IP addresses/ranges only).
  4. In the Match field, enter 192.0.2.0/24.
  5. For Action, select Allow.
  6. In the Priority field, enter 1000.
  7. Click Done.
  8. Click Next step.

Apply policy to targets:

  1. Click Add Target.
  2. In the Target list, select a target.
  3. Click Done.
  4. Click Create policy.

Optionally, enable Google Cloud Armor Adaptive Protection:

  1. To enable Adaptive Protection, check the Enable checkbox.

Configure the security policy for internal users:

  1. Click Create policies.
  2. In the Name field, enter internal-users-policy.
  3. In the Description field, enter Policy for internal test users.
  4. For Default rule action, select Deny.
  5. For Deny status, select 502 (Bad Gateway).
  6. Click Next step.

Add more rules:

  1. Click Add rule.
  2. In the Description field, enter allow traffic from 198.51.100.0/24.
  3. For Mode, select Basic mode (IP addresses/ranges only).
  4. In the Match field, enter 198.51.100.0/24.
  5. For Action, select Allow.
  6. For Preview only, select the Enable checkbox.
  7. In the Priority field, enter 1000.
  8. Click Done.
  9. Click Next step.

Apply policy to targets:

  1. Click Add Target.
  2. In the Target list, select a target.
  3. Click Done.
  4. Click Create policy.

gcloud

  1. Create the Google Cloud Armor security policies:

    gcloud compute security-policies create mobile-clients-policy \
    --description "policy for external users"

    gcloud compute security-policies create internal-users-policy \
    --description "policy for internal test users"

  2. Update the default rules to the security policies to deny traffic:

    gcloud compute security-policies rules update 2147483647 \
    --security-policy mobile-clients-policy \
    --action "deny-404"

    gcloud compute security-policies rules update 2147483647 \
    --security-policy internal-users-policy \
    --action "deny-502"

  3. Add rules to the security policies:

    gcloud compute security-policies rules create 1000 \
    --security-policy mobile-clients-policy \
    --description "allow traffic from 192.0.2.0/24" \
    --src-ip-ranges "192.0.2.0/24" \
    --action "allow"

    gcloud compute security-policies rules create 1000 \
    --security-policy internal-users-policy \
    --description "allow traffic from 198.51.100.0/24" \
    --src-ip-ranges "198.51.100.0/24" \
    --action "allow"

  4. Attach the security policies to the backend services:

    gcloud compute backend-services update games \
    --security-policy mobile-clients-policy

    gcloud compute backend-services update test-network \
    --security-policy internal-users-policy

  5. Optionally, enable Adaptive Protection:

    gcloud compute security-policies update mobile-clients-policy \
    --enable-layer7-ddos-defense

    gcloud compute security-policies update internal-users-policy \
    --enable-layer7-ddos-defense

Create security policies

You can use the Google Cloud console or the gcloud CLI to create security policies. The instructions in this section assume that you are configuring security policies to apply to an existing global external Application Load Balancer or classic Application Load Balancer and backend service. For an example of how to complete the fields, see Creating the example.

Console

Create Google Cloud Armor security policies and rules and attach a security policy to a backend service:

  1. In the Google Cloud console, go to the Google Cloud Armor policies page.

    Go to Google Cloud Armor policies

  2. Click Create policies.

  3. In the Name field, enter the name of your policy.

  4. Optional: Enter a description of the policy.

  5. For Policy type choose Backend security policy or Edge security policy.

  6. For Default rule action, select Allow for a default rule that permits access, or select Deny for a default rule that forbids access to an IP address or IP address range.

    The default rule is the lowest priority rule that takes effect only if no other rule applies.

  7. If you are configuring a Deny rule, select a Deny status message. This is the error message that Google Cloud Armor displays if a user without access tries to gain access.

  8. Regardless of the type of rule that you are configuring, click Next step.

Add more rules:

  1. Click Add rule.
  2. Optional: Enter a description for the rule.

  3. Select the mode:

    • Basic mode: allow or deny traffic based on IP addresses or IP ranges.
    • Advanced mode: allow or deny traffic based on rule expressions.

  4. In the Match field, specify the conditions under which the rule applies:

    • Basic mode: enter IP addresses or IP ranges to match in the rule.
    • Advanced mode: enter an expression or subexpressions to evaluate against incoming requests. For information about how to write the expressions, see the Configure custom rules language attributes.

  5. For Action, select Allow or Deny to allow or deny traffic if the rule matches.

  6. To enable preview mode, select the Enable checkbox. In preview mode, you can see how the rule behaves, but the rule is not enabled.

  7. Enter the rule's Priority. This can be any positive integer from 0 to 2,147,483,646 inclusive. For more information about the evaluation order, see Rule evaluation order.

  8. Click Done.

  9. To add more rules, click Add rule and repeat the previous steps. Otherwise, click Next step.

Apply policy to targets:

  1. Click Add Target.
  2. In the Target list, select a target.
  3. To add more targets, click Add Target.
  4. Click Done.
  5. Click Create policy.

gcloud

  1. To create a new Google Cloud Armor security policy, use the gcloud compute security-policies create command.

    In the type field, use CLOUD_ARMOR to create a backend security policy or CLOUD_ARMOR_EDGE to create an edge security policy. The type flag is optional; if no type is specified, a backend security policy is created by default:

    gcloud compute security-policies create NAME \
   [--type=CLOUD_ARMOR|CLOUD_ARMOR_EDGE] \
   [--file-format=FILE_FORMAT | --description=DESCRIPTION] \
   [--file-name=FILE_NAME]

    Replace the following:

    • NAME: the name of the security policy
    • DESCRIPTION: the description of the security policy

    The following command updates a policy that you previously created, turns JSON parsing on, and changes the log level to VERBOSE:

    gcloud compute security-policies update my-policy \
    --json-parsing=STANDARD \
    --log-level=VERBOSE

  2. To add rules to a security policy, use the gcloud compute security-policies rules create PRIORITY command.

    gcloud compute security-policies rules create PRIORITY  \
    [--security-policy POLICY_NAME] \
    [--description DESCRIPTION] \
    --src-ip-ranges IP_RANGE,... | --expression EXPRESSION \
    --action=[ allow | deny-403 | deny-404 | deny-502 ] \
    [--preview]

    Replace PRIORITY with the priority assigned to the rule in the policy. For information about how rule priority works, see Rule evaluation order.

    For example, the following command adds a rule to block traffic from IP address ranges 192.0.2.0/24 and 198.51.100.0/24. The rule has priority 1000, and it is a rule in a policy called my-policy.

    gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --description "block traffic from 192.0.2.0/24 and 198.51.100.0/24" \
    --src-ip-ranges "192.0.2.0/24","198.51.100.0/24" \
    --action "deny-403"

    With the --preview flag added, the rule is added to the policy, but not enforced, and any traffic that triggers the rule is only logged.

    gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --description "block traffic from 192.0.2.0/24 and 198.51.100.0/24" \
    --src-ip-ranges "192.0.2.0/24","198.51.100.0/24" \
    --action "deny-403" \
    --preview

    Use the --expression flag to specify a custom condition. For more information, see Configure custom rules language attributes. The following command adds a rule to allow traffic from the IP address 1.2.3.4 and contains the string example in the user-agent header:

    gcloud beta compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "inIpRange(origin.ip, '1.2.3.4/32') && has(request.headers['user-agent']) && request.headers['user-agent'].contains('example')" \
    --action allow \
    --description "Block User-Agent 'example'"

    The following command adds a rule to block requests if the request's cookie contains a specific value:

    gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "has(request.headers['cookie']) && request.headers['cookie'].contains('cookie_name=cookie_value')" \
    --action "deny-403" \
    --description "Cookie Block"

    The following command adds a rule to block requests from the region AU:

    gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "origin.region_code == 'AU'" \
    --action "deny-403" \
    --description "AU block"

    The following command adds a rule to block requests from the region AU that are not in the specified IP range:

    gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "origin.region_code == 'AU' && !inIpRange(origin.ip, '1.2.3.0/24')" \
    --action "deny-403" \
    --description "country and IP block"

    The following command adds a rule to block requests with a URI that matches a regular expression:

    gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "request.path.matches('/bad_path/')" \
    --action "deny-403" \
    --description "regex block"

    The following command adds a rule to block requests if the Base64 decoded value of the user-id header contains a specific value:

    gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "has(request.headers['user-id']) && request.headers['user-id'].base64Decode().contains('myValue')" \
    --action "deny-403" \
    --description "country and IP block"

    The following command adds a rule that uses a preconfigured expression set to mitigate SQLi attacks:

    gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "evaluatePreconfiguredExpr('sqli-stable')" \
    --action "deny-403"

    The following command adds a rule that uses a preconfigured expression to allow access from all IP addresses on a named IP address list:

    gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "evaluatePreconfiguredExpr('sourceiplist-fastly')" \
    --action "allow"

Configure security policies for regional external Application Load Balancers

This section contains information about configuring regionally scoped Google Cloud Armor security policies for regional external Application Load Balancers.

Protect regionally load balanced workloads

Use the following steps to configure a security policy to protect your regionally scoped backend service:

  1. Create a regionally scoped security policy.

    gcloud beta compute security-policies create POLICY_NAME \
   --type=CLOUD_ARMOR \
   --region=REGION

  2. Attach the regionally scoped security policy to a regionally scoped backend service. Replace BACKEND_NAME with the name of your existing regionally scoped backend service.

    gcloud beta compute backend-services update BACKEND_NAME \
   --security-policy=POLICY_NAME \
   --region=REGION

Apply a regionally scoped Google Cloud Armor security policy

Consider an example in which you are a security administrator who wants to satisfy a residency requirement that all of your backend workloads and WAF rules are deployed in a specific region. Assume that you have done the following beforehand:

  1. You created regionally scoped load-balanced backend services in the region.
  2. You disabled any existing globally scoped security policies in your deployment.
  3. You created and attached a regionally scoped security policy in the same region (as in the previous section).

You can add WAF rules and other advanced rules to your policy while satisfying the requirement by using the following example commands:

  • Add a WAF rule to the policy:

    gcloud beta compute security-policies rules create 1000 --action=deny-404 \
  --expression="evaluatePreconfiguredExpr('xss-v33-stable', ['owasp-crs-v030301-id941100-xss', 'owasp-crs-v030301-id941160-xss'])" \
  --security-policy=POLICY_NAME \
  --region=REGION

  • Add an advanced rule to the policy:

    gcloud beta compute security-policies rules create 1000 --action=allow \
  --expression="has(request.headers['cookie']) && request.headers['cookie'].contains('80=EXAMPLE')" \
  --security-policy=POLICY_NAME \
  --region=REGION

  • Add a rate limiting rule to the policy:

    gcloud beta compute security-policies rules create 1000 --action=throttle \
  --src-ip-ranges="1.1.1.1/32" \
  --rate-limit-threshold-count=1000 \
  --rate-limit-threshold-interval-sec=120 \
  --conform-action="allow" \
  --exceed-action="deny-429" \
  --enforce-on-key=IP \
  --ban-duration-sec=999 \
  --ban-threshold-count=5000 \
  --ban-threshold-interval-sec=60 \
  --security-policy=POLICY_NAME \
  --region=REGION

What's next