Monitoring Google Cloud Armor Security Policies

Google Cloud Armor exports monitoring data from security policies to Cloud Monitoring. You can use monitoring metrics to check whether your policies are working as intended or to troubleshoot problems. For example, you can view the traffic that was blocked or allowed for each backend service. You can monitor the metrics of a single security policy (which can be applied to multiple backend services) or a single backend service.

In addition to the predefined dashboards in Cloud Monitoring, you can create custom dashboards, set up alert policies, and query the metrics through the Cloud Monitoring API.

On the Cloud Monitoring dashboard, Open Incidents are driven by the alerting policies you configure. When an alert is triggered, it appears as an incident on the dashboard. Incidents and alerting are general functions of Cloud Monitoring, not specific to Google Cloud Armor.

There are no Cloud Monitoring logs for Security Command Center.

For complete information on Cloud Monitoring, see Cloud Monitoring documentation.

Viewing the monitoring dashboard

You can monitor the status and request traffic volumes (allowed, denied, or previewed) on a per-policy and per-backend-service basis using the pre-configured Network Security policy resource dashboard in Cloud Monitoring.

Use these instructions to view the dashboard.

  1. In the Google Cloud Console, go to Monitoring.
  2. Select Dashboards, and then select the dashboard named Network Security Policies.

  3. Click the name of your policy.

When you open the dashboard, you see overall metrics on the right. These include request volume metrics for requests evaluated by a security policy, broken down by outcome: allowed, denied, previewed allowed, and previewed denied. Metrics can be viewed at several levels of granularity, including per project, per policy, and per backend service.

When you click a policy name, you see details about the policy.

[Figure: Google Cloud Armor monitoring dashboard]

Defining alerting policies

You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition. The general steps for creating an alerting policy that monitors the Network Security Policy resource(s) are listed below:

  1. In the Google Cloud Console, go to Monitoring.
  2. In the Monitoring navigation pane, select Alerting and then select Create Policy.
  3. Enter a name for the alerting policy.
  4. Click Add Condition:
    1. The settings in the Target pane specify the resource and metric to be monitored. Click the text box to open the menu, select the resource type Network Security Policy, and then select a metric from the metrics list.
    2. The settings in the Configuration pane of the alerting policy determine when the alert is triggered. Most fields in this pane are populated with default values. For more information on the fields in the pane, see Configuration in the alerting policy documentation.
    3. Click Add.
  5. (Optional) Click Add Notification Channel and enter your notification channel information.
  6. (Optional) Click Documentation and add any information that you want included in a notification message.
  7. Click Save.
For more information, see Alerting policies.

Defining Cloud Monitoring custom dashboards

You can create custom Cloud Monitoring dashboards over Network Security Policy metrics:

  1. In the Google Cloud Console, go to Monitoring.
  2. Select Dashboards > Create Dashboard.
  3. Click Add Chart.
  4. Give the chart a title.
  5. Select metrics and filters. For metrics, the resource type is Network Security Policy.
  6. Click Save.

Metric reporting frequency and retention

Metrics for Google Cloud Armor security policies are exported to Cloud Monitoring in batches at 1-minute granularity. Monitoring data is retained for six weeks. The dashboard offers the following default analysis intervals:

  • 1H (one hour)
  • 6H (six hours)
  • 1D (one day)
  • 1W (one week)
  • 6W (six weeks)

Using the controls in the upper-right corner of the Cloud Monitoring page, you can manually request analysis over any interval from one minute up to six weeks.

Monitoring metrics for Google Cloud Armor security policies

The following metrics are reported on the Google Cloud Armor security policies dashboard:

Metric                  Description
Request count           The number of requests processed by a Google Cloud Armor security policy.
Preview request count   The number of requests that match preview-mode rules. Preview requests are logged, but the corresponding action is not enforced.

The preview request count is a subset of the request count: a request that matches a preview rule is still counted as processed, because it goes on to match a configured non-preview rule or the default rule, and that rule's action is the one enforced.

Filtering dimension for Google Cloud Armor security policies

Metrics are aggregated for each Google Cloud Armor security policy. You can filter aggregated metrics by the following dimensions:

Dimension             Description
backend_target_name   Track requests by the backend target (service) that the traffic was destined to.
blocked               Track requests by whether they were allowed or blocked by the Google Cloud Armor security policy rules.
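The alerting-policy steps above and the filtering dimensions just listed can also be driven through the Cloud Monitoring API rather than the console. The following is an added example, not code from the original page or from Google: it builds a Monitoring filter over the blocked and backend_target_name dimensions, assembles a ratio-style alert policy body ("more than half of the requests to a backend were blocked over five minutes") in the REST AlertPolicy shape, and evaluates constructed per-minute samples offline so the threshold logic can be checked without a project. The metric type networksecurity.googleapis.com/https/request_count, the resource type networksecurity.googleapis.com/SecurityPolicy, and the sample counts are assumptions and constructed data; confirm the metric and resource names against the metrics list in your own project before using the filter.

```python
"""Google Cloud Armor request-count metrics: filter, ratio alert body, offline evaluation."""
from collections import defaultdict
from dataclasses import dataclass
import time

# ASSUMED names (not stated on the page); verify in your project's metrics explorer.
METRIC_REQUEST_COUNT = "networksecurity.googleapis.com/https/request_count"
RESOURCE_TYPE = "networksecurity.googleapis.com/SecurityPolicy"


def build_filter(backend=None, blocked=None):
    """Monitoring filter over the two dimensions the page lists (backend_target_name, blocked)."""
    parts = [f'metric.type = "{METRIC_REQUEST_COUNT}"', f'resource.type = "{RESOURCE_TYPE}"']
    if backend is not None:
        parts.append(f'metric.labels.backend_target_name = "{backend}"')
    if blocked is not None:
        parts.append(f'metric.labels.blocked = "{str(blocked).lower()}"')
    return " AND ".join(parts)


def blocked_ratio_alert_policy(display_name, threshold=0.5, duration_s=300):
    """REST AlertPolicy body: blocked request rate / total request rate, per backend target.

    Usable as the file for `gcloud alpha monitoring policies create --policy-from-file`.
    """
    aggregation = {"alignmentPeriod": "60s", "perSeriesAligner": "ALIGN_RATE",
                   "crossSeriesReducer": "REDUCE_SUM",
                   "groupByFields": ["metric.label.backend_target_name"]}
    return {
        "displayName": display_name,
        "combiner": "OR",
        "conditions": [{
            "displayName": "blocked request ratio per backend",
            "conditionThreshold": {
                "filter": build_filter(blocked=True),            # numerator: blocked only
                "aggregations": [aggregation],
                "denominatorFilter": build_filter(),              # denominator: all requests
                "denominatorAggregations": [aggregation],
                "comparison": "COMPARISON_GT",
                "thresholdValue": threshold,
                "duration": f"{duration_s}s",
            },
        }],
    }


@dataclass(frozen=True)
class Point:
    end_time: int      # unix seconds of the 1-minute bucket
    backend: str       # backend_target_name label
    blocked: bool      # blocked label
    count: int         # request_count value for that bucket


def blocked_ratio_by_backend(points, window_s, now):
    """Same ratio the alert computes, folded over a window of per-minute samples."""
    totals = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for p in points:
        if p.end_time < now - window_s:
            continue                                   # outside the analysis interval
        totals[p.backend]["blocked" if p.blocked else "allowed"] += p.count
    ratios = {}
    for backend, t in totals.items():
        total = t["allowed"] + t["blocked"]
        ratios[backend] = t["blocked"] / total if total else 0.0
    return ratios


def backends_over_threshold(ratios, threshold):
    """Backends whose blocked ratio meets the threshold (what the alert would fire on)."""
    return sorted(b for b, r in ratios.items() if r >= threshold)


def fetch_points(project_id, window_s):
    """Live query via the Cloud Monitoring API; needs credentials and google-cloud-monitoring."""
    from google.cloud import monitoring_v3
    client = monitoring_v3.MetricServiceClient()
    now = int(time.time())
    interval = monitoring_v3.TimeInterval({"end_time": {"seconds": now},
                                           "start_time": {"seconds": now - window_s}})
    series = client.list_time_series(request={
        "name": f"projects/{project_id}", "filter": build_filter(), "interval": interval,
        "view": monitoring_v3.ListTimeSeriesRequest.TimeSeriesView.FULL})
    points = []
    for ts in series:
        labels = ts.metric.labels
        for pt in ts.points:
            points.append(Point(int(pt.interval.end_time.timestamp()),
                                labels["backend_target_name"],
                                labels["blocked"] == "true", int(pt.value.int64_value)))
    return points


# Constructed sample: two backends, 1-minute buckets, one stale bucket outside a 1H window.
SAMPLE_NOW = 1_700_000_000
SAMPLE_POINTS = [
    Point(SAMPLE_NOW - 60, "web-backend", False, 900),
    Point(SAMPLE_NOW - 60, "web-backend", True, 100),
    Point(SAMPLE_NOW - 120, "web-backend", False, 950),
    Point(SAMPLE_NOW - 120, "web-backend", True, 50),
    Point(SAMPLE_NOW - 60, "api-backend", False, 200),
    Point(SAMPLE_NOW - 60, "api-backend", True, 600),
    Point(SAMPLE_NOW - 7200, "api-backend", False, 5000),   # ignored for a 1H window
]

if __name__ == "__main__":
    ratios = blocked_ratio_by_backend(SAMPLE_POINTS, 3600, SAMPLE_NOW)
    print(ratios, backends_over_threshold(ratios, 0.5))
```

The ratio is evaluated per backend_target_name rather than per policy because one security policy can front several backend services; a spike in denials on one backend is invisible in the policy-wide total when the other backends carry most of the traffic. The stale sample shows why the window matters: data older than the interval is dropped before the ratio is taken, which is also how the dashboard's 1H to 6W presets behave.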