Monitoring Google Cloud Armor security policies

Google Cloud Armor exports monitoring data from security policies to Cloud Monitoring. You can use monitoring metrics to check whether your policies are working as intended or to troubleshoot problems. For example, you can view the traffic that was blocked or allowed for each backend service. You can monitor the metrics of a single security policy (which can be applied to multiple backend services) or a single backend service.

In addition to the predefined dashboards in Monitoring, you can create custom dashboards, set up alert policies, and query the metrics through the Cloud Monitoring API.

The Open incidents panel on the Monitoring dashboard is driven by the alerting policies that you configure: when a policy's condition is met, the alert appears as an incident on the dashboard. These are general functions of Monitoring, not specific to Google Cloud Armor.

There are no Monitoring logs for Security Command Center.

For complete information about Monitoring, see the Cloud Monitoring documentation.

Viewing the monitoring dashboard

You can monitor the status and request traffic volumes (allowed, denied, or previewed) on a per-policy and per-backend-service basis by using the preconfigured Network Security Policies resource dashboard in Cloud Monitoring.

To view the dashboard, follow these steps:

Console

  1. In the Google Cloud Console, go to Monitoring.

  2. Select Dashboards, and then select the dashboard named Network Security Policies.

  3. Click the name of your policy.

When you access the dashboard, you see overall metrics on the right. These include request volume metrics for requests evaluated by a security policy broken down by outcome: allowed, denied, previewed allowed, previewed denied. Metrics can be observed at varying levels of granularity, including per-project, per-policy, and per-backend-service.

When you click a policy name, you see details about the policy.

Google Cloud Armor monitoring dashboard.

Defining custom dashboards

To create custom Monitoring dashboards over Network Security Policy metrics, follow these steps:

Console

  1. In the Google Cloud Console, go to Monitoring.

  2. Click Dashboards, and then click Create dashboard.

  3. Enter a name for your dashboard, and then click Confirm.

  4. Click Add chart.

  5. Give the chart a title.

  6. Select metrics and filters. For metrics, the resource type is Network Security Policy.

  7. Click Save.

Defining alerting policies

Console

You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition. The general steps for creating an alerting policy that monitors one or more Network Security Policy resources are as follows:

  1. In the Google Cloud Console, go to Monitoring.

  2. In the Monitoring navigation pane, select Alerting, and then select Create policy.
  3. Click Add condition:
    1. The settings in the Target pane specify the resource and metric to be monitored. Click the text box to open a menu, and then select the resource Network Security Policy. Next, select a metric from the metrics list.
    2. The settings in the Configuration pane of the alerting policy determine when the alert is triggered. Most fields in this pane are populated with default values. For more information about the fields in the pane, see Configuration in the Alerting policies documentation.
    3. Click Add.
  4. To advance to the notifications section, click Next.
  5. Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.

    If a notification channel that you want to add isn't listed, then click Manage notification channels. You are taken to the Notification channels page in a new browser tab. From this page, you can update the configured notification channels. After you have completed your updates, return to the original tab, click Refresh, and then select the notification channels to add to the alerting policy.

  6. To advance to the documentation section, click Next.
  7. Click Name and enter a name for the alerting policy.
  8. Optional: Click Documentation, and then add any information that you want included in a notification message.
  9. Click Save.
For more information, see Alerting policies.

Metric reporting frequency and retention

Metrics for the Google Cloud Armor security policies are exported to Cloud Monitoring in one-minute granularity batches. Monitoring data is retained for six weeks. The dashboard provides data analysis in the following default intervals:

  • 1H (one hour)
  • 6H (six hours)
  • 1D (one day)
  • 1W (one week)
  • 6W (six weeks)

Using the controls in the upper-right corner of the Monitoring page, you can manually request analysis over any interval between one minute and six weeks (6W).

Monitoring metrics for security policies

The following metrics are reported on the Network Security Policies dashboard:

  • Requests count: The number of requests processed by a Google Cloud Armor security policy.
  • Previewed Requests count: The number of requests that match preview-mode rules. Previewed requests are logged, but the corresponding action is not enforced.

The Previewed Requests count is a subset of the Requests count, not an addition to it: a request that matches a preview-mode rule continues to be evaluated and is ultimately allowed or denied by a configured non-preview rule or by the default rule, so it is counted in both metrics. Do not add the two metrics together when computing total traffic.

Filtering dimensions for security policies

Metrics are aggregated for each Google Cloud Armor security policy. You can filter aggregated metrics by the following dimensions:

  • backend_target_name: Track requests based on the backend target (service) that the traffic was destined to.
  • blocked: Track requests based on whether they were allowed or blocked by the security policy rules.
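The dashboards and alerting policies above are console procedures; the same metrics and dimensions can be consumed through the Cloud Monitoring API, which is how you would automate the two checks a practitioner most often wants (is a backend's denied share rising, and what would a preview-mode rule have blocked before it is enforced). The following is an added example, not Google's code or part of the original page. The metric type strings, the monitored resource type name, the resource label policy_name and the JSON shape of the projects.timeSeries.list response are assumptions made for the example, because the page names the metrics only by their dashboard titles; the sample response is constructed, not captured from a real project.

```python
"""Summarise Google Cloud Armor request metrics per backend service.

Added example, not Google's code. Assumed (not stated on the page): the metric
types REQUEST_COUNT and PREVIEWED_COUNT, the monitored resource type
RESOURCE_TYPE, the resource label policy_name, and the JSON shape returned by
the Cloud Monitoring REST method projects.timeSeries.list. SAMPLE_RESPONSE is
constructed for the demo, not captured from a real project.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

REQUEST_COUNT = "networksecurity.googleapis.com/https/request_count"              # assumed
PREVIEWED_COUNT = "networksecurity.googleapis.com/https/previewed_request_count"  # assumed
RESOURCE_TYPE = "network_security_policy"                                         # assumed


def build_filter(metric_type, policy_name=None, backend=None, blocked=None):
    """Monitoring filter string narrowed by the dimensions the page lists."""
    parts = [f'metric.type = "{metric_type}"', f'resource.type = "{RESOURCE_TYPE}"']
    if policy_name is not None:
        parts.append(f'resource.labels.policy_name = "{policy_name}"')  # label name assumed
    if backend is not None:
        parts.append(f'metric.labels.backend_target_name = "{backend}"')
    if blocked is not None:
        value = "true" if blocked else "false"
        parts.append(f'metric.labels.blocked = "{value}"')
    return " AND ".join(parts)


def window(minutes):
    """Query interval ending now. Points are exported in one-minute batches, so a
    60-minute window holds up to 60 DELTA points per series."""
    end = datetime.now(timezone.utc)
    return {"startTime": (end - timedelta(minutes=minutes)).isoformat(),
            "endTime": end.isoformat()}


def summarize(time_series):
    """Sum the DELTA points of each series into per-backend totals.

    Keys: allowed / denied (enforced outcome, from request_count) and
    previewed_allowed / previewed_denied (from previewed_request_count).
    Previewed requests are also counted in request_count because they still
    receive an enforced outcome, so the two families must not be added together.
    """
    totals = defaultdict(lambda: {"allowed": 0, "denied": 0,
                                  "previewed_allowed": 0, "previewed_denied": 0})
    for ts in time_series:
        labels = ts["metric"]["labels"]
        outcome = "denied" if labels["blocked"] == "true" else "allowed"
        if ts["metric"]["type"] == PREVIEWED_COUNT:
            outcome = "previewed_" + outcome
        elif ts["metric"]["type"] != REQUEST_COUNT:
            continue  # ignore anything else a loose filter might have returned
        count = sum(int(p["value"]["int64Value"]) for p in ts["points"])
        totals[labels["backend_target_name"]][outcome] += count
    return dict(totals)


def denied_ratio_breaches(summary, max_ratio):
    """Backends whose denied share of enforced traffic exceeds max_ratio.

    Mirrors an alerting-policy condition: a sudden rise in the denied share on
    one backend usually means either an attack or a rule that is too broad.
    """
    hits = []
    for backend, t in sorted(summary.items()):
        total = t["allowed"] + t["denied"]
        if total and t["denied"] / total > max_ratio:
            hits.append(backend)
    return hits


def preview_would_deny(summary):
    """Backends where a preview-mode rule would have denied requests, with counts.

    Check this before switching a preview rule to enforce: a non-zero count on a
    backend you did not expect means the rule needs narrowing first.
    """
    return {b: t["previewed_denied"] for b, t in sorted(summary.items())
            if t["previewed_denied"] > 0}


def _series(metric_type, backend, blocked, values):
    """Build one constructed time series in the assumed timeSeries.list shape."""
    return {
        "metric": {"type": metric_type,
                   "labels": {"backend_target_name": backend, "blocked": blocked}},
        "resource": {"type": RESOURCE_TYPE, "labels": {"policy_name": "edge-policy"}},
        "metricKind": "DELTA", "valueType": "INT64",
        "points": [{"value": {"int64Value": str(v)}} for v in values],
    }


# Constructed sample: two backends behind one policy, minute buckets collapsed
# to a few points each. Not real data.
SAMPLE_RESPONSE = {"timeSeries": [
    _series(REQUEST_COUNT, "web-backend", "false", [500, 400]),
    _series(REQUEST_COUNT, "web-backend", "true", [60, 40]),
    _series(REQUEST_COUNT, "api-backend", "false", [1000]),
    _series(REQUEST_COUNT, "api-backend", "true", [5]),
    _series(PREVIEWED_COUNT, "web-backend", "true", [30]),
]}

if __name__ == "__main__":
    print(build_filter(REQUEST_COUNT, policy_name="edge-policy"))
    totals = summarize(SAMPLE_RESPONSE["timeSeries"])
    print(totals)
    print("denied share above 5%:", denied_ratio_breaches(totals, 0.05))
    print("preview rules would deny:", preview_would_deny(totals))
```

For live data, send the string from build_filter and the interval from window to the Cloud Monitoring REST method projects.timeSeries.list (or the equivalent call in the google-cloud-monitoring client library) and pass the returned timeSeries list to summarize; the int64Value-as-string form used in the sample is the REST JSON encoding. The denied-share check is the same condition you would express in an alerting policy, and keeping it out of band lets you tune the threshold against historical data before a noisy alert goes to a notification channel.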

What's next