Google Cloud Armor exports monitoring data from security policies to Cloud Monitoring. You can use monitoring metrics to check whether your policies are working as intended or to troubleshoot problems. For example, you can view the traffic that was blocked or allowed for each backend service. You can monitor the metrics of a single security policy (which can be applied to multiple backend services) or a single backend service.
In addition to the predefined dashboards in Monitoring, you can create custom dashboards, set up alert policies, and query the metrics through the Cloud Monitoring API.
On the Monitoring dashboard, Open incidents are driven by the alerting policies that you configure. Alerts appear as incidents on the dashboard when the alert is triggered. These are general functions of Monitoring.
There are no Monitoring logs for Security Command Center.
For complete information about Monitoring, see the Cloud Monitoring documentation.
Viewing the monitoring dashboard
You can monitor the status and request traffic volumes (allowed, denied, or previewed) on a per-policy and per-backend-service basis by using the preconfigured Network Security Policies resource dashboard in Cloud Monitoring.
To view the dashboard, follow these steps:
In the Google Cloud Console, go to Monitoring.
Select Dashboards, and then select the dashboard named Network Security Policies.
Click the name of your policy.
When you access the dashboard, you see overall metrics on the right. These include request volume metrics for requests evaluated by a security policy broken down by outcome: allowed, denied, previewed allowed, previewed denied. Metrics can be observed at varying levels of granularity, including per-project, per-policy, and per-backend-service.
When you click a policy name, you see details about the policy.
Defining custom dashboards
To create custom Monitoring dashboards over Network Security Policy metrics, follow these steps:
In the Google Cloud Console, go to Monitoring.
Click Dashboards, and then click Create dashboard.
Create a name for your dashboard, and then click Confirm.
Click Add chart.
Give the chart a title.
Select metrics and filters. For metrics, the resource type is Network Security Policy.
Defining alerting policies
You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.
To create an alerting policy that monitors one or more Network Security Policy resources, follow these steps:
- In the Google Cloud Console, go to the Monitoring page.
If you have never used Cloud Monitoring, then on your first access of Monitoring in the Google Cloud Console, a Workspace is automatically created and your project is associated with that Workspace. Otherwise, if your project isn't associated with a Workspace, then a dialog appears and you can either create a Workspace or add your project to an existing Workspace. We recommend that you create a Workspace. After you make your selection, click Add.
- In the Monitoring navigation pane, select notificationsAlerting, and then select Create policy.
- Click Add condition:
- The settings in the Target pane specify the resource and metric to be monitored. In the Find resource type and metric field, select the resource Network Security Policy. Next, select a metric from the metrics list.
- The settings in the Configuration pane of the alerting policy determine when the alert is triggered. Most fields in this pane are populated with default values. For more information about the fields in the pane, see Configuration in the Alerting policies documentation.
- Click Add.
- To advance to the notifications section, click Next.
- Optional: To add notifications to your alerting policy, click
Notification channels. In the dialog, select one or more notification
channels from the menu, and then click OK.
If a notification channel that you want to add isn't listed, then click Manage notification channels. You are taken to the Notification channels page in a new browser tab. From this page, you can update the configured notification channels. After you have completed your updates, return to the original tab, click autorenewRefresh, and then select the notification channels to add to the alerting policy.
- To advance to the documentation section, click Next.
- Click Name and enter a name for the alerting policy.
- Optional: Click Documentation, and then add any information that you want included in a notification message.
- Click Save.
Metric reporting frequency and retention
Metrics for the Google Cloud Armor security policies are exported to Cloud Monitoring in one-minute granularity batches. Monitoring data is retained for six weeks. The dashboard provides data analysis in the following default intervals:
- 1H (one hour)
- 6H (six hours)
- 1D (one day)
- 1W (one week)
- 6W (six weeks)
Using the controls in the upper-right corner of the Monitoring page, you can manually request analysis in any interval from 6W to 1 minute.
Monitoring metrics for security policies
The following metrics are reported on the Network Security Policies dashboard:
|Requests count||The number of requests processed by a Google Cloud Armor security policy.|
|Previewed Requests count||
The number of requests that match preview-mode rules. Previewed Requests are logged, but the corresponding action is not enforced.
The Previewed Requests counts are included in the preceding Requests count metric because all requests are expected to match a configured non-preview rule or the default rule.
Filtering dimensions for security policies
Metrics are aggregated for each Google Cloud Armor security policy. You can filter aggregated metrics by the following dimensions:
|backend_target_name||Track requests based on the backend target (service) that the traffic was destined to.|
|blocked||Track requests based on whether they were allowed or blocked by the security policy rules.|