Configuring Threat Intelligence

Google Cloud Armor Threat Intelligence lets you secure your traffic by allowing or blocking traffic to your external HTTP(S) load balancers based on several categories of threat intelligence data. Threat Intel data is divided into the following categories:

  • Tor exit nodes: Tor is open-source software which enables anonymous communication. To exclude users who hide their identity, lock the IP addresses of Tor exit nodes (points at which traffic exits the Tor network).
  • Known malicious IP addresses: IP addresses that need to be blocked to improve your application's security posture because attacks on web applications are known to originate there.
  • Search engines: IP addresses that you can allow to enable site indexing.
  • Public cloud IP address ranges: This category can be either blocked to avoid malicious automated tools from browsing web applications, or allowed if your service uses other public clouds.

To use Threat Intel, you define security policy rules that allow or block traffic based on some or all of these categories using the evaluateThreatIntelligence match expression, along with a feed name that represents one of the above categories.

Configure Threat Intel

To use Threat Intel, you configure security policy rules using the evaluateThreatIntelligence('FEED_NAME') match expression, providing a FEED_NAME based on the category that you want to allow or block. Information within each feed is continually updated, protecting services from new threats without additional configuration steps. The valid arguments are as follows:

Feed name Description
iplist-tor-exit-nodes Matches Tor exit nodes' IP addresses
iplist-known-malicious-ips Matches IP addresses known to attack web applications
iplist-search-engines-crawlers Matches IP addresses of search engine crawlers
iplist-public-clouds Matches IP addresses belonging to public clouds

You can configure a new security policy rule using the following gcloud command, with a FEED_NAME from the previous table and any ACTION (like allow or deny).

gcloud beta compute security-policies rules create 1000 \
    --security-policy=NAME \
    --expression="evaluateThreatIntelligence('FEED_NAME')" \

If you want to exclude an IP address or IP address range that Threat Intel might otherwise block from evaluation, you can add the address to the exclusion list using the following expression, replacing <var>ADDRESS</var> with the address or address range that you want to exclude.

evaluateThreatIntelligence('iplist-known-malicious-ips', ['ADDRESS'])

What's next