Google Cloud Armor Threat Intelligence lets Google Cloud Armor Enterprise subscribers secure their traffic by allowing or blocking traffic to their external Application Load Balancers based on several categories of threat intelligence data. Threat Intelligence data is divided into the following categories:
- Tor exit nodes: Tor is open-source software that enables anonymous communication. To exclude users who hide their identity, block the IP addresses of Tor exit nodes (points at which traffic exits the Tor network).
- Known malicious IP addresses: IP addresses that need to be blocked to improve your application's security posture because attacks on web applications are known to originate there.
- Search engines: IP addresses that you can allow to enable site indexing.
- VPN providers: IP addresses that are used by low-reputation VPN providers. This category can be blocked to deny attempts to circumnavigate IP address-based rules.
- Anonymous proxies: IP addresses that are used by known anonymous proxies.
- Crypto miners: IP addresses that are used by known cryptocurrency mining websites.
- Public cloud IP address ranges: This category can be either blocked to avoid malicious automated tools from browsing web applications or allowed if your service uses other public clouds.
To use Threat Intelligence, you define security policy rules that allow or block
traffic based on some or all of these categories by using the
evaluateThreatIntelligence match expression along with a feed name that
represents one of the preceding categories. In addition, you must subscribe to
Cloud Armor Enterprise. For more information about Cloud Armor Enterprise,
see the
Cloud Armor Enterprise overview.
Configure Threat Intelligence
To use Threat Intelligence, you configure security policy rules by using the
evaluateThreatIntelligence('FEED_NAME') match
expression, providing a FEED_NAME based on
the category that you want to allow or block. Information within each feed is
continually updated, protecting services from new threats without additional
configuration steps. The valid arguments are as follows.
| Feed name | Description |
|---|---|
iplist-tor-exit-nodes |
Matches Tor exit nodes' IP addresses |
iplist-known-malicious-ips |
Matches IP addresses known to attack web applications |
iplist-search-engines-crawlers |
Matches IP addresses of search engine crawlers |
iplist-vpn-providers |
Matches IP address ranges that are used by low-reputation VPN providers |
iplist-anon-proxies |
Matches IP address ranges that belong to open anonymous proxies |
iplist-crypto-miners |
Matches IP address ranges that belong to crypto mining sites |
iplist-cloudflare |
Matches IPv4 and IPv6 address ranges of Cloudflare proxy services |
iplist-fastly |
Matches IP address ranges of Fastly proxy services |
iplist-imperva |
Matches IP address ranges of Imperva proxy services |
iplist-public-clouds
|
Matches IP addresses belonging to public clouds
|
You can configure a new security policy rule using the following gcloud command,
with a FEED_NAME from the previous table and any ACTION
like allow, deny, or throttle. For more information about rule actions,
see policy types.
gcloud compute security-policies rules create 1000 \
--security-policy=NAME \
--expression="evaluateThreatIntelligence('FEED_NAME')" \
--action="ACTION"
If you want to exclude an IP address or IP address range that Threat Intelligence
might otherwise block from evaluation, you can add the address to the exclusion list using the
following expression, replacing ADDRESS with the address or address
range that you want to exclude.
evaluateThreatIntelligence('iplist-known-malicious-ips', ['ADDRESS'])
Use named IP address lists
Google Cloud Armor-named IP address lists let you reference lists of IP addresses and IP ranges that are maintained by third-party providers. You can configure named IP address lists within a security policy. You don't need to manually specify each IP address or IP range individually.
In this document, the terms IP address and IP address list include IP address ranges.
Named IP address lists are lists of IP addresses grouped under different names. The name typically refers to the provider. Named IP address lists are not subject to the quota limit on the number of IP addresses per rule.
Named IP address lists are not security policies. You incorporate them into a security policy by referencing them as expressions the same way that you reference a preconfigured rule.
For example, if a third-party provider has an IP address list of {ip1, ip2,
ip3....ip_N_} under the name provider-a, you can create a security rule that
allows all IP addresses that are in the provider-a list and excludes IP
addresses that are not in that list:
gcloud beta compute security-policies rules create 1000 \
--security-policy POLICY_NAME \
--expression "evaluatePreconfiguredExpr('provider-a')" \
--action "allow"
You cannot create your own custom named IP address lists. This feature is available only with respect to named IP address lists that are maintained by third-party providers that partner with Google. If such named IP address lists don't meet your needs, you can create a security policy where the rules allow or deny access to your resources based on the IP address from which requests originate. For more information, see Configure Google Cloud Armor security policies.
To use named IP address lists, you must subscribe to Google Cloud Armor Enterprise and enroll projects in Cloud Armor Enterprise. For more information, see Availability of named IP address lists.
Allowing traffic only from permitted third-party providers
A typical use case is to create an allowlist containing the IP addresses of a permitted third-party partner to ensure that only traffic coming from this partner can access the load balancer and the backends.
For example, CDN providers need to pull content from origin servers at regular intervals to distribute them to their own caches. A partnership with Google provides a direct connection between CDN providers and the Google network edge. CDN users on Google Cloud can use this direct connection during origin pulls. In this case, the CDN user might want to build a security policy that only allows traffic coming from that particular CDN provider.
In this example, a CDN provider publishes its IP address list
23.235.32.0/20, 43.249.72.0/22, ⋯,. A CDN user configures a security rule
that only allows traffic coming from these IP addresses. As a result, two
CDN provider access points are allowed (23.235.32.10 and 43.249.72.10) and
their traffic is therefore permitted. Traffic from the unauthorized access point
198.51.100.1 is blocked.
Simplifying configuration and management by using preconfigured rules
CDN providers often use IP addresses that are well-known and that many CDN users need to use. These lists change over time, as providers add, remove, and update the IP addresses.
Using a named IP address list in a security policy rule simplifies the process of configuring and managing IP addresses because Google Cloud Armor automatically synchronizes information from CDN providers on a daily basis. This eliminates the time-consuming and error-prone process of maintaining a large IP address list manually.
The following is an example of a preconfigured rule that allows all traffic from a provider:
evaluatePreconfiguredExpr('provider-a') => allow traffic
IP address list providers
The IP address list providers in the following table are supported for Google Cloud Armor. These are CDN providers that have partnered with Google. Their IP address lists are published through individual public URLs.
These partners provide separate lists of IPv4 addresses and IPv6 addresses. Google Cloud Armor uses the provided URLs to fetch lists, and then converts the lists into named IP address lists. You refer to the lists by the names in the table.
For example, the following code creates a rule in the security policy
POLICY_NAME with priority 750, incorporating the named IP
address list from Cloudflare and allowing access from those IP addresses:
gcloud beta compute security-policies rules create 750 \
--security-policy POLICY_NAME \
--expression "evaluatePreconfiguredExpr('sourceiplist-cloudflare')" \
--action "allow"
| Provider | URLs | IP address list name |
|---|---|---|
| Fastly | https://api.fastly.com/public-ip-list |
sourceiplist-fastly |
| Cloudflare |
|
sourceiplist-cloudflare |
| Imperva |
Access to Imperva's list requires a
|
sourceiplist-imperva |
To list the preconfigured named IP address lists, use this gcloud CLI command:
gcloud compute security-policies list-preconfigured-expression-sets \
--filter="id:sourceiplist"
This returns:
EXPRESSION_SET sourceiplist-fastly sourceiplist-cloudflare sourceiplist-imperva
Synchronizing IP address lists
Google Cloud Armor synchronizes IP address lists with each provider only when it detects changes that are in a valid format. Google Cloud Armor performs basic syntax validation on the IP addresses in all lists.
Availability of named IP address lists
Google Cloud Armor Enterprise is in general availability. The availability of named IP address lists from third parties is as follows:
- If you are subscribed to the Google Cloud Armor Enterprise tier, you are licensed to use named IP address lists in enrolled projects. You can create, update, and delete rules with named IP address lists.
- If your Google Cloud Armor Enterprise tier subscription expires, or you otherwise return to Standard tier, you cannot add or modify rules with named IP address lists, but you can delete existing rules and update rules to remove a named IP list.
- For projects that already include rules with named IP address lists and that you did not enroll in Google Cloud Armor Enterprise, you can continue to use, update, and delete existing rules with named IP address lists. In such projects, you can create new rules that incorporate named IP address lists.
What's next
- Configure Google Cloud Armor security policies
- View pricing for Cloud Armor Enterprise tiers
- Troubleshoot issues