Google Cloud Armor Threat Intelligence lets Google Cloud Armor Managed Protection Plus subscribers secure their traffic by allowing or blocking traffic to their external HTTP(S) load balancers based on several categories of threat intelligence data. Threat Intelligence data is divided into the following categories:
- Tor exit nodes: Tor is open-source software that enables anonymous communication. To exclude users who hide their identity, block the IP addresses of Tor exit nodes (points at which traffic exits the Tor network).
- Known malicious IP addresses: IP addresses that need to be blocked to improve your application's security posture because attacks on web applications are known to originate there.
- Search engines: IP addresses that you can allow to enable site indexing.
- Public cloud IP address ranges: This category can be blocked to prevent malicious automated tools hosted in public clouds from browsing web applications, or allowed if your service uses other public clouds.
To use Threat Intelligence, you define security policy rules that allow or block traffic based on some or all of these categories by using the `evaluateThreatIntelligence` match expression along with a feed name that represents one of the preceding categories. In addition, you must subscribe to Managed Protection Plus. For more information about Managed Protection, see the Managed Protection overview.
Configure Threat Intelligence
To use Threat Intelligence, you configure security policy rules by using the `evaluateThreatIntelligence('FEED_NAME')` match expression, providing a `FEED_NAME` based on the category that you want to allow or block. Information within each feed is continually updated, protecting services from new threats without additional configuration steps. The valid arguments are as follows.
Feed name | Description |
---|---|
`iplist-tor-exit-nodes` | Matches Tor exit nodes' IP addresses |
`iplist-known-malicious-ips` | Matches IP addresses known to attack web applications |
`iplist-search-engines-crawlers` | Matches IP addresses of search engine crawlers |
`iplist-cloudflare` | Matches IPv4 and IPv6 address ranges of Cloudflare proxy services |
`iplist-fastly` | Matches IP address ranges of Fastly proxy services |
`iplist-imperva` | Matches IP address ranges of Imperva proxy services |
`iplist-public-clouds` | Matches IP addresses belonging to public clouds |
You can configure a new security policy rule by using the following gcloud command, with a `FEED_NAME` from the previous table and any `ACTION` like `allow`, `deny`, or `throttle`. For more information about rule actions, see policy types.

```
gcloud compute security-policies rules create 1000 \
    --security-policy=NAME \
    --expression="evaluateThreatIntelligence('FEED_NAME')" \
    --action="ACTION"
```
If you want to exclude an IP address or IP address range that Threat Intelligence might otherwise block from evaluation, you can add the address to the exclusion list by using the following expression. Replace `ADDRESS` with the address or address range that you want to exclude.

```
evaluateThreatIntelligence('iplist-known-malicious-ips', ['ADDRESS'])
```
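As an added example (not from the Cloud Armor documentation), the following script layers several Threat Intelligence rules on one policy: an explicit allow for crawlers evaluated before the deny rules, an exclusion list on the malicious-IP feed, and a throttle rather than a block on public cloud ranges. The policy name `ti-policy`, the excluded addresses and the rate-limit values are assumptions; set `DRY_RUN=1` to print the gcloud commands instead of running them.

```shell
# Added example, not Cloud Armor's own code. Assumes a Managed Protection Plus
# subscription and an existing security policy named by POLICY (assumed name).
set -eu
POLICY="${POLICY:-ti-policy}"

# Build the match expression for a feed. A comma-separated list of addresses
# or CIDRs becomes the exclusion list passed as the second argument.
ti_expr() {
  feed="$1"; excl="${2:-}"
  if [ -z "$excl" ]; then
    printf "evaluateThreatIntelligence('%s')" "$feed"
    return
  fi
  quoted=""
  for a in $(printf '%s' "$excl" | tr ',' ' '); do
    quoted="${quoted}'${a}',"
  done
  printf "evaluateThreatIntelligence('%s', [%s])" "$feed" "${quoted%,}"
}

# Create (or, with DRY_RUN=1, print) one rule. Any gcloud flags after the
# fourth argument are passed through, e.g. the throttle settings below.
ti_rule() {
  priority="$1"; feed="$2"; action="$3"; excl="$4"; shift 4
  match=$(ti_expr "$feed" "$excl")
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "gcloud compute security-policies rules create $priority" \
         "--security-policy=$POLICY --expression=\"$match\" --action=$action $*"
  else
    gcloud compute security-policies rules create "$priority" \
      --security-policy="$POLICY" --expression="$match" --action="$action" "$@"
  fi
}

# Lower priority numbers are evaluated first: allow crawlers before any
# deny or throttle rule so site indexing is never caught by a broader match.
apply_threat_intel_rules() {
  ti_rule 1000 iplist-search-engines-crawlers allow ""
  ti_rule 2000 iplist-tor-exit-nodes deny-403 ""
  # 203.0.113.10 and 198.51.100.0/24 are constructed placeholders for trusted
  # sources (e.g. your own scanner) that the feed might otherwise flag.
  ti_rule 3000 iplist-known-malicious-ips deny-403 "203.0.113.10,198.51.100.0/24"
  # Throttle public clouds instead of blocking them: legitimate integrations
  # often originate there, while automated abuse is rate-limited per client IP.
  ti_rule 4000 iplist-public-clouds throttle "" \
    --rate-limit-threshold-count=100 --rate-limit-threshold-interval-sec=60 \
    --conform-action=allow --exceed-action=deny-429
}
if [ "${1:-}" = "apply" ]; then apply_threat_intel_rules; fi
```

Run it as `DRY_RUN=1 sh script.sh apply` to review the four generated commands before applying them for real.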
What's next
- Configure Google Cloud Armor security policies
- View pricing for Managed Protection tiers
- Troubleshoot issues