Configuring Threat Intelligence

Google Cloud Armor Threat Intelligence lets Google Cloud Armor Managed Protection Plus subscribers secure their traffic by allowing or blocking traffic to their external HTTP(S) load balancers based on several categories of threat intelligence data. Threat Intelligence data is divided into the following categories:

  • Tor exit nodes: Tor is open-source software that enables anonymous communication. To exclude users who hide their identity, block the IP addresses of Tor exit nodes (points at which traffic exits the Tor network).
  • Known malicious IP addresses: IP addresses that are known sources of attacks on web applications; block them to improve your application's security posture.
  • Search engines: IP addresses that you can allow to enable site indexing.
  • Public cloud IP address ranges: Block this category to prevent malicious automated tools hosted in public clouds from browsing your web applications, or allow it if your service uses other public clouds.

To use Threat Intelligence, you define security policy rules that allow or block traffic based on some or all of these categories by using the evaluateThreatIntelligence match expression along with a feed name that represents one of the preceding categories. In addition, you must subscribe to Managed Protection Plus. For more information about Managed Protection, see the Managed Protection overview.

Configure Threat Intelligence

To use Threat Intelligence, you configure security policy rules by using the evaluateThreatIntelligence('FEED_NAME') match expression, providing a FEED_NAME based on the category that you want to allow or block. Information within each feed is continually updated, protecting services from new threats without additional configuration steps. The valid arguments are as follows.

Feed name                        Description
iplist-tor-exit-nodes            Matches Tor exit nodes' IP addresses
iplist-known-malicious-ips       Matches IP addresses known to attack web applications
iplist-search-engines-crawlers   Matches IP addresses of search engine crawlers
iplist-cloudflare                Matches IPv4 and IPv6 address ranges of Cloudflare proxy services
iplist-fastly                    Matches IP address ranges of Fastly proxy services
iplist-imperva                   Matches IP address ranges of Imperva proxy services
iplist-public-clouds             Matches IP addresses belonging to public clouds
  • iplist-public-clouds-aws     Matches IP address ranges used by Amazon Web Services
  • iplist-public-clouds-azure   Matches IP address ranges used by Microsoft Azure
  • iplist-public-clouds-gcp     Matches IP address ranges used by Google Cloud

You can configure a new security policy rule by using the following gcloud command, with a FEED_NAME from the previous table and an ACTION such as allow, deny, or throttle. For more information about rule actions, see policy types.

gcloud compute security-policies rules create 1000 \
    --security-policy=NAME \
    --expression="evaluateThreatIntelligence('FEED_NAME')" \
    --action="ACTION"

If you want to exclude an IP address or IP address range that Threat Intelligence might otherwise block from evaluation, you can add the address to the exclusion list by using the following expression. Replace ADDRESS with the address or address range that you want to exclude.

evaluateThreatIntelligence('iplist-known-malicious-ips', ['ADDRESS'])
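As an added example (not code from the Cloud Armor documentation), the following bash script composes the rules create commands for a small rule set built from the feeds above: it validates feed names against the table, and uses the exclusion-list form shown above for the known-malicious feed. It assumes a policy named my-policy, an office range 203.0.113.0/24 to exempt, the deny-403 action value, and gcloud's --preview flag, none of which come from this page.

```bash
#!/usr/bin/env bash
# Added example: compose Cloud Armor Threat Intelligence rules from a feed list.
set -euo pipefail

POLICY="${POLICY:-my-policy}"   # assumed policy name; override via environment
DRY_RUN="${DRY_RUN:-1}"         # 1 = print the gcloud commands, 0 = run them

# Feed names taken from the table on this page.
VALID_FEEDS="iplist-tor-exit-nodes iplist-known-malicious-ips iplist-search-engines-crawlers
iplist-cloudflare iplist-fastly iplist-imperva iplist-public-clouds
iplist-public-clouds-aws iplist-public-clouds-azure iplist-public-clouds-gcp"

# Returns 0 when $1 is a feed name from the table, 1 otherwise.
is_valid_feed() {
  local f
  for f in $VALID_FEEDS; do [ "$f" = "$1" ] && return 0; done
  return 1
}

# Prints one "rules create" command. Args: priority feed action [exclusion ...]
# Extra args become the exclusion list: evaluateThreatIntelligence('FEED', ['A', 'B'])
ti_rule_cmd() {
  local priority="$1" feed="$2" action="$3"
  shift 3
  local expr="evaluateThreatIntelligence('${feed}'"
  if [ "$#" -gt 0 ]; then
    local list="" a
    for a in "$@"; do list="${list:+$list, }'$a'"; done
    expr="${expr}, [${list}]"
  fi
  expr="${expr})"
  # --preview (assumed gcloud flag) logs matches without enforcing the action.
  printf '%s' "gcloud compute security-policies rules create ${priority} --security-policy=${POLICY} --expression=\"${expr}\" --action=${action} --preview"
}

# Constructed rule set: lower priority numbers are evaluated first, so crawlers are
# allowed before the deny rules; the assumed office range is exempted from the
# known-malicious feed via the exclusion list.
apply_rules() {
  local spec cmd
  for spec in \
    "100 iplist-search-engines-crawlers allow" \
    "1000 iplist-tor-exit-nodes deny-403" \
    "1100 iplist-known-malicious-ips deny-403 203.0.113.0/24"; do
    set -- $spec
    is_valid_feed "$2" || { echo "unknown feed: $2" >&2; return 1; }
    cmd=$(ti_rule_cmd "$@")
    if [ "$DRY_RUN" = "1" ]; then echo "$cmd"; else eval "$cmd"; fi
  done
}

apply_rules
```

Run with DRY_RUN=0 once the printed commands look right; remove --preview from ti_rule_cmd to enforce the actions instead of only logging matches.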
