Google Cloud Armor Threat Intelligence lets you allow or block traffic to your external HTTP(S) load balancers based on several categories of threat intelligence data. Threat Intelligence data is divided into the following categories:
- Tor exit nodes: Tor is open-source software that enables anonymous communication. To exclude users who hide their identity, block the IP addresses of Tor exit nodes (the points at which traffic exits the Tor network).
- Known malicious IP addresses: IP addresses that should be blocked to improve your application's security posture because attacks on web applications are known to originate from them.
- Search engines: IP addresses that you can allow to enable site indexing.
- Public cloud IP address ranges: This category can either be blocked, to prevent malicious automated tools from browsing web applications, or allowed, if your service uses other public clouds.
To use Threat Intelligence, you define security policy rules that allow or block
traffic based on some or all of these categories by using the
evaluateThreatIntelligence match expression along with a feed name that
represents one of the preceding categories.
Configure Threat Intelligence
To use Threat Intelligence, you configure security policy rules using the
evaluateThreatIntelligence match expression, providing a FEED_NAME based on
the category that you want to allow or block. Information within each feed is
continually updated, protecting services from new threats without additional
configuration steps. The valid arguments are as follows:
| FEED_NAME | Description |
|---|---|
| | Matches Tor exit nodes' IP addresses |
| | Matches IP addresses known to attack web applications |
| | Matches IP addresses of search engine crawlers |
| | Matches IPv4 and IPv6 address ranges of Cloudflare proxy services |
| | Matches IP address ranges of Fastly proxy services |
| | Matches IP address ranges of Imperva proxy services |
| | Matches IP addresses belonging to public clouds |
You can configure a new security policy rule using the following gcloud command,
with a FEED_NAME from the previous table and any ACTION, for example
throttle. For more information about rule actions,
see policy types.

```shell
gcloud compute security-policies rules create 1000 \
    --security-policy=NAME \
    --expression="evaluateThreatIntelligence('FEED_NAME')" \
    --action="ACTION"
```
If you want to exclude an IP address or IP address range that Threat Intelligence
might otherwise block from evaluation, you can add the address to the exclusion list using the
following expression, replacing ADDRESS with the address or address
range that you want to exclude.
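The rule configuration above and the exclusion list it describes are easier to reason about when you can see how a policy made of several feed-based rules behaves against concrete client addresses. The following Python script is an added example, not Google's code or Cloud Armor's evaluation engine: it is a simplified local model in which rules are evaluated in ascending priority order, the first matching rule's action wins, and a feed match is suppressed for any address on that rule's exclusion list. The feed names follow Cloud Armor's documented feed list (this excerpt's table has lost them), but the feed contents are constructed sample ranges from documentation address space, not the real feeds, and the `Rule`, `evaluate_threat_intelligence` and `evaluate_policy` names are this example's own.

```python
"""Local model of Cloud Armor Threat Intelligence rule evaluation (added example).

Assumptions (not from the page): rules are tried lowest priority number first,
the first match decides the action, and an excluded address never matches the
feed of the rule that excludes it, so evaluation falls through to later rules.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import ipaddress

# Constructed sample feeds. Names follow Cloud Armor's documented feed names;
# the ranges are RFC 5737 documentation space and are NOT the real feed data.
SAMPLE_FEEDS: Dict[str, List[str]] = {
    "iplist-tor-exit-nodes": ["198.51.100.0/24"],
    "iplist-known-malicious-ips": ["203.0.113.7/32", "203.0.113.64/26"],
    "iplist-search-engines-crawlers": ["192.0.2.0/27"],
    "iplist-public-clouds": ["203.0.113.0/24"],
}


@dataclass
class Rule:
    priority: int                    # lower number is evaluated first
    action: str                      # "allow", "deny" or "throttle"
    feed: Optional[str] = None       # None: matches every request (default rule)
    exclusions: List[str] = field(default_factory=list)  # addresses/ranges never matched


def evaluate_threat_intelligence(client_ip: str, feed: str,
                                 exclusions=(), feeds=SAMPLE_FEEDS) -> bool:
    """Model of evaluateThreatIntelligence('FEED_NAME') with an exclusion list."""
    ip = ipaddress.ip_address(client_ip)
    # An excluded address or range is removed from evaluation for this rule.
    if any(ip in ipaddress.ip_network(x, strict=False) for x in exclusions):
        return False
    # Mixed IPv4/IPv6 comparisons simply return False, so both families are safe here.
    return any(ip in ipaddress.ip_network(n, strict=False) for n in feeds[feed])


def evaluate_policy(client_ip: str, rules: List[Rule],
                    feeds=SAMPLE_FEEDS) -> Tuple[str, int]:
    """Return (action, priority) of the first rule that matches the client IP."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.feed is None or evaluate_threat_intelligence(
                client_ip, rule.feed, rule.exclusions, feeds):
            return rule.action, rule.priority
    raise ValueError("policy has no default rule")


# Example policy: deny anonymisers and known-bad sources, keep crawlers reachable,
# rate-limit public cloud ranges, allow everything else. The exclusion on the
# known-malicious rule stands in for, say, an address you own that a feed lists.
POLICY = [
    Rule(1000, "deny", "iplist-tor-exit-nodes"),
    Rule(1100, "deny", "iplist-known-malicious-ips", exclusions=["203.0.113.7"]),
    Rule(1200, "allow", "iplist-search-engines-crawlers"),
    Rule(1300, "throttle", "iplist-public-clouds"),
    Rule(2147483647, "allow"),  # default rule, lowest precedence
]


if __name__ == "__main__":
    # Constructed client addresses exercising each rule and the exclusion path.
    for client in ["198.51.100.9", "203.0.113.7", "203.0.113.70",
                   "192.0.2.5", "192.0.2.200", "2001:db8::1"]:
        action, priority = evaluate_policy(client, POLICY)
        print(f"{client:>16} -> {action:8} (rule {priority})")
```

The interesting case is 203.0.113.7: it is listed in the constructed known-malicious feed, but the exclusion removes it from that rule, so evaluation continues and the public-cloud throttle rule at priority 1300 matches instead. This is why priorities matter when you combine allow and deny rules over overlapping feeds: an allow rule for search engine crawlers placed after a deny rule covering the same range would never be reached.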
- Configure Google Cloud Armor security policies
- View pricing for Managed Protection tiers
- Troubleshoot issues