Configuring Threat Intelligence

Stay organized with collections Save and categorize content based on your preferences.

Google Cloud Armor Threat Intelligence lets you secure your traffic by allowing or blocking traffic to your external HTTP(S) load balancers based on several categories of threat intelligence data. Threat Intelligence data is divided into the following categories:

  • Tor exit nodes: Tor is open-source software which enables anonymous communication. To exclude users who hide their identity, block the IP addresses of Tor exit nodes (points at which traffic exits the Tor network).
  • Known malicious IP addresses: IP addresses that need to be blocked to improve your application's security posture because attacks on web applications are known to originate there.
  • Search engines: IP addresses that you can allow to enable site indexing.
  • Public cloud IP address ranges: This category can be either blocked to avoid malicious automated tools from browsing web applications, or allowed if your service uses other public clouds.

To use Threat Intelligence, you define security policy rules that allow or block traffic based on some or all of these categories by using the evaluateThreatIntelligence match expression along with a feed name that represents one of the preceding categories.

Configure Threat Intelligence

To use Threat Intelligence, you configure security policy rules using the evaluateThreatIntelligence('FEED_NAME') match expression, providing a FEED_NAME based on the category that you want to allow or block. Information within each feed is continually updated, protecting services from new threats without additional configuration steps. The valid arguments are as follows:

Feed name Description
iplist-tor-exit-nodes Matches Tor exit nodes' IP addresses
iplist-known-malicious-ips Matches IP addresses known to attack web applications
iplist-search-engines-crawlers Matches IP addresses of search engine crawlers
iplist-cloudflare Matches IPv4 and IPv6 address ranges of Cloudflare proxy services
iplist-fastly Matches IP address ranges of Fastly proxy services
iplist-imperva Matches IP address ranges of Imperva proxy services
iplist-public-clouds
  • iplist-public-clouds-aws
  • iplist-public-clouds-azure
  • iplist-public-clouds-gcp
Matches IP addresses belonging to public clouds
  • Matches IP address ranges used by Amazon Web Services
  • Matches IP address ranges used by Microsoft Azure
  • Matches IP address ranges used by Google Cloud

You can configure a new security policy rule using the following gcloud command, with a FEED_NAME from the previous table and any ACTION like allow, deny, or throttle. For more information about rule actions, see policy types.

gcloud compute security-policies rules create 1000 \
    --security-policy=NAME \
    --expression="evaluateThreatIntelligence('FEED_NAME')" \
    --action="ACTION"

If you want to exclude an IP address or IP address range that Threat Intelligence might otherwise block from evaluation, you can add the address to the exclusion list using the following expression, replacing <var>ADDRESS</var> with the address or address range that you want to exclude.

evaluateThreatIntelligence('iplist-known-malicious-ips', ['ADDRESS'])

What's next