Enabling scans from static IPs

This page describes how to enable the Web Security Scanner scans from static IPs feature. When you enable this feature, Web Security Scanner uses predictable IP addresses to scan your public Compute Engine and Google Kubernetes Engine (GKE) applications. This feature is currently in alpha, and the Web Security Scanner IP addresses might change in a future release.

Before you begin

To use the Web Security Scanner scans from static IPs feature, you need:

  • A public Compute Engine or GKE application. This feature currently doesn't support App Engine applications.
  • A scan created with no authentication, or with Google account authentication. This feature currently doesn't support scans that use non-Google account authentication.

Setting up a scan from static IPs

Step 1: Configuring the Firewall

After you sign up for the scans from static IPs alpha, configure your firewall to allow the Web Security Scanner IP addresses:

  1. Go to the Firewall rules page in the Cloud Console.
  2. Click Select, and then select your project.
  3. On the Firewall rules page that appears, click Create Firewall Rule.
  4. On the Create a firewall rule page, set the following values:
    1. Name: enter web-security-scanner or a similar name.
    2. Priority: select a higher priority (lower number value) than all of the rules that deny egress traffic to your application.
    3. Source IP ranges: enter 34.66.18.0/26 and 34.66.114.64/26.
    4. Protocols and ports: select Allow all or specify the protocols and ports for your application. In most cases, you can select the tcp checkbox and then enter 80 and 443 for the ports.
  5. When you're finished setting values, click Create.
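The priority guidance in step 4 can be checked offline against an export of your rules. The following is an added example, not part of the original page or of Web Security Scanner: it evaluates rules in the JSON shape produced by `gcloud compute firewall-rules list --format=json` and reports which scanner range and port combinations are still denied. The sample rules are constructed, and the check assumes every rule targets the application's instances (target tags, service accounts and hierarchical policies are ignored).

```python
import ipaddress

# Source ranges and ports from Step 1 of this page (alpha ranges, may change).
SCANNER_RANGES = ["34.66.18.0/26", "34.66.114.64/26"]
PORTS = [80, 443]

def _covers_port(entries, port):
    """True if any allowed/denied entry applies to this TCP port."""
    for e in entries:
        if e["IPProtocol"] not in ("tcp", "6", "all"):
            continue
        spans = [p.split("-") for p in e.get("ports", [])]
        # No "ports" key means every port of the protocol.
        if not spans or any(int(s[0]) <= port <= int(s[-1]) for s in spans):
            return True
    return False

def verdict(rules, cidr, port):
    """Return (action, rule_name) deciding TCP ingress from cidr to port.
    Assumption: every rule targets the application's instances."""
    net = ipaddress.ip_network(cidr)
    hits = []
    for r in rules:
        if r.get("direction") != "INGRESS" or r.get("disabled"):
            continue
        srcs = [s for s in map(ipaddress.ip_network, r.get("sourceRanges", []))
                if s.version == net.version]
        # A deny matters if it touches any scanner address; an allow only
        # counts if it covers the whole scanner range.
        if _covers_port(r.get("denied", []), port) and any(net.overlaps(s) for s in srcs):
            hits.append((r["priority"], 0, "deny", r["name"]))
        elif _covers_port(r.get("allowed", []), port) and any(net.subnet_of(s) for s in srcs):
            hits.append((r["priority"], 1, "allow", r["name"]))
    if not hits:
        return ("deny", "implied-deny-ingress")  # VPC default for ingress
    # Lowest priority number wins; on a tie, deny beats allow.
    return min(hits)[2:]

def blocked(rules):
    """List (cidr, port, rule) combinations the scanner could not reach."""
    return [(c, p, verdict(rules, c, p)[1]) for c in SCANNER_RANGES
            for p in PORTS if verdict(rules, c, p)[0] == "deny"]

# Constructed sample: the allow rule sits below a broader deny rule.
SAMPLE_RULES = [
    {"name": "deny-external", "direction": "INGRESS", "priority": 900,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "web-security-scanner", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": SCANNER_RANGES,
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
]
```

With the sample rules, `blocked(SAMPLE_RULES)` lists all four range and port combinations as denied by `deny-external`; giving the allow rule a priority number below 900 empties the list.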

Step 2: Configuring the scan

After you configure your firewall to allow the Web Security Scanner predictable IP addresses, configure the scan to use pre-defined IPs:

  1. Go to the Web Security Scanner page in the Cloud Console.
  2. Click Select, and then select your project.
  3. Create a new scan or edit an existing scan.
  4. Select the Run scans from a pre-defined set of source IPs checkbox.
  5. Save the scan.

The next time the scan runs, it will scan the public Compute Engine and GKE applications that are behind the firewall.

What's next