Google Cloud: Traffic blacklisting using Cloud Armor

Overview

Google Cloud Armor security policies protect your application with Layer 7 filtering: they inspect incoming requests for common web attacks and other Layer 7 attributes and can block traffic before it reaches your load-balanced backend services or backend buckets. Each security policy is a set of rules that filter traffic on conditions such as the request's source IP address or IP range, region code, or request headers.

Google Cloud Armor security policies are available only for backend services behind an external HTTP(S) load balancer. The load balancer can be in Premium Tier or Standard Tier.

The backends behind the backend service can be instance groups or network endpoint groups (NEGs); this lab uses a managed instance group.

When you use Google Cloud Armor to protect a hybrid deployment or a multi-cloud architecture, the backends must be internet NEGs. Google Cloud Armor also protects serverless NEGs when traffic is routed through a load balancer. To ensure that only traffic that has been routed through your load balancer reaches your serverless NEG, see Ingress controls. The same concern applies to VM backends: Cloud Armor only evaluates requests that arrive through the load balancer, so a backend instance that is reachable directly on its own external IP is not protected by the policy.

Lab Details:

  1. This lab walks you through Traffic blacklisting using Cloud Armor.
  2. You will create a Cloud Armor security policy that blocks traffic to a load-balanced backend service.

Lab Tasks:

  1. Creating an instance template and a managed instance group.
  2. Creating a test instance.
  3. Creating an HTTP load balancer.
  4. Creating a Cloud Armor security policy.
  5. Testing the output.

Creating an Instance Template

  1. Click on the hamburger icon on the top left corner.
  2. Click on Compute Engine under the Compute section.
  3. In the left sidebar, click on Instance templates.
  4. Click on Create Instance Template from the top bar.
  5. Enter any instance template name like cloudblogg-instance-template.
  6. Choose the machine series as N1.
  7. Choose the machine type as n1-standard-1.
  8. Check the Allow HTTP traffic firewall rule. This checkbox creates a rule that allows TCP port 80 from 0.0.0.0/0 to instances tagged http-server, so anyone who learns an instance's external IP can reach Apache directly and bypass both the load balancer and Cloud Armor. That is acceptable for this lab; in production, restrict port 80 to the load balancer's proxy and health-check source ranges (130.211.0.0/22 and 35.191.0.0/16) or give the instances no external IP at all.
  9. Expand the Management section to add the automation (startup) script.
  10. Enter the script below in the startup script input box.
#! /bin/bash
# Startup script: install Apache and PHP, then serve a one-line banner page.
apt-get update -y
apt-get install -y apache2
# The original script pinned php7.0, which only exists on Debian 9 images; the
# unversioned php package installs the image's current PHP and the Apache module.
apt-get install -y php
# Remove the default Apache page so index.php is served instead.
mv /var/www/html/index.html /var/www/html/index.php
cat <<EOF > /var/www/html/index.php
<html><body><h1>Welcome to Whizlabs</h1>
</body></html>
EOF
# Make sure the PHP module is loaded before the first health check arrives.
systemctl restart apache2
  11. Click on Create.
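The Allow HTTP traffic checkbox opens port 80 to the whole internet, which lets clients skip the load balancer and therefore Cloud Armor. The script below is an added example, not part of the original lab: it creates a firewall rule scoped to Google's load balancer and health-check source ranges and includes a check for rules that are still open to 0.0.0.0/0. It assumes the default VPC network, the http-server tag the checkbox applies, and a hypothetical rule name allow-lb-to-http-server; set GCLOUD=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the original lab: scope the backends' HTTP firewall
# rule to Google's load balancer / health-check ranges so that Cloud Armor cannot be
# bypassed by hitting an instance's external IP directly.
# Assumptions (hypothetical): network "default", target tag "http-server" (the tag the
# Allow HTTP traffic checkbox applies), rule name "allow-lb-to-http-server".
# GCLOUD=echo prints the gcloud commands instead of running them.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# Source ranges used by Google Front Ends and health checkers for external HTTP(S)
# load balancers. Only these need to reach port 80 on the backends.
LB_RANGES="130.211.0.0/22,35.191.0.0/16"

# Create an ingress rule that allows TCP 80 from LB_RANGES to instances carrying
# the given tag. Arguments: rule name, VPC network, target tag.
create_scoped_http_rule() {
    rule_name="$1"; network="$2"; tag="$3"
    "$GCLOUD" compute firewall-rules create "$rule_name" \
        --network "$network" \
        --direction INGRESS \
        --action ALLOW \
        --rules tcp:80 \
        --source-ranges "$LB_RANGES" \
        --target-tags "$tag"
}

# Given a rule's sourceRanges as printed by
#   gcloud compute firewall-rules describe RULE --format 'value(sourceRanges)'
# (entries separated by ';' or ','), return 0 if any entry is 0.0.0.0/0, i.e. the
# rule admits traffic from the whole internet and can bypass Cloud Armor.
ranges_world_open() {
    printf '%s\n' "$1" | tr ',;' '\n' | grep -qx '0\.0\.0\.0/0'
}

# Same check for a rule that already exists in the project (needs real gcloud).
rule_world_open() {
    ranges_world_open "$("$GCLOUD" compute firewall-rules describe "$1" \
        --format 'value(sourceRanges)')"
}

# Usage: ./fw.sh create [RULE_NAME] [NETWORK] [TAG]
#        ./fw.sh audit RULE_NAME        (e.g. the rule the checkbox created)
case "${1:-}" in
    create)
        create_scoped_http_rule "${2:-allow-lb-to-http-server}" "${3:-default}" "${4:-http-server}" ;;
    audit)
        if rule_world_open "${2:?rule name}"; then
            echo "$2 is open to 0.0.0.0/0: traffic can bypass the load balancer and Cloud Armor"
        else
            echo "$2 is not open to the whole internet"
        fi ;;
esac
```

After creating the scoped rule, delete the world-open rule the checkbox made (its name is shown under VPC network > Firewall) so that the only path to Apache is through the load balancer.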

Creating an Instance Group

  1. In the left sidebar, click on Instance groups.
  2. Click on Create Instance Group.
  3. Enter any name like cloudblogg-instance-group.
  4. Choose the location as Single zone and the region as us-central1.
  5. Choose the instance template which you created in the previous steps.
  6. Click on the edit button to change the autoscaling configuration.
  7. Change the target CPU utilization to 80.
  8. Enter the minimum and maximum number of instances as 1 and 5 respectively.
  9. Click on Create.

Creating a VM instance

  1. In the left sidebar, click on VM instances.
  2. Click on Create Instance.
  3. Enter any instance name like armor-instance. This is your test instance, the client you will run curl from.
  4. Choose the machine series as N1.
  5. Choose the machine type as n1-standard-1.
  6. Click on Create.

Once the instance is listed, click on its SSH button and keep the SSH window open; you will use it later to test the output.

Creating a HTTP Load Balancer

  1. Click on the hamburger icon on the top left corner.
  2. Click on Network services under the Networking section.
  3. Click on Create Load Balancer.
  4. Choose HTTP(S) Load Balancing and click on Start configuration.
  5. Choose the Internet-facing option and click on Continue.
  6. Enter the load balancer name like cloudblogg-lb.
  7. Click on Backend configuration and open the backend services drop-down menu.
  8. Click on Create a backend service.
  9. Enter any name like cloudblogg-backend.
  10. Choose the instance group which you created earlier.
  11. Enter the port numbers as 80 and 8080. Only 80 is actually used, since Apache listens on port 80.
  12. Click on the health check drop-down menu.
  13. Click on Create a health check.
  14. Enter any name like cloudblogg-health. Keep the other options as they are and click on Save.
  15. Click on Create.
  16. Click OK.
  17. Leave the host and path rules as they are.
  18. Choose Frontend configuration.
  19. Enter any name like cloudblogg-frontend.
  20. Choose the protocol as HTTP and port 80, keep the other options as they are and click on Done.
  21. Click on Create.
  22. Click on the load balancer you created and make a note of its IP address.

Note: Wait a few minutes until the load balancer shows a green check mark, meaning the backend has passed its health check. Until then curl may fail or return a 502 from the load balancer rather than the page.

  23. Go to the SSH window of the VM instance armor-instance created earlier and run the command below. At this point nothing is blocked, so the response is the Welcome to Whizlabs page.

curl <ip_address of Load Balancer>

Configuring Cloud Armor and Testing Security Policy

  1. Click on the hamburger icon on the top left corner.
  2. Click on Network Security under the Networking section, then Cloud Armor.
  3. Click on Create Policy.
  4. Enter any policy name like forbid-policy.
  5. Choose the default rule action as Deny and the status as 403 (Forbidden). With no other rules, the default rule matches every request, so this policy blocks all traffic to its target rather than a specific list of addresses. A true blacklist keeps the default rule as Allow and adds Deny rules for the IP ranges to block, each with a lower priority number than the default rule's 2147483647, because rules are evaluated from the lowest number upward and the first match wins.
  6. Click on Add Target in the Apply policy to targets section.
  7. Choose the type as Load balancer backend service and select cloudblogg-backend, the backend service you created. Cloud Armor policies attach to backend services, not to the load balancer's frontend.
  8. Click on Create Policy.
  9. Go back to the SSH window and run the command below. Once the policy has propagated, the response is the 403 Forbidden page instead of the banner. Adding -i to curl prints the status line, which is the clearest check that the policy, and not a backend error, produced the response.

curl <ip_address of Load balancer>
curl 35.208.103.187

Note: The change can take around 2-3 minutes to propagate. If you still see Welcome to Whizlabs, keep re-running the command.
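The script below is an added example, not code from the original lab, and is the gcloud equivalent of the console steps above as well as of the rule conditions described in the Overview. It builds the policy in two variants: the deny-all policy the lab creates, and an actual blacklist that keeps the default allow rule and denies one source range. It then polls the load balancer until the expected status code appears, which is the propagation wait the note above describes. Assumed (hypothetical) names: policy forbid-policy or blocklist-policy and backend service cloudblogg-backend; set GCLOUD=echo to print the commands without a project, and CURL can be replaced the same way.

```shell
#!/bin/sh
# Added example, not code from the original lab: gcloud equivalent of the console
# steps, in two variants, plus a curl loop that waits for the policy to propagate.
# Assumed (hypothetical) names: policies "forbid-policy" / "blocklist-policy",
# backend service "cloudblogg-backend". GCLOUD=echo prints commands instead of
# running them; CURL can likewise be replaced.
set -eu

GCLOUD="${GCLOUD:-gcloud}"
CURL="${CURL:-curl}"

# Variant 1, what the lab builds: a new policy gets a default rule (priority
# 2147483647, action allow); switching it to deny-403 refuses every request to the
# attached backend service. This is a full block, not a blacklist.
create_deny_all_policy() {
    policy="$1"; backend="$2"
    "$GCLOUD" compute security-policies create "$policy" --description "deny all"
    "$GCLOUD" compute security-policies rules update 2147483647 \
        --security-policy "$policy" --action deny-403
    "$GCLOUD" compute backend-services update "$backend" \
        --security-policy "$policy" --global
}

# Variant 2, an actual blacklist: keep the default allow rule and add a deny rule
# for the unwanted source range. Rules are evaluated from the lowest priority
# number upward and the first match wins, so the deny rule must carry a number
# below 2147483647 or it is never reached.
create_blocklist_policy() {
    policy="$1"; backend="$2"; blocked_cidr="$3"
    "$GCLOUD" compute security-policies create "$policy" --description "deny-list"
    "$GCLOUD" compute security-policies rules create 1000 \
        --security-policy "$policy" \
        --src-ip-ranges "$blocked_cidr" \
        --action deny-403 \
        --description "blocked source range"
    "$GCLOUD" compute backend-services update "$backend" \
        --security-policy "$policy" --global
}

# HTTP status code the load balancer answers with; only the code is printed
# (000 if the connection fails).
http_status() {
    "$CURL" -s -o /dev/null -w '%{http_code}' "http://$1/"
}

# Poll until the load balancer returns the expected status or the attempt budget
# runs out. Returns 0 on success, 1 on timeout. Defaults: 30 tries, 10 s apart.
wait_for_status() {
    lb_ip="$1"; expected="$2"; attempts="${3:-30}"; delay="${4:-10}"
    i=1
    while [ "$i" -le "$attempts" ]; do
        code="$(http_status "$lb_ip")"
        if [ "$code" = "$expected" ]; then
            echo "attempt $i: got $code as expected"
            return 0
        fi
        echo "attempt $i: got $code, waiting for $expected"
        sleep "$delay"
        i=$((i + 1))
    done
    return 1
}

# Usage: ./armor.sh deny-all LB_IP
#        ./armor.sh blocklist LB_IP SRC_CIDR
# For the blocklist variant, pass the /32 of the instance you curl from to see the
# 403 yourself; every other client keeps receiving 200.
case "${1:-}" in
    deny-all)
        create_deny_all_policy forbid-policy cloudblogg-backend
        wait_for_status "${2:?load balancer IP}" 403 ;;
    blocklist)
        create_blocklist_policy blocklist-policy cloudblogg-backend "${3:?CIDR to block}"
        wait_for_status "${2:?load balancer IP}" 403 ;;
esac
```

The region-code and request-header conditions mentioned in the Overview are expressed the same way with `--expression` instead of `--src-ip-ranges` on `gcloud compute security-policies rules create`, using Cloud Armor's rule language (for example `origin.region_code` or `request.headers[...]`); the priority ordering rule is identical.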

Completion and Conclusion:

  1. In this lab, you have created an HTTP Load Balancer
  2. You have created a Test Instance.
  3. You have created a Cloud Armor Security Policy.
  4. You have tested the final output.

Happy Learning !!!

