This page describes example security policy configurations for different types of load balancers and security policies.
Example security policies
Create security policies
You can use the Trusted Cloud console or the gcloud CLI to create security policies. The instructions in this section assume that you are configuring security policies to apply to an existing global external Application Load Balancer or classic Application Load Balancer and backend service. For an example of how to complete the fields, see Creating the example.
Console
Create Google Cloud Armor security policies and rules and attach a security policy to a backend service:
In the Trusted Cloud console, go to the Google Cloud Armor policies page.
Click Create policies.
In the Name field, enter the name of your policy.
Optional: Enter a description of the policy.
For Policy type choose Backend security policy or Edge security policy.
For Default rule action, select Allow for a default rule that permits access, or select Deny for a default rule that forbids access to an IP address or IP address range.
The default rule is the lowest priority rule that takes effect only if no other rule applies.
If you are configuring a Deny rule, select a Deny status message. This is the error message that Google Cloud Armor displays if a user without access tries to gain access.
Regardless of the type of rule that you are configuring, click Next step.
Add more rules:
- Click Add rule.
- Optional: Enter a description for the rule.
Select the mode:
- Basic mode: allow or deny traffic based on IP addresses or IP ranges.
- Advanced mode: allow or deny traffic based on rule expressions.
In the Match field, specify the conditions under which the rule applies:
- Basic mode: enter IP addresses or IP ranges to match in the rule.
- Advanced mode: enter an expression or subexpressions to evaluate against incoming requests. For information about how to write the expressions, see the Configure custom rules language attributes.
For Action, select Allow or Deny to allow or deny traffic if the rule matches.
To enable preview mode, select the Enable checkbox. In preview mode, you can see how the rule behaves, but the rule is not enabled.
Enter the rule's Priority. This can be any integer from 0 to 2,147,483,646 inclusive; lower numbers are evaluated first. For more information about the evaluation order, see Rule evaluation order.
Click Done.
To add more rules, click Add rule and repeat the previous steps. Otherwise, click Next step.
Apply policy to targets:
- Click Add Target.
- In the Target list, select a target.
- To add more targets, click Add Target.
- Click Done.
- Click Create policy.
gcloud
To create a new Google Cloud Armor security policy, use the gcloud compute security-policies create command. In the type field, use CLOUD_ARMOR to create a backend security policy or CLOUD_ARMOR_EDGE to create an edge security policy. The type flag is optional; if no type is specified, a backend security policy is created by default:

gcloud compute security-policies create NAME \
    [--type=CLOUD_ARMOR|CLOUD_ARMOR_EDGE] \
    [--file-format=FILE_FORMAT | --description=DESCRIPTION] \
    [--file-name=FILE_NAME]

Replace the following:
- NAME: the name of the security policy
- DESCRIPTION: the description of the security policy
The following command updates a policy that you previously created, turns JSON parsing on, and changes the log level to VERBOSE:

gcloud compute security-policies update my-policy \
    --json-parsing=STANDARD \
    --log-level=VERBOSE
To add rules to a security policy, use the gcloud compute security-policies rules create PRIORITY command:

gcloud compute security-policies rules create PRIORITY \
    [--security-policy POLICY_NAME] \
    [--description DESCRIPTION] \
    --src-ip-ranges IP_RANGE,... | --expression EXPRESSION \
    --action=[ allow | deny-403 | deny-404 | deny-502 ] \
    [--preview]
Replace PRIORITY with the priority assigned to the rule in the policy. For information about how rule priority works, see Rule evaluation order.

For example, the following command adds a rule to block traffic from the IP address ranges 192.0.2.0/24 and 198.51.100.0/24. The rule has priority 1000, and it is a rule in a policy called my-policy:

gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --description "block traffic from 192.0.2.0/24 and 198.51.100.0/24" \
    --src-ip-ranges "192.0.2.0/24","198.51.100.0/24" \
    --action "deny-403"
With the --preview flag added, the rule is added to the policy but not enforced, and any traffic that triggers the rule is only logged:

gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --description "block traffic from 192.0.2.0/24 and 198.51.100.0/24" \
    --src-ip-ranges "192.0.2.0/24","198.51.100.0/24" \
    --action "deny-403" \
    --preview
Use the --expression flag to specify a custom condition. For more information, see Configure custom rules language attributes. The following command adds a rule to allow traffic from the IP address 1.2.3.4 whose user-agent header contains the string example:

gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "inIpRange(origin.ip, '1.2.3.4/32') && has(request.headers['user-agent']) && request.headers['user-agent'].contains('example')" \
    --action allow \
    --description "Allow User-Agent 'example' from 1.2.3.4"
The following command adds a rule to block requests if the request's cookie contains a specific value:
gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "has(request.headers['cookie']) && request.headers['cookie'].contains('cookie_name=cookie_value')" \
    --action "deny-403" \
    --description "Cookie Block"
The following command adds a rule to block requests from the region AU:

gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "origin.region_code == 'AU'" \
    --action "deny-403" \
    --description "AU block"
The following command adds a rule to block requests from the region AU that are not in the specified IP range:

gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "origin.region_code == 'AU' && !inIpRange(origin.ip, '1.2.3.0/24')" \
    --action "deny-403" \
    --description "country and IP block"
The following command adds a rule to block requests with a URI that matches a regular expression:
gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "request.path.matches('/example_path/')" \
    --action "deny-403" \
    --description "regex block"
The following command adds a rule to block requests if the Base64-decoded value of the user-id header contains a specific value:

gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "has(request.headers['user-id']) && request.headers['user-id'].base64Decode().contains('myValue')" \
    --action "deny-403" \
    --description "base64 user-id block"
The following command adds a rule that uses a preconfigured expression set to mitigate SQLi attacks:
gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "evaluatePreconfiguredWaf('sqli-stable')" \
    --action "deny-403"
The following command adds a rule that uses a preconfigured expression to allow access from all IP addresses on a named IP address list:
gcloud compute security-policies rules create 1000 \
    --security-policy my-policy \
    --expression "evaluatePreconfiguredWaf('sourceiplist-fastly')" \
    --action "allow"
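The rule examples above, together with the priority and preview-mode notes in the console steps, describe how a policy is evaluated: rules are tried from the lowest priority number upwards, the first enforced match decides, a preview rule is only logged, and the default rule applies when nothing matches. The following added example (written for this page; it is not Google's code and not the Cloud Armor engine) models that evaluation in Python over constructed requests. The helper names (in_ip_range, header, b64decode, evaluate, decide), the Request and Rule classes, and the distinct priorities given to the page's rules are assumptions; the real rule language is CEL-based, and matches() is approximated here with re.search.

```python
import base64
import binascii
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    """Constructed stand-in for the request attributes the rule language exposes."""
    ip: str                                                 # origin.ip
    region_code: str                                        # origin.region_code
    path: str                                               # request.path
    headers: Dict[str, str] = field(default_factory=dict)   # request.headers


@dataclass
class Rule:
    priority: int                       # lower number is evaluated first
    action: str                         # allow, deny-403, ...
    match: Callable[[Request], bool]    # stands in for --expression
    description: str = ""
    preview: bool = False               # --preview: log the match, do not enforce


# Helpers approximating the functions used in the page's expressions.
def in_ip_range(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def header(req: Request, name: str):
    # HTTP header names are case-insensitive, so compare them lower-cased.
    return {k.lower(): v for k, v in req.headers.items()}.get(name.lower())


def b64decode(value: str) -> str:
    # base64Decode(); padding is restored so unpadded tokens decode, and
    # malformed input decodes to the empty string instead of raising.
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4)).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""


def evaluate(policy: List[Rule], default_action: str, req: Request) -> Tuple[str, List[str]]:
    """Apply the policy to one request and return (effective action, log lines).

    Rules are checked from the lowest priority number upwards and the first
    enforced match decides. A matching preview rule is only logged and
    evaluation continues with the next rule; the default rule applies last.
    """
    log = []
    for rule in sorted(policy, key=lambda r: r.priority):
        if not rule.match(req):
            continue
        if rule.preview:
            log.append(f"preview: priority {rule.priority} ({rule.description}) would {rule.action}")
            continue
        log.append(f"enforced: priority {rule.priority} ({rule.description}) -> {rule.action}")
        return rule.action, log
    log.append(f"no rule matched -> default {default_action}")
    return default_action, log


# Constructed policy built from the page's expressions. Each example on the page
# uses priority 1000 on its own; here they get distinct priorities so the
# evaluation order is visible. The IP block is in preview mode on purpose.
POLICY = [
    Rule(1000, "deny-403",
         lambda r: in_ip_range(r.ip, "192.0.2.0/24") or in_ip_range(r.ip, "198.51.100.0/24"),
         "block traffic from 192.0.2.0/24 and 198.51.100.0/24", preview=True),
    Rule(2000, "allow",
         lambda r: in_ip_range(r.ip, "1.2.3.4/32")
         and header(r, "user-agent") is not None
         and "example" in header(r, "user-agent"),
         "allow User-Agent 'example' from 1.2.3.4"),
    Rule(3000, "deny-403",
         lambda r: r.region_code == "AU" and not in_ip_range(r.ip, "1.2.3.0/24"),
         "country and IP block"),
    Rule(4000, "deny-403",
         lambda r: re.search("/example_path/", r.path) is not None,  # matches() ~ RE2 search
         "regex block"),
    Rule(5000, "deny-403",
         lambda r: header(r, "user-id") is not None
         and "myValue" in b64decode(header(r, "user-id")),
         "base64 user-id block"),
]


def decide(req: Request) -> Tuple[str, List[str]]:
    """Evaluate the constructed policy with a default rule of allow."""
    return evaluate(POLICY, "allow", req)


if __name__ == "__main__":
    samples = [
        Request("192.0.2.7", "US", "/", {}),                              # preview match only
        Request("1.2.3.4", "AU", "/", {"User-Agent": "example-bot"}),     # allow wins before the AU rule
        Request("203.0.113.9", "AU", "/", {}),                            # country block
        Request("203.0.113.9", "US", "/example_path/x", {}),              # regex block
        Request("203.0.113.9", "US", "/", {"user-id": "bXlWYWx1ZQ=="}),   # base64("myValue")
    ]
    for s in samples:
        action, log = decide(s)
        print(f"{s.ip:14} {s.region_code} {s.path:18} -> {action}; " + "; ".join(log))
```

The first sample is the point of preview mode: the request from 192.0.2.7 hits the IP block rule, the match is logged, and the request still reaches the default rule, which is what you would inspect in the logs before switching the rule to enforced. The second sample shows why priority matters: the allow rule at 2000 decides before the AU block at 3000 is ever consulted.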
Configure security policies for regional external Application Load Balancers
This section contains information about configuring regionally scoped Google Cloud Armor security policies for regional external Application Load Balancers.
Protect regionally load balanced workloads
Use the following steps to configure a security policy to protect your regionally scoped backend service:
Create a regionally scoped security policy.
gcloud compute security-policies create POLICY_NAME \
    --type=CLOUD_ARMOR \
    --region=REGION
Attach the regionally scoped security policy to a regionally scoped backend service. Replace BACKEND_NAME with the name of your existing regionally scoped backend service:

gcloud compute backend-services update BACKEND_NAME \
    --security-policy=POLICY_NAME \
    --region=REGION
Apply a regionally scoped Google Cloud Armor security policy
Consider an example in which you are a security administrator who wants to satisfy a residency requirement that all of your backend workloads and WAF rules are deployed in a specific region. Assume that you have done the following beforehand:
- You created regionally scoped load-balanced backend services in the region.
- You disabled any existing globally scoped security policies in your deployment.
- You created and attached a regionally scoped security policy in the same region (as in the previous section).
You can add WAF rules and other advanced rules to your policy while satisfying the requirement by using the following example commands:
Add a WAF rule to the policy:
gcloud compute security-policies rules create 1000 --action=deny-404 \
    --expression="evaluatePreconfiguredWaf('xss-v33-stable', ['owasp-crs-v030301-id941100-xss', 'owasp-crs-v030301-id941160-xss'])" \
    --security-policy=POLICY_NAME \
    --region=REGION
Add an advanced rule to the policy:
gcloud compute security-policies rules create 1000 --action=allow \
    --expression="has(request.headers['cookie']) && request.headers['cookie'].contains('80=EXAMPLE')" \
    --security-policy=POLICY_NAME \
    --region=REGION
Add a rate limiting rule to the policy:
gcloud compute security-policies rules create 1000 --action=throttle \
    --src-ip-ranges="1.1.1.1/32" \
    --rate-limit-threshold-count=1000 \
    --rate-limit-threshold-interval-sec=120 \
    --conform-action="allow" \
    --exceed-action="deny-429" \
    --enforce-on-key=IP \
    --ban-duration-sec=999 \
    --ban-threshold-count=5000 \
    --ban-threshold-interval-sec=60 \
    --security-policy=POLICY_NAME \
    --region=REGION
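The rate limiting command above packs several thresholds into one rule, and it is easy to misread which flag does what. The following added example (written for this page; not Google's code and not how Cloud Armor accounts for requests internally) is a simplified per-key model of those flags: requests from one --enforce-on-key value are counted in a sliding window of --rate-limit-threshold-interval-sec seconds and get --conform-action while the count is at most --rate-limit-threshold-count, --exceed-action otherwise; if the key sends more than --ban-threshold-count requests within --ban-threshold-interval-sec seconds, every request from it gets the exceed action for --ban-duration-sec seconds. The RateLimitRule class, the page_rule and run helpers, the sliding-window accounting and the request timings are all assumptions; the rule's --src-ip-ranges match is taken as already satisfied.

```python
from collections import defaultdict, deque
from typing import Dict, List, Optional


class RateLimitRule:
    """Constructed per-key model of a throttle rule with a rate-based ban.

    Approximates the meaning of the gcloud flags with sliding-window counting;
    it is not Cloud Armor's implementation.
    """

    def __init__(self, threshold_count: int, threshold_interval_sec: int,
                 conform_action: str = "allow", exceed_action: str = "deny-429",
                 ban_threshold_count: Optional[int] = None,
                 ban_threshold_interval_sec: int = 0, ban_duration_sec: int = 0):
        self.threshold_count = threshold_count
        self.threshold_interval_sec = threshold_interval_sec
        self.conform_action = conform_action
        self.exceed_action = exceed_action
        self.ban_threshold_count = ban_threshold_count
        self.ban_threshold_interval_sec = ban_threshold_interval_sec
        self.ban_duration_sec = ban_duration_sec
        self.window: Dict[str, deque] = defaultdict(deque)      # key -> request times (throttle)
        self.ban_window: Dict[str, deque] = defaultdict(deque)  # key -> request times (ban)
        self.banned_until: Dict[str, float] = {}                # key -> ban expiry time

    @staticmethod
    def _prune(times: deque, now: float, interval: float) -> None:
        # Drop timestamps that have left the sliding window.
        while times and times[0] <= now - interval:
            times.popleft()

    def is_banned(self, key: str, now: float) -> bool:
        return self.banned_until.get(key, 0.0) > now

    def handle(self, key: str, now: float) -> str:
        """Return the action for one request from `key` (the --enforce-on-key value) at time `now`."""
        if self.is_banned(key, now):
            return self.exceed_action
        if self.ban_threshold_count is not None:
            bw = self.ban_window[key]
            bw.append(now)
            self._prune(bw, now, self.ban_threshold_interval_sec)
            if len(bw) > self.ban_threshold_count:
                # Ban threshold crossed: block the key for the ban duration.
                self.banned_until[key] = now + self.ban_duration_sec
                bw.clear()
                return self.exceed_action
        w = self.window[key]
        w.append(now)
        self._prune(w, now, self.threshold_interval_sec)
        return self.conform_action if len(w) <= self.threshold_count else self.exceed_action


def page_rule() -> RateLimitRule:
    """The thresholds from the page's rate limiting command."""
    return RateLimitRule(threshold_count=1000, threshold_interval_sec=120,
                         conform_action="allow", exceed_action="deny-429",
                         ban_threshold_count=5000, ban_threshold_interval_sec=60,
                         ban_duration_sec=999)


def run(rule: RateLimitRule, key: str, times: List[float]) -> List[str]:
    """Feed a constructed sequence of request times for one key and collect the actions."""
    return [rule.handle(key, t) for t in times]


if __name__ == "__main__":
    burst = run(page_rule(), "1.1.1.1", [i / 20 for i in range(1200)])   # 1200 requests in 60 s
    print("1200 requests in 60 s:", burst.count("allow"), "allowed,",
          burst.count("deny-429"), "throttled")
    flood_rule = page_rule()
    flood = run(flood_rule, "1.1.1.1", [i / 100 for i in range(5001)])   # 5001 requests in 50 s
    print("5001 requests in 50 s: last action", flood[-1],
          "; banned at t=1048:", flood_rule.is_banned("1.1.1.1", 1048.0),
          "; banned at t=1049:", flood_rule.is_banned("1.1.1.1", 1049.0))
```

The two scenarios separate the throttle from the ban: 1200 requests in a minute stay under the ban threshold, so only the 200 requests past the 1000-per-120-seconds throttle get deny-429 and the key is never banned; 5001 requests in 50 seconds cross the 5000-per-60-seconds ban threshold, after which the key receives deny-429 for the full 999 seconds regardless of its rate. Counting is per key, so a second IP is unaffected by either burst.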
What's next
- Configure Google Cloud Armor security policies
- Learn more about rate limiting.