To create a new Cloud Armor security policy, use the
gcloud compute security-policies create command.
In the type field, use CLOUD_ARMOR to create a backend security
policy or CLOUD_ARMOR_EDGE to create an edge security policy. The
type flag is optional; if no type is specified, a backend security
policy is created by default:
gcloud compute security-policies create NAME \
[--type=CLOUD_ARMOR|CLOUD_ARMOR_EDGE] \
[--file-format=FILE_FORMAT | --description=DESCRIPTION] \
[--file-name=FILE_NAME]
Replace the following:
NAME: the name of the security policy
FILE_FORMAT: the format of the file specified in --file-name; specify yaml or json
DESCRIPTION: the description of the security policy
FILE_NAME: the name of a file that contains either a YAML or JSON export of the security policy
The following command updates a policy that you previously created,
turns JSON parsing on, and changes the log level to VERBOSE:
gcloud compute security-policies update my-policy \
--json-parsing=STANDARD \
--log-level=VERBOSE
To add rules to a security policy, use the gcloud
compute security-policies rules create PRIORITY command.
gcloud compute security-policies rules create PRIORITY \
[--security-policy POLICY_NAME] \
[--description DESCRIPTION] \
--src-ip-ranges IP_RANGE,... | --expression EXPRESSION \
--action=[ allow | deny-403 | deny-404 | deny-502 ] \
[--preview]
Replace the following:
PRIORITY: the priority to assign to the rule in
the policy. For information about how rule priority works, see
Rule evaluation order
POLICY_NAME: the name of your security policy
DESCRIPTION: a description of the rule
IP_RANGE,...: a comma-separated list of IP address ranges
EXPRESSION: a Cloud Armor rules language expression
For example, the following command adds a rule to block traffic from
IP address ranges 192.0.2.0/24 and 198.51.100.0/24. The rule has
priority 1000, and it is a rule in a policy called my-policy.
gcloud compute security-policies rules create 1000 \
--security-policy my-policy \
--description "block traffic from 192.0.2.0/24 and 198.51.100.0/24" \
--src-ip-ranges "192.0.2.0/24","198.51.100.0/24" \
--action "deny-403"
With the --preview flag added, the rule is added to the policy, but
not enforced, and any traffic that triggers the rule is only logged.
gcloud compute security-policies rules create 1000 \
--security-policy my-policy \
--description "block traffic from 192.0.2.0/24 and 198.51.100.0/24" \
--src-ip-ranges "192.0.2.0/24","198.51.100.0/24" \
--action "deny-403" \
--preview
Use the --expression flag to specify a custom condition. For more
information, see
Configure custom rules language attributes.
The following command adds a rule to allow traffic from the IP address
1.2.3.4 and contains the string example in the user-agent header:
gcloud compute security-policies rules create 1000 \
--security-policy my-policy \
--expression "inIpRange(origin.ip, '1.2.3.4/32') && has(request.headers['user-agent']) && request.headers['user-agent'].contains('example')" \
--action allow \
--description "Block User-Agent 'example'"
The following command adds a rule to block requests if the request's
cookie contains a specific value:
gcloud compute security-policies rules create 1000 \
--security-policy my-policy \
--expression "has(request.headers['cookie']) && request.headers['cookie'].contains('cookie_name=cookie_value')" \
--action "deny-403" \
--description "Cookie Block"
The following command adds a rule to block requests from the region
AU:
gcloud compute security-policies rules create 1000 \
--security-policy my-policy \
--expression "origin.region_code == 'AU'" \
--action "deny-403" \
--description "AU block"
The following command adds a rule to block requests from the region AU
that are not in the specified IP range:
gcloud compute security-policies rules create 1000 \
--security-policy my-policy \
--expression "origin.region_code == 'AU' && !inIpRange(origin.ip, '1.2.3.0/24')" \
--action "deny-403" \
--description "country and IP block"
The following command adds a rule to block requests with a URI that
matches a regular expression:
gcloud compute security-policies rules create 1000 \
--security-policy my-policy \
--expression "request.path.matches('/example_path/')" \
--action "deny-403" \
--description "regex block"
The following command adds a rule to block requests if the Base64
decoded value of the user-id header contains a specific value:
gcloud compute security-policies rules create 1000 \
--security-policy my-policy \
--expression "has(request.headers['user-id']) && request.headers['user-id'].base64Decode().contains('myValue')" \
--action "deny-403" \
--description "country and IP block"
The following command adds a rule that uses a preconfigured expression
set to mitigate SQLi attacks:
gcloud compute security-policies rules create 1000 \
--security-policy my-policy \
--expression "evaluatePreconfiguredWaf('sqli-v422-stable')" \
--action "deny-403"
The following command adds a rule that uses a preconfigured expression
to allow access from all IP addresses on a named IP address list:
gcloud compute security-policies rules create 1000 \
--security-policy my-policy \
--expression "evaluatePreconfiguredWaf('sourceiplist-fastly')" \
--action "allow"