Some or all of the information on this page might not apply to Trusted Cloud by S3NS. See Differences from Google Cloud for more details.

Example security policies

This page describes example security policy configurations for different types of load balancers and security policies.

Create security policies

You can use the Trusted Cloud console or the gcloud CLI to create security policies. The instructions in this section assume that you are configuring security policies to apply to an existing global external Application Load Balancer or classic Application Load Balancer and backend service. For an example of how to complete the fields, see Creating the example.

Console

Create Cloud Armor security policies and rules and attach a security policy to a backend service:

  1. In the Trusted Cloud console, go to the Google Cloud Armor policies page.

    Go to Google Cloud Armor policies

  2. Click Create policies.

  3. In the Name field, enter the name of your policy.

  4. Optional: Enter a description of the policy.

  5. For Policy type, choose Backend security policy or Edge security policy.

  6. For Default rule action, select Allow for a default rule that permits access, or select Deny for a default rule that denies access to the matched IP address or IP address range.

    The default rule is the lowest priority rule that takes effect only if no other rule applies.

  7. If you are configuring a Deny rule, select a Deny status message. This is the error status that Cloud Armor returns to a client whose request is denied by the rule.

  8. Regardless of the type of rule that you are configuring, click Next step.

Add more rules:

  1. Click Add rule.
  2. Optional: Enter a description for the rule.
  3. Select the mode:

    • Basic mode: allow or deny traffic based on IP addresses or IP ranges.
    • Advanced mode: allow or deny traffic based on rule expressions.
  4. In the Match field, specify the conditions under which the rule applies:

    • Basic mode: enter IP addresses or IP ranges to match in the rule.
    • Advanced mode: enter an expression or subexpressions to evaluate against incoming requests. For information about how to write the expressions, see Configure custom rules language attributes.
  5. For Action, select Allow or Deny to allow or deny traffic if the rule matches.

  6. To enable preview mode, select the Enable checkbox. In preview mode, you can see how the rule behaves, but the rule is not enabled.

  7. Enter the rule's Priority. This can be any integer from 0 to 2,147,483,646 inclusive; lower numbers are evaluated first. For more information about the evaluation order, see Rule evaluation order.

  8. Click Done.

  9. To add more rules, click Add rule and repeat the previous steps. Otherwise, click Next step.

Apply policy to targets:

  1. Click Add Target.
  2. In the Target list, select a target.
  3. To add more targets, click Add Target.
  4. Click Done.
  5. Click Create policy.

gcloud

  1. To create a new Cloud Armor security policy, use the gcloud compute security-policies create command.

    In the --type flag, use CLOUD_ARMOR to create a backend security policy or CLOUD_ARMOR_EDGE to create an edge security policy. The flag is optional; if no type is specified, a backend security policy is created by default:

    gcloud compute security-policies create NAME \
       [--type=CLOUD_ARMOR|CLOUD_ARMOR_EDGE] \
       [--file-format=FILE_FORMAT | --description=DESCRIPTION] \
       [--file-name=FILE_NAME]
    
    

    Replace the following:

    • NAME: the name of the security policy
    • DESCRIPTION: the description of the security policy

    The following command updates a policy that you previously created, turns JSON parsing on, and changes the log level to VERBOSE:

    gcloud compute security-policies update my-policy \
        --json-parsing=STANDARD \
        --log-level=VERBOSE
    
  2. To add rules to a security policy, use the gcloud compute security-policies rules create PRIORITY command.

    gcloud compute security-policies rules create PRIORITY \
        [--security-policy POLICY_NAME] \
        [--description DESCRIPTION] \
        --src-ip-ranges IP_RANGE,... | --expression EXPRESSION \
        --action=[ allow | deny-403 | deny-404 | deny-502 ] \
        [--preview]
    

    Replace PRIORITY with the priority assigned to the rule in the policy. For information about how rule priority works, see Rule evaluation order.

    For example, the following command adds a rule to block traffic from IP address ranges 192.0.2.0/24 and 198.51.100.0/24. The rule has priority 1000, and it is a rule in a policy called my-policy.

    gcloud compute security-policies rules create 1000 \
        --security-policy my-policy \
        --description "block traffic from 192.0.2.0/24 and 198.51.100.0/24" \
        --src-ip-ranges "192.0.2.0/24","198.51.100.0/24" \
        --action "deny-403"
    

    With the --preview flag added, the rule is added to the policy, but not enforced, and any traffic that triggers the rule is only logged.

    gcloud compute security-policies rules create 1000 \
        --security-policy my-policy \
        --description "block traffic from 192.0.2.0/24 and 198.51.100.0/24" \
        --src-ip-ranges "192.0.2.0/24","198.51.100.0/24" \
        --action "deny-403" \
        --preview
    

    Use the --expression flag to specify a custom condition. For more information, see Configure custom rules language attributes. The following command adds a rule to allow traffic that comes from the IP address 1.2.3.4 and whose user-agent header contains the string example. The has() check guards against requests that send no user-agent header at all:

    gcloud compute security-policies rules create 1000 \
        --security-policy my-policy \
        --expression "inIpRange(origin.ip, '1.2.3.4/32') && has(request.headers['user-agent']) && request.headers['user-agent'].contains('example')" \
        --action allow \
        --description "Allow User-Agent 'example' from 1.2.3.4"
    

    The following command adds a rule to block requests if the request's cookie contains a specific value:

    gcloud compute security-policies rules create 1000 \
        --security-policy my-policy \
        --expression "has(request.headers['cookie']) && request.headers['cookie'].contains('cookie_name=cookie_value')" \
        --action "deny-403" \
        --description "Cookie Block"
    

    The following command adds a rule to block requests from the region AU:

    gcloud compute security-policies rules create 1000 \
        --security-policy my-policy \
        --expression "origin.region_code == 'AU'" \
        --action "deny-403" \
        --description "AU block"
    

    The following command adds a rule to block requests from the region AU that are not in the specified IP range:

    gcloud compute security-policies rules create 1000 \
        --security-policy my-policy \
        --expression "origin.region_code == 'AU' && !inIpRange(origin.ip, '1.2.3.0/24')" \
        --action "deny-403" \
        --description "country and IP block"
    

    The following command adds a rule to block requests with a URI that matches a regular expression:

    gcloud compute security-policies rules create 1000 \
        --security-policy my-policy \
        --expression "request.path.matches('/example_path/')" \
        --action "deny-403" \
        --description "regex block"
    

    The following command adds a rule to block requests if the Base64-decoded value of the user-id header contains a specific value:

    gcloud compute security-policies rules create 1000 \
        --security-policy my-policy \
        --expression "has(request.headers['user-id']) && request.headers['user-id'].base64Decode().contains('myValue')" \
        --action "deny-403" \
        --description "user-id header block"
    

    The following command adds a rule that uses a preconfigured expression set to mitigate SQLi attacks:

    gcloud compute security-policies rules create 1000 \
        --security-policy my-policy \
        --expression "evaluatePreconfiguredWaf('sqli-stable')" \
        --action "deny-403"
    

    The following command adds a rule that uses a preconfigured expression to allow access from all IP addresses on a named IP address list:

    gcloud compute security-policies rules create 1000 \
        --security-policy my-policy \
        --expression "evaluatePreconfiguredWaf('sourceiplist-fastly')" \
        --action "allow"
    
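    The rule examples above all use priority 1000, which hides how a policy with several rules actually decides. The following Python model, added here as an illustration and not Cloud Armor's own code, re-creates several of the page's rules as local matcher functions with distinct priorities and walks requests through them in priority order, showing that the first enforced match wins, that a rule created with --preview is only logged, and that the default rule applies when nothing else matches. The request shape and helper names are assumptions of this example.

```python
import base64
import ipaddress
import re

# Added illustration, not Cloud Armor's own code: a minimal model of how the
# rules on this page are evaluated. Rules are checked in ascending priority,
# the first enforced match decides, preview rules are only logged, and the
# default rule (priority 2147483647) applies when nothing else matches.
def in_ip_range(ip, cidr):
    """Approximates inIpRange(origin.ip, CIDR)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def header_contains(req, name, needle, b64=False):
    """Approximates has(request.headers[name]) && ...contains(needle), optionally
    after base64Decode(); a missing or undecodable header value never matches."""
    value = req["headers"].get(name)
    if value is None:
        return False
    if b64:
        try:
            value = base64.b64decode(value).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error (bad padding etc.) is a ValueError
            return False
    return needle in value

# The page's example rules as (priority, action, preview, matcher), given distinct
# priorities so the order is visible; the IP-range block is in preview mode.
RULES = [
    (500, "allow", False, lambda r: in_ip_range(r["ip"], "1.2.3.4/32")
     and header_contains(r, "user-agent", "example")),
    (1000, "deny-403", True, lambda r: any(in_ip_range(r["ip"], c)
     for c in ("192.0.2.0/24", "198.51.100.0/24"))),
    (2000, "deny-403", False, lambda r: r["region"] == "AU"
     and not in_ip_range(r["ip"], "1.2.3.0/24")),
    (3000, "deny-403", False, lambda r: re.search("/example_path/", r["path"]) is not None),
    (4000, "deny-403", False, lambda r: header_contains(r, "user-id", "myValue", b64=True)),
]

def make_request(ip, path="/", region="US", **headers):
    """Constructed request; header kwargs use '_' for '-' (user_agent -> user-agent)."""
    return {"ip": ip, "path": path, "region": region,
            "headers": {k.replace("_", "-"): v for k, v in headers.items()}}

def evaluate(req, rules=RULES, default_action="allow"):
    """Return (action, deciding priority, priorities of preview rules that matched)."""
    previewed = []
    for priority, action, preview, matches in sorted(rules, key=lambda r: r[0]):
        if matches(req):
            if preview:  # logged only; evaluation continues with the next rule
                previewed.append(priority)
            else:
                return action, priority, previewed
    return default_action, 2147483647, previewed
```

    A request from 192.0.2.10 is therefore still allowed by the default rule while the preview rule at priority 1000 is recorded, which is exactly what to look for in the request logs before removing --preview.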

Configure security policies for regional external Application Load Balancers

This section contains information about configuring regionally scoped Cloud Armor security policies for regional external Application Load Balancers.

Protect regionally load balanced workloads

Use the following steps to configure a security policy to protect your regionally scoped backend service:

  1. Create a regionally scoped security policy.

    gcloud compute security-policies create POLICY_NAME \
       --type=CLOUD_ARMOR \
       --region=REGION
    
  2. Attach the regionally scoped security policy to a regionally scoped backend service. Replace BACKEND_NAME with the name of your existing regionally scoped backend service.

    gcloud compute backend-services update BACKEND_NAME \
       --security-policy=POLICY_NAME \
       --region=REGION
    

Apply a regionally scoped Cloud Armor security policy

Consider an example in which you are a security administrator who wants to satisfy a residency requirement that all of your backend workloads and WAF rules are deployed in a specific region. Assume that you have done the following beforehand:

  1. You created regionally scoped load-balanced backend services in the region.
  2. You disabled any existing globally scoped security policies in your deployment.
  3. You created and attached a regionally scoped security policy in the same region (as in the previous section).

You can add WAF rules and other advanced rules to your policy while satisfying the requirement by using the following example commands:

  • Add a WAF rule to the policy:

    gcloud compute security-policies rules create 1000 --action=deny-404 \
      --expression="evaluatePreconfiguredWaf('xss-v33-stable', ['owasp-crs-v030301-id941100-xss', 'owasp-crs-v030301-id941160-xss'])" \
      --security-policy=POLICY_NAME \
      --region=REGION
    
  • Add an advanced rule to the policy:

    gcloud compute security-policies rules create 1000 --action=allow \
      --expression="has(request.headers['cookie']) && request.headers['cookie'].contains('80=EXAMPLE')" \
      --security-policy=POLICY_NAME \
      --region=REGION
    
  • Add a rate limiting rule to the policy:

    gcloud compute security-policies rules create 1000 --action=throttle \
      --src-ip-ranges="1.1.1.1/32" \
      --rate-limit-threshold-count=1000 \
      --rate-limit-threshold-interval-sec=120 \
      --conform-action="allow" \
      --exceed-action="deny-429" \
      --enforce-on-key=IP \
      --ban-duration-sec=999 \
      --ban-threshold-count=5000 \
      --ban-threshold-interval-sec=60 \
      --security-policy=POLICY_NAME \
      --region=REGION
    

What's next

  • Configure Cloud Armor security policies
  • Learn more about rate limiting.


Last updated 2025-08-07 UTC.