SecurityPolicy

Represents a Trusted Cloud Armor security policy resource.

Only external backend services that use load balancers can reference a security policy. For more information, see Trusted Cloud Armor security policy overview.

JSON representation 
{
  "userDefinedFields": [
    {
      object (UserDefinedField)
    }
  ],
  "kind": string,
  "id": string,
  "creationTimestamp": string,
  "name": string,
  "description": string,
  "rules": [
    {
      object (Rule)
    }
  ],
  "adaptiveProtectionConfig": {
    object (AdaptiveProtectionConfig)
  },
  "ddosProtectionConfig": {
    object (DdosProtectionConfig)
  },
  "advancedOptionsConfig": {
    object (AdvancedOptionsConfig)
  },
  "recaptchaOptionsConfig": {
    object (RecaptchaOptionsConfig)
  },
  "fingerprint": string,
  "selfLink": string,
  "type": enum (SecurityPolicyType),
  "labels": {
    string: string,
    ...
  },
  "labelFingerprint": string,
  "region": string
}
Fields
userDefinedFields[]

object (UserDefinedField)

Definitions of user-defined fields for CLOUD_ARMOR_NETWORK policies. A user-defined field consists of up to 4 bytes extracted from a fixed offset in the packet, relative to the IPv4, IPv6, TCP, or UDP header, with an optional mask to select certain bits. Rules may then specify matching values for these fields.

Example:

userDefinedFields: - name: "ipv4_fragment_offset" base: IPV4 offset: 6 size: 2 mask: "0x1fff"
kind

string

[Output only] Type of the resource. Always

compute#securityPolicy

for security policies
id

string (uint64 format)

[Output Only] The unique identifier for the resource. This identifier is defined by the server.
creationTimestamp

string

[Output Only] Creation timestamp in RFC3339 text format.
name

string

Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression [a-z]([-a-z0-9]*[a-z0-9])? which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
description

string

An optional description of this resource. Provide this property when you create the resource.
rules[]

object (Rule)

A list of rules that belong to this policy. There must always be a default rule which is a rule with priority 2147483647 and match all condition (for the match condition this means match "*" for srcIpRanges and for the networkMatch condition every field must be either match "*" or not set). If no rules are provided when creating a security policy, a default rule with action "allow" will be added.
adaptiveProtectionConfig

object (AdaptiveProtectionConfig)
ddosProtectionConfig

object (DdosProtectionConfig)
advancedOptionsConfig

object (AdvancedOptionsConfig)
recaptchaOptionsConfig

object (RecaptchaOptionsConfig)
fingerprint

string (bytes format)

Specifies a fingerprint for this resource, which is essentially a hash of the metadata's contents and used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update metadata. You must always provide an up-to-date fingerprint hash in order to update or change metadata, otherwise the request will fail with error

412 conditionNotMet

.

To see the latest fingerprint, make

get()

request to the security policy.

A base64-encoded string.
type

enum (SecurityPolicyType)

The type indicates the intended use of the security policy.

  • CLOUD_ARMOR

    : Cloud Armor backend security policies can be configured to filter incoming HTTP requests targeting backend services. They filter requests before they hit the origin servers.

  • CLOUD_ARMOR_EDGE

    : Cloud Armor edge security policies can be configured to filter incoming HTTP requests targeting backend services (including Cloud CDN-enabled) as well as backend buckets (Cloud Storage). They filter requests before the request is served from Trusted Cloud cache.

  • CLOUD_ARMOR_INTERNAL_SERVICE

    : Cloud Armor internal service policies can be configured to filter HTTP requests targeting services managed by Traffic Director in a service mesh. They filter requests before the request is served from the application.

  • CLOUD_ARMOR_NETWORK

    : Cloud Armor network policies can be configured to filter packets targeting network load balancing resources such as backend services, target pools, target instances, and instances with external IPs. They filter requests before the request is served from the application.

    • This field can be set only at resource creation time.
    labels

    map (key: string, value: string)

    Labels for this resource. These can only be added or modified by the

    setLabels

    method. Each label key/value pair must comply with RFC1035. Label values may be empty.
    labelFingerprint

    string (bytes format)

    A fingerprint for the labels being applied to this security policy, which is essentially a hash of the labels set used for optimistic locking. The fingerprint is initially generated by Compute Engine and changes after every request to modify or update labels. You must always provide an up-to-date fingerprint hash in order to update or change labels.

    To see the latest fingerprint, make

    get()

    request to the security policy.

    A base64-encoded string.
    region

    string

    [Output Only] URL of the region where the regional security policy resides. This field is not applicable to global security policies.

    UserDefinedField

    JSON representation 
    {
  "name": string,
  "base": enum (Base),
  "offset": integer,
  "size": integer,
  "mask": string
}
    Fields
    name

    string

    The name of this field. Must be unique within the policy.
    base

    enum (Base)

    The base relative to which 'offset' is measured. Possible values are:

    • IPV4

      : Points to the beginning of the IPv4 header.

    • IPV6

      : Points to the beginning of the IPv6 header.

    • TCP

      : Points to the beginning of the TCP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.

    • UDP

      : Points to the beginning of the UDP header, skipping over any IPv4 options or IPv6 extension headers. Not present for non-first fragments.

    required
    offset

    integer

    Offset of the first byte of the field (in network byte order) relative to 'base'.
    size

    integer

    Size of the field in bytes. Valid values: 1-4.
    mask

    string

    If specified, apply this mask (bitwise AND) to the field to ignore bits before matching. Encoded as a hexadecimal number (starting with "0x"). The last byte of the field (in network byte order) corresponds to the least significant byte of the mask.

    Base

    Enums
    IPV4
    IPV6
    TCP
    UDP

    AdaptiveProtectionConfig

    Configuration options for Cloud Armor Adaptive Protection (CAAP).

    JSON representation 
    {
  "layer7DdosDefenseConfig": {
    object (Layer7DdosDefenseConfig)
  }
}
    Fields
    layer7DdosDefenseConfig

    object (Layer7DdosDefenseConfig)

    If set to true, enables Cloud Armor Machine Learning.

    Layer7DdosDefenseConfig

    Configuration options for L7 DDoS detection. This field is only supported in Global Security Policies of type CLOUD_ARMOR.

    JSON representation 
    {
  "enable": boolean,
  "ruleVisibility": enum (RuleVisibility),
  "thresholdConfigs": [
    {
      object (ThresholdConfig)
    }
  ]
}
    Fields
    enable

    boolean

    If set to true, enables CAAP for L7 DDoS detection. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
    ruleVisibility

    enum (RuleVisibility)

    Rule visibility can be one of the following: STANDARD - opaque rules. (default) PREMIUM - transparent rules. This field is only supported in Global Security Policies of type CLOUD_ARMOR.
    thresholdConfigs[]

    object (ThresholdConfig)

    Configuration options for layer7 adaptive protection for various customizable thresholds.

    RuleVisibility

    Enums
    STANDARD
    PREMIUM

    ThresholdConfig

    JSON representation 
    {
  "name": string,
  "autoDeployLoadThreshold": number,
  "autoDeployConfidenceThreshold": number,
  "autoDeployImpactedBaselineThreshold": number,
  "autoDeployExpirationSec": integer,
  "detectionLoadThreshold": number,
  "detectionAbsoluteQps": number,
  "detectionRelativeToBaselineQps": number,
  "trafficGranularityConfigs": [
    {
      object (TrafficGranularityConfig)
    }
  ]
}
    Fields
    name

    string

    The name must be 1-63 characters long, and comply with RFC1035. The name must be unique within the security policy.
    autoDeployLoadThreshold

    number
    autoDeployConfidenceThreshold

    number
    autoDeployImpactedBaselineThreshold

    number
    autoDeployExpirationSec

    integer
    detectionLoadThreshold

    number
    detectionAbsoluteQps

    number
    detectionRelativeToBaselineQps

    number
    trafficGranularityConfigs[]

    object (TrafficGranularityConfig)

    Configuration options for enabling Adaptive Protection to operate on specified granular traffic units.

    TrafficGranularityConfig

    Configurations to specifc granular traffic units processed by Adaptive Protection.

    JSON representation 
    {
  "type": enum (Type),
  "value": string,
  "enableEachUniqueValue": boolean
}
    Fields
    type

    enum (Type)

    Type of this configuration.
    value

    string

    Requests that match this value constitute a granular traffic unit.
    enableEachUniqueValue

    boolean

    If enabled, traffic matching each unique value for the specified type constitutes a separate traffic unit. It can only be set to true if value is empty.

    Type

    Types on which a granular unit can be configured.

    Enums
    UNSPECIFIED_TYPE
    HTTP_HEADER_HOST
    HTTP_PATH

    DdosProtectionConfig

    JSON representation 
    {
  "ddosProtection": enum (DdosProtection)
}
    Fields
    ddosProtection

    enum (DdosProtection)

    DdosProtection

    Advanced DDoS protection configuration options. Can only be set if the security policy type is CLOUD_ARMOR_NETWORK. The following are the valid options: * STANDARD: Standard protection is enabled for this project. * ADVANCED: Advanced DDoS protection is enabled for this project in the region. * ADVANCED_PREVIEW: Advanced DDoS protection is enabled for this project in preview mode.

    Enums
    STANDARD
    ADVANCED
    ADVANCED_PREVIEW

    AdvancedOptionsConfig

    JSON representation 
    {
  "jsonParsing": enum (JsonParsing),
  "jsonCustomConfig": {
    object (JsonCustomConfig)
  },
  "logLevel": enum (LogLevel),
  "userIpRequestHeaders": [
    string
  ]
}
    Fields
    jsonParsing

    enum (JsonParsing)
    jsonCustomConfig

    object (JsonCustomConfig)

    Custom configuration to apply the JSON parsing. Only applicable when jsonParsing is set to STANDARD.
    logLevel

    enum (LogLevel)
    userIpRequestHeaders[]

    string

    An optional list of case-insensitive request header names to use for resolving the callers client IP address.

    JsonParsing

    Enums
    DISABLED
    STANDARD
    STANDARD_WITH_GRAPHQL

    JsonCustomConfig

    JSON representation 
    {
  "contentTypes": [
    string
  ]
}
    Fields
    contentTypes[]

    string

    A list of custom Content-Type header values to apply the JSON parsing.

    As per RFC 1341, a Content-Type header value has the following format:

    Content-Type := type "/" subtype *[";" parameter]

    When configuring a custom Content-Type header value, only the type/subtype needs to be specified, and the parameters should be excluded.

    LogLevel

    Enums
    NORMAL
    VERBOSE

    RecaptchaOptionsConfig

    JSON representation 
    {
  "redirectSiteKey": string
}
    Fields
    redirectSiteKey

    string

    An optional field to supply a reCAPTCHA site key to be used for all the rules using the redirect action with the type of GOOGLE_RECAPTCHA under the security policy. The specified site key needs to be created from the reCAPTCHA API. The user is responsible for the validity of the specified site key. If not specified, a Google Cloud-powered site key is used. This field is only supported in Global Security Policies of type CLOUD_ARMOR.

    SecurityPolicyType

    Enums
    CLOUD_ARMOR
    CLOUD_ARMOR_EDGE
    CLOUD_ARMOR_NETWORK