matheus

Reputation: 107

Google Cloud Network Load Balancing security concerns

I'm planning to create a website that runs on several different machines in Google Cloud Compute, and I'm seriously thinking about using Google's Network Load Balancing. But I have some questions regarding security and usability.

  1. Can my machines have a private IP address with the HTTP port open? (We don't know when some hacker is trying to get into our servers.)
  2. Will my HTTP response carry the machine's own IP address or the IP of the Network Load Balancer?
  3. Does Google protect the open port on a Google Cloud Compute machine against SYN/packet flood attacks (like a router would)?

Upvotes: 0

Views: 860

Answers (3)

matheus

Reputation: 107

  1. No. It is only possible to have port 80 (HTTP) open if and only if the instance has a public IP address; however, it is possible to limit the machine instances affected with a bastion host.

  2. No. Using Network Load Balancing will protect the IP address of your machine, but it is possible (in theory) to gather the machine's external IP address with random IP address scans or through some flaw in the application.

  3. GCE machine instances have some sort of protection, but they are susceptible to TCP or UDP floods according to SecurityFocus.

Upvotes: 0

Matt S.

Reputation: 7911

You could use HTTP(S) load balancing to do what you want: https://cloud.google.com/compute/docs/load-balancing/http/

  1. See https://cloud.google.com/compute/docs/load-balancing/http/cross-region-example#optional_remove_external_ips_except_for_a_bastion_host for removing external IPs.

  2. Responses will come from the load balanced IP, not your VMs' IPs.

  3. Yes, for some types of malicious traffic, because the load balancing layer is doing full proxying. This means TCP and SSL termination both happen before your VMs.

Upvotes: 1
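The design in the answer above rests on two settings that are easy to get wrong later: no backend keeps an external IP except the bastion, and the web port is reachable only from the load balancer's proxy and health-check ranges rather than from the whole internet. The following audit script is an added example, not code from the question, the answers or Google; it parses the JSON shape emitted by `gcloud compute instances list --format=json` and `gcloud compute firewall-rules list --format=json`, but the records embedded here are constructed samples, and the proxy/health-check ranges 130.211.0.0/22 and 35.191.0.0/16 are the ones Google documented at the time and should be checked against the current documentation before you rely on them.

```python
"""Audit constructed GCE inventory for two settings behind an HTTP(S) load balancer:
(1) only the bastion has an external IP, and
(2) no firewall rule opens the web port to sources outside the LB ranges.
Input shape follows `gcloud ... list --format=json`; the data below is constructed."""
import ipaddress
import json

# Source ranges Google documented for HTTP(S) LB proxies and health checks.
# Assumption: verify these against current docs before relying on them.
LB_RANGES = [ipaddress.ip_network("130.211.0.0/22"),
             ipaddress.ip_network("35.191.0.0/16")]

# Constructed sample: two web backends and one bastion host.
INSTANCES_JSON = json.dumps([
    {"name": "web-1", "networkInterfaces": [{"networkIP": "10.128.0.2"}]},
    {"name": "web-2", "networkInterfaces": [{"networkIP": "10.128.0.3",
        "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.7"}]}]},
    {"name": "bastion", "networkInterfaces": [{"networkIP": "10.128.0.4",
        "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.8"}]}]},
])

# Constructed sample firewall rules: one over-broad HTTP rule, one correct one, one SSH rule.
FIREWALL_JSON = json.dumps([
    {"name": "allow-http-world", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "allow-http-lb", "direction": "INGRESS",
     "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "allow-ssh-bastion", "direction": "INGRESS", "sourceRanges": ["198.51.100.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["bastion"]},
])


def external_ips(instances_json: str) -> dict:
    """Map instance name -> list of external (NAT) IPs; instances without one are omitted."""
    result = {}
    for inst in json.loads(instances_json):
        ips = [cfg["natIP"]
               for nic in inst.get("networkInterfaces", [])
               for cfg in nic.get("accessConfigs", [])
               if cfg.get("natIP")]
        if ips:
            result[inst["name"]] = ips
    return result


def unexpected_external(instances_json: str, allowed: set) -> list:
    """Names of instances holding an external IP that are not in the allowed set (the bastion)."""
    return sorted(n for n in external_ips(instances_json) if n not in allowed)


def _port_matches(ports: list, port: int) -> bool:
    # gcloud lists single ports ("80") or ranges ("8000-8100"); an empty list means all ports.
    if not ports:
        return True
    for p in ports:
        lo, _, hi = p.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rules_exposing_port(firewall_json: str, port: int) -> list:
    """(rule name, offending source ranges) for ingress rules that allow TCP `port`
    from any source range not fully contained in LB_RANGES."""
    exposed = []
    for rule in json.loads(firewall_json):
        if rule.get("direction", "INGRESS") != "INGRESS":
            continue
        opens_port = any(a["IPProtocol"] in ("tcp", "all") and _port_matches(a.get("ports", []), port)
                         for a in rule.get("allowed", []))
        if not opens_port:
            continue
        bad_sources = [s for s in rule.get("sourceRanges", [])
                       if not any(ipaddress.ip_network(s).subnet_of(lb) for lb in LB_RANGES)]
        if bad_sources:
            exposed.append((rule["name"], bad_sources))
    return exposed


if __name__ == "__main__":
    print("instances with external IPs:", external_ips(INSTANCES_JSON))
    print("unexpected external IPs:", unexpected_external(INSTANCES_JSON, {"bastion"}))
    print("rules exposing tcp/80 beyond the LB:", rules_exposing_port(FIREWALL_JSON, 80))
```

Against real output, feed the script the two `gcloud ... --format=json` dumps instead of the embedded samples; `web-2` and `allow-http-world` are the kind of findings that mean a backend is still reachable without passing through the proxy layer the answer relies on for TCP and SSL termination.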

user3547151

Reputation: 89

If your machines have only private IPs (RFC 1918 space) and no external IP, then configuring NLB doesn't make them externally accessible directly on port 80 (if that's what you configure for your service).

Google does handle some level of attacks, but if you are looking at a full-fledged DDoS, then implementing an additional layer on your end helps.

Upvotes: 0
