Arcadie

Reputation: 11

Google Cloud Armor - missing default rule

I've created a Cloud Armor security policy but it does not have a default rule. I am confused because the documentation contradicts this.

https://cloud.google.com/compute/docs/reference/rest/beta/securityPolicies

A list of rules that belong to this policy. There must always be a default rule (rule with priority 2147483647 and match "*"). If no rules are provided when creating a security policy, a default rule with action "allow" will be added.

$ gcloud beta compute security-policies describe healthcheck
---
creationTimestamp: ''
description: ''
fingerprint: ...
id: '.....'
kind: compute#securityPolicy
labelFingerprint: .....
name: healthcheck
rules:
- action: deny(404)
  description: Block requests to /health
  kind: compute#securityPolicyRule
  match:
    expr:
      expression: request.path.matches('/health')
  preview: false
  priority: 1000
selfLink: https://www.googleapis.com/compute/....

Based on my tests, the default behaviour seems to be Allow. Is this default rule hidden or am I missing something?

The rule was created with Terraform but I don't think it matters.

Upvotes: 1

Views: 1600

Answers (1)

TheRovinRogue

Reputation: 316

The answer to your question lies in the fact that there are different ways to create a Cloud Armor policy. For example, if you create a policy through the Cloud Console, you are required to choose the default rule type prior to creating the policy.

In your case, the policy was created using Terraform. Terraform will create a policy in effectively the same way as if you were to use gcloud commands from the Cloud Shell. Using something like Terraform or using gcloud commands will permit a Cloud Armor policy to be created without a default rule specified.

If a Cloud Armor policy is created without a rule specified (default or otherwise), then an “Allow” rule will be automatically added. This is the behavior documented in the REST resource link you shared. One thing to take note of, it may take a few minutes before the default “Allow” rule is visible. In my testing it took at least 2 minutes minimum to be visible in the Console and through:

gcloud compute security-policies describe [POLICY_NAME]

Typically during Cloud Armor policy creation, a default rule is specified with the desired behavior (step # 2). The example you have shared appears to not have updated in the console completely, thus does not show the default “Allow” rule. However, based on the description you provided for your setup, a default “Allow” rule would have been applied during the policy creation by Terraform.

You can always choose to change the behavior of the default rule from “Allow” to “Deny-404” (or “Deny-502”), using the command:

gcloud compute security-policies rules update 2147483647 --security-policy [POLICY_NAME]  --action "deny-404"

(2147483647 is the default rule priority, max int32)

Upvotes: 0
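The verification the answer implies, written out as an added example (not code from the question, the answer, or Google's tooling): parse the JSON form of `gcloud compute security-policies describe` and report whether the default rule is missing, "allow", "deny", or present only in preview mode. The two sample policies are constructed from the question; the field names (`versionedExpr`, `config.srcIpRanges`) follow the REST resource the question links.

```python
import json
import subprocess

# Cloud Armor reserves this priority (max int32) for the default rule, per the REST docs quoted above.
DEFAULT_PRIORITY = 2147483647

# Constructed sample: the asker's policy as shown (one deny(404) rule, no default rule visible).
POLICY_NO_DEFAULT = {
    "name": "healthcheck",
    "rules": [
        {"action": "deny(404)", "priority": 1000, "preview": False,
         "match": {"expr": {"expression": "request.path.matches('/health')"}}},
    ],
}

# Constructed sample: the same policy once the automatic default "allow" rule has propagated.
POLICY_DEFAULT_ALLOW = {
    "name": "healthcheck",
    "rules": POLICY_NO_DEFAULT["rules"] + [
        {"action": "allow", "priority": DEFAULT_PRIORITY, "preview": False,
         "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}},
    ],
}

def find_default_rule(policy):
    """Return the rule at priority 2147483647 whose match is the catch-all '*', or None."""
    for rule in policy.get("rules", []):
        if rule.get("priority") != DEFAULT_PRIORITY:
            continue
        match = rule.get("match", {})
        catch_all = match.get("config", {}).get("srcIpRanges") == ["*"]
        if match.get("versionedExpr") == "SRC_IPS_V1" and catch_all:
            return rule
    return None

def audit_default_rule(policy):
    """Classify the policy's default behaviour: 'missing', 'allow', 'deny' or 'preview-only'."""
    rule = find_default_rule(policy)
    if rule is None:
        return "missing"        # not yet propagated or never created: traffic is allowed by default
    if rule.get("preview"):
        return "preview-only"   # a preview rule is only logged, never enforced
    return "deny" if rule.get("action", "").startswith("deny") else "allow"

def audit_live_policy(name):
    """Run the describe command from the answer with JSON output and audit the result."""
    out = subprocess.check_output(
        ["gcloud", "compute", "security-policies", "describe", name, "--format=json"])
    return audit_default_rule(json.loads(out))

if __name__ == "__main__":
    for policy in (POLICY_NO_DEFAULT, POLICY_DEFAULT_ALLOW):
        print(policy["name"], "->", audit_default_rule(policy))
```

Treat "missing" the same as "allow" when deciding whether a policy is deny-by-default: until the rule is visible, nothing is blocking unmatched traffic.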
