Reputation: 3083
We see a lot of scans and attempts to hack our various external ingresses in GCP, and the majority of these come from outside the U.S. The neat thing is that we don't service anyone outside maybe 5 U.S. states, and I'd like to know how to only allow ingress from IPs located inside the U.S. How can I create a firewall rule that does this in GCP? Is that even possible? Google searches asking this question yield nothing, not even anyone asking this question. Netflix and Hulu seem to have no problems doing this; can we do it too?
Upvotes: 0
Views: 1440
Reputation: 353
I'm not sure if this will answer your question or not, but there is a way to combine multiple GCP services like Cloud Armor, Memorystore and Cloud Run so that you can dynamically configure a security policy that can serve your purpose, adding functionality similar to fail2ban to a cloud environment.
I set up a tutorial for this and you can find it here: hodo.dev/posts/post-39-gcp-fail2ban-cloud-armor
Upvotes: 0
Reputation: 377
The closest thing GCP has to prevent attacks like DDoS or hacking is Cloud Armor. Google Cloud Armor delivers defense at scale against infrastructure and application Distributed Denial of Service (DDoS) attacks, using Google's global infrastructure and security systems. Cloud Armor works in conjunction with the Global HTTP(S) LB and provides a layer of protection for your applications running on the backend servers. You cannot use it without a Global HTTP LB.
To limit traffic and protect the HTTPS LB, you can configure Cloud Armor security policies that are made up of rules that allow or prohibit traffic from IP addresses or ranges defined in the rule. You can create Google Cloud Armor security policies with IP deny lists and allow lists that restrict unauthorized access to the HTTP(S) Load Balancer from the internet. It's worth mentioning that in GCP, firewall rules are specified at the VPC level, not coupled with the HTTPS Load Balancer. Additionally, you could get a little more information about GCP Best Practices for DDoS Protection and Mitigation on Google Cloud Platform.
Upvotes: 2
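The allow-list policy described in the answer above, as an added example that is not part of the original post or of any Google tooling: it models a Cloud Armor policy as ordered allow rules plus a deny-403 default rule, simulates the first-match evaluation so you can check which source IPs get through before deploying, and renders the equivalent gcloud commands. The CIDR ranges, the policy name and the assumed per-rule cap of 10 ranges are constructed sample values.

```python
import ipaddress

# Cloud Armor evaluates a policy's rules in ascending priority order and the
# first matching rule decides; priority 2147483647 is the policy's default rule.
DEFAULT_RULE_PRIORITY = 2147483647
# Assumed cap on CIDRs per src-ip-ranges rule; confirm against current quotas.
MAX_RANGES_PER_RULE = 10

# Constructed sample: ranges the operator has decided to treat as "our US users".
ALLOWED_RANGES = ["198.51.100.0/24", "203.0.113.0/24"]


def build_allow_list_policy(allowed_ranges):
    """Return ordered (priority, action, networks) tuples: one allow rule per
    chunk of ranges, then a default rule that denies everything else with 403."""
    rules = []
    for i in range(0, len(allowed_ranges), MAX_RANGES_PER_RULE):
        chunk = allowed_ranges[i:i + MAX_RANGES_PER_RULE]
        rules.append((1000 + i, "allow", [ipaddress.ip_network(r) for r in chunk]))
    rules.append((DEFAULT_RULE_PRIORITY, "deny-403", None))
    return rules


def evaluate(rules, src_ip):
    """Simulate Cloud Armor: return (priority, action) of the first matching rule."""
    ip = ipaddress.ip_address(src_ip)
    for priority, action, networks in sorted(rules, key=lambda r: r[0]):
        if networks is None or any(ip in net for net in networks):
            return priority, action
    raise ValueError("policy has no default rule")


def to_gcloud(rules, policy_name):
    """Render the rules as gcloud commands (policy_name is a placeholder)."""
    cmds = [f"gcloud compute security-policies create {policy_name}"]
    for priority, action, networks in rules:
        if networks is None:  # the default rule already exists; only its action changes
            cmds.append(f"gcloud compute security-policies rules update {priority} "
                        f"--security-policy {policy_name} --action {action}")
        else:
            ranges = ",".join(str(n) for n in networks)
            cmds.append(f"gcloud compute security-policies rules create {priority} "
                        f"--security-policy {policy_name} --src-ip-ranges {ranges} "
                        f"--action {action}")
    return cmds


if __name__ == "__main__":
    policy = build_allow_list_policy(ALLOWED_RANGES)
    print("\n".join(to_gcloud(policy, "us-only-allow-list")))
    for probe in ("198.51.100.7", "192.0.2.5"):
        print(probe, "->", evaluate(policy, probe))
```

The policy must then be attached to the load balancer's backend service; the VPC firewall rules mentioned in the answer do not see the traffic the HTTP(S) LB terminates.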