Reputation: 31
Cloud Functions - DDoS protection with max instances cap + node express rate limiter?
I've been using Cloud Functions for a while and it's been great so far - though, it seems like there's no builtin way to set limits on how often the function is invoked.
I've set the max # instances to a reasonable number, but for the # invocations, Firebase doesn't really provide a way to set this. Would using a Node package that limits or slows down requests, when combined with the limited max instances be sufficient to slow down attacks if they happen?
Also know Cloud Endpoints exist - I'm pretty new to OpenAPI and it seems like something that should just be integrated with Functions at an additional cost... but wondering if that would be a good solution too.
Pretty new to all this so appreciate any help!
Upvotes: 0
Views: 705
Answers (1)
Reputation: 75775
If you use only Google Cloud services (I don't know the other cloud provider offers to solve your issue, or even existing framework for this), you can limit the unwanted access at different layer
Firtly, Google Front End (GFE) protects all Google resources (Gmail, Maps, Cloud, Your cloud functions,...) especially against layer 3 and layer 4 common DDoS attacks. In addition, this layer is in charge of the TLS communication establishment, and will also discard the bad connexions.
- Activate the "private mode". This mode forbid the unauthenticated request. With this feature, Google Front End will check if
- A id_token is present in the request header
- If the token is valid (correct signature, not expired)
- If the identity of the token is authorized to access to the resource.
-> Only the valid request reach your service and you will pay only for that. All the bad traffic is processed by Google and "paid" by Google.
Use a Load balancer with Cloud Armor activated. You can also customize your WAF policies if you need them. Use it in front of your Cloud Functions thanks to the serverless NEG feature
If you use API Keys, you can use Cloud Endpoint (or API Gateway, a managed version of Cloud Endpoint) where you can enforce rate limit per API keys. I wrote an article on this (Cloud Endpoinr + ESPv2)
Upvotes: 1
Related Questions
- DDOS in Cloud Run
- Are Google Cloud Functions protected from DDoS attacks?
- How to rate limit a firebase function with Cloud Armor
- Setting function max instances limits in index.js
- Rate limiting for Google/Firebase cloud functions?
- Throttling requests to third-party APIs when using cloud functions
- How to rate limit per user?
- Throttling google cloud endpoints
- Reinforce a Simultanious Rate Limit for Firebase Cloud Function
- Surge handling by Cloud Functions with Firebase