James Valentine

Reputation: 103

How to reject requests to Google External HTTPS Load Balancer that do not have a host header?

I have a Cloud Run service behind an HTTPS external load balancer. I'm seeing a number of path-scanning style requests (e.g. "/owa", "/admin") that are trying to find vulnerabilities. None of these are supplying a host header.

To reduce unnecessary startups of my Cloud Run container, and to minimise exposing information to random IP address scanners, I'm trying to find a way to reject requests to my load balancer that are missing a host header.

What I had hoped to do was to respond with a static 403 Forbidden style response. However, from the documentation this isn't possible. The best I have come up with is specifying a "Default URL Redirect" in my URL map to send all traffic to google.com that doesn't match any host rule in my URL map. This works, but seems clunky and perhaps not appropriate.

Is it possible to send a static response - or is it only possible to redirect? Is there a better way to solve this?

Upvotes: 3

Views: 1634

Answers (1)

James Valentine

Reputation: 103

The correct answer from a GCP product perspective:

  • Use a Cloud Armor rule to effect the desired behaviour

This allows you to control a range of aspects of the response.

Alternate options you could consider:

  • Create an empty bucket and have that as the default backend.
  • A barebones nginx service on Cloud Run as the default backend that returns your desired status code.

Upvotes: 2
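
The barebones nginx option from the answer above could look like the following `nginx.conf`. This is an added example, not part of the original answer; the listen port (8080, Cloud Run's default), the log and pid paths, and the 403 response body are assumptions.

```nginx
# Catch-all default backend: every request that the URL map sends here
# (i.e. one that matched no host rule) gets a static 403.
worker_processes 1;
error_log /dev/stderr warn;   # container stderr
pid /tmp/nginx.pid;           # writable path for a non-root container (assumption)

events {
    worker_connections 128;
}

http {
    server_tokens off;        # do not advertise the nginx version to scanners
    access_log /dev/stdout;   # container stdout, so scanner traffic stays visible in logs

    server {
        # Single default server: handles any Host value, since no other
        # server block exists to claim a request.
        listen 8080 default_server;
        server_name _;

        location / {
            default_type text/plain;
            return 403 "Forbidden\n";
        }
    }
}
```

Because the URL map only routes unmatched hosts to this service, the main application container is never started for that traffic.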
