Reputation: 3201
Is there a possibility to evaluate multiple IP networks within the same condition for an advanced rule, like it's possible for countries? [Currently the inIpRange function allows processing only 1 IP range][1]
This works:
'AT,DE,NL,CZ,IT,CH,SK,HR,HU,SI,PL'.contains(origin.region_code)
This does not:
'34.90.0.0/15,34.141.128.0/17,66.249.64.0/19'.contains(origin.ip)
Any ideas?
EDIT: I need to use the exclusion in an advanced multi-logic rule (host and path matching are also involved), not simply deny IP ranges.
[1]: https://cloud.google.com/armor/docs/rules-language-reference#:~:text=inIpRange(x,larger%20than%20/64.
Upvotes: -1
Views: 1716
Reputation: 529
You could write a CEL rule sort of like this:
request.headers['host'].matches('www.example.com') && request.path.lower().urlDecode().contains('/login') && (inIpRange(origin.ip, '74.125.209.0/27') || inIpRange(origin.ip, '34.141.128.0/17') || inIpRange(origin.ip, '66.249.64.0/19'))
Cloud Armor is limited to 5 expressions in a rule so you can't readily expand the rule, but for what you are trying to achieve, this could suffice.
Upvotes: 1
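To build rules of the kind shown in this answer for more CIDRs than fit in one rule, here is an added Python example (not code from the thread, Google or Cloud Armor). It assumes the 5-subexpression limit stated above, an assumed starting priority of 1000 and a placeholder policy name, and it parenthesises the inIpRange() alternatives so the host and path checks apply to every range rather than only the first.

```python
import ipaddress
import shlex

MAX_SUBEXPRESSIONS = 5  # per-rule limit as stated in the answer above


def build_expression(host, path, cidrs):
    """One CEL expression: host AND path AND (any of the CIDRs).
    The inIpRange() calls are parenthesised because CEL binds && tighter
    than ||; without the parentheses every CIDR after the first matches
    on its own, ignoring the host and path conditions."""
    for cidr in cidrs:  # reject malformed ranges or ranges with host bits set
        ipaddress.ip_network(cidr, strict=True)
    ip_clause = " || ".join(f"inIpRange(origin.ip, '{c}')" for c in cidrs)
    return (f"request.headers['host'].matches('{host}') && "
            f"request.path.lower().urlDecode().contains('{path}') && "
            f"({ip_clause})")


def build_rules(host, path, cidrs, policy, start_priority=1000):
    """Chunk the CIDR list so host + path + N inIpRange() calls never exceed
    MAX_SUBEXPRESSIONS; one rule per chunk with ascending (assumed) priority."""
    per_rule = MAX_SUBEXPRESSIONS - 2  # two slots are used by host and path
    rules = []
    for i in range(0, len(cidrs), per_rule):
        chunk = cidrs[i:i + per_rule]
        prio = start_priority + i // per_rule
        expr = build_expression(host, path, chunk)
        cmd = ("gcloud compute security-policies rules create "
               f"{prio} --security-policy={policy} --action=deny-403 "
               f"--expression={shlex.quote(expr)}")
        rules.append({"priority": prio, "cidrs": chunk,
                      "expression": expr, "command": cmd})
    return rules


def first_matching_rule(rules, origin_ip):
    """Offline check of the inIpRange() part only: the lowest priority number
    whose ranges contain origin_ip (the rule Cloud Armor evaluates first).
    None means no generated rule covers the address."""
    ip = ipaddress.ip_address(origin_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if any(ip in ipaddress.ip_network(c) for c in rule["cidrs"]):
            return rule["priority"]
    return None


if __name__ == "__main__":
    # constructed sample: the ranges from the thread, four in total
    sample = ["34.90.0.0/15", "34.141.128.0/17", "66.249.64.0/19", "74.125.209.0/27"]
    for rule in build_rules("www.example.com", "/login", sample, "POLICY_NAME"):
        print(rule["command"])
```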
Reputation: 529
You can always create a rule in basic mode where you can just list the CIDRs. No need to write a CEL rule.
gcloud compute security-policies rules create 1000 --project=[projectName] --action=deny-403 --security-policy=[cloudArmorPolicyName] --src-ip-ranges=34.90.0.0/15,34.141.128.0/17,66.249.64.0/19 --description=Multiple\ origin\ IPs
Note there is a limit of 10 CIDRs per rule. This is a hard cap per rule. If you have more than 10 CIDRs, you need to generate a different rule.
No need to overcomplicate things.
Upvotes: 0