breach

Reputation: 47

Cloud Armor rule for allowing traffic between API and Application on same load balancer

I have an Angular application hosted on App Engine and a FastAPI server hosted on Compute Engine, both served via a single load balancer (separate host URLs, say demo-app.com and demo-api.com respectively). The load balancer has a static IP.

Is there a Cloud Armor rule that will ALLOW traffic only between the application (demo-app.com) and the server (demo-api.com) and DENY all other traffic? Two separate rules, one for each direction, are also fine.

Tried using the load balancer IP, but I guess that's pointless as the remote IP in the HTTP request is that of the device using the application. Can't use header values (like 'Host' and 'Referer') as they are not trustworthy. Is there any way I can use cookies to make this work?

Can't find any detailed documentation on this; I would appreciate it if anyone could even just point me at the right reading material.

Upvotes: 0

Views: 487

Answers (1)

mati kepa

Reputation: 3201

You can make it IP- or network-based, like in the examples below:

request.headers['host'].matches('demo-app.com') && inIpRange(origin.ip, '127.0.0.0/24')

where 127.0.0.0/24 is the public IP network where your demo-api.com is hosted,

OR

request.headers['host'].matches('demo-app.com') && (origin.ip == '127.0.0.1' || origin.ip == '127.0.0.2')

where 127.0.0.1 and 127.0.0.2 are the exact public IP addresses where your demo-api.com is hosted.

  • When creating the rule, go to Advanced mode
  • Paste one of the above expressions
  • For the action, set Allow

Upvotes: 0
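To see what the two allow rules from the answer actually admit, here is a small model of them run over constructed requests. This is example code added here, not part of the original post and not Google's code: the hosts and the 127.0.0.0/24 addresses are the answer's placeholders, and the sample requests are made up. It also models the substring form `'127.0.0.1,127.0.0.2'.contains(origin.ip)`, which is a string-contains test rather than an address comparison, so an unrelated origin such as 27.0.0.1 satisfies it; `inIpRange` or an exact `==` comparison does not have that problem.

```python
"""Model of the Cloud Armor allow expressions discussed above, evaluated over
constructed requests.  Added example, not from the original post or from
Google Cloud; hosts and addresses are placeholders taken from the answer."""
import ipaddress

APP_HOST = "demo-app.com"                           # host the rule is scoped to
API_NET = ipaddress.ip_network("127.0.0.0/24")      # placeholder network from the answer
API_IPS = {"127.0.0.1", "127.0.0.2"}                # placeholder exact addresses


def in_ip_range(origin_ip: str, cidr) -> bool:
    """Mirrors inIpRange(origin.ip, 'CIDR'): true when the address is inside the prefix."""
    return ipaddress.ip_address(origin_ip) in cidr


def allow_by_network(host: str, origin_ip: str) -> bool:
    # request.headers['host'].matches('demo-app.com') && inIpRange(origin.ip, '127.0.0.0/24')
    return host == APP_HOST and in_ip_range(origin_ip, API_NET)


def allow_by_exact_ip(host: str, origin_ip: str) -> bool:
    # request.headers['host'].matches('demo-app.com') && (origin.ip == '127.0.0.1' || origin.ip == '127.0.0.2')
    return host == APP_HOST and origin_ip in API_IPS


def allow_by_substring(host: str, origin_ip: str) -> bool:
    # '127.0.0.1,127.0.0.2'.contains(origin.ip): a substring check on the comma-joined
    # list, kept here only to show why it is weaker than the two forms above.
    return host == APP_HOST and origin_ip in "127.0.0.1,127.0.0.2"


def evaluate(rule, requests):
    """Apply one allow rule to each (host, origin.ip) pair.  Anything the allow
    rule does not match falls through to the policy's default rule, assumed
    here to be deny."""
    return ["allow" if rule(host, ip) else "deny" for host, ip in requests]


# Constructed sample requests: (Host header, origin.ip as the load balancer sees it)
SAMPLE = [
    ("demo-app.com", "127.0.0.1"),    # listed API address: allowed by every form
    ("demo-app.com", "127.0.0.77"),   # inside the /24 but not in the exact list
    ("demo-app.com", "27.0.0.1"),     # unrelated address that is a substring of '127.0.0.1'
    ("demo-app.com", "203.0.113.9"),  # ordinary client address
    ("demo-api.com", "127.0.0.1"),    # right address, wrong host
]

if __name__ == "__main__":
    for name, rule in [("network", allow_by_network),
                       ("exact ip", allow_by_exact_ip),
                       ("substring", allow_by_substring)]:
        print(f"{name:10s}", evaluate(rule, SAMPLE))
```

Two things to keep in mind when turning this into a real policy: the allow rule only does its job when the security policy's default rule (priority 2147483647) is a deny, and `origin.ip` is the address of whoever opened the TCP connection to the load balancer, so this only restricts requests that genuinely originate from the API host's public egress address, not requests a browser makes to demo-api.com.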
