Wiki

Reputation: 9

Cloud Armor policy

Team,

Looking to lock down the external load balancer to the CDN edge-location IP CIDRs. I was able to create the policy in Cloud Armor to allow only the CIDR ranges from the CDN, and was able to see the rules, starting with rule number 1000, created under the policy.

I need to know whether there is a way in a Cloud Armor policy to continue allowing all the traffic, but alert when access from a non-CDN IP address is seen, so I can then investigate the source of access and determine whether it should be blocked or allowed.

Trying to see whether there is any option in Cloud Armor where I can allow all traffic, but have it alert me on access from a non-CDN IP CIDR range (note: I already have the edge-location IP ranges), so I can then investigate the source of access and determine whether it should be blocked or allowed (e.g. access from monitoring systems).

Upvotes: -1

Views: 154

Answers (2)

Dave

Reputation: 539

Have you considered a preview rule? Make sure that the rule is ahead of your allow rule so that you are sure it will fire. In the load balancer logs, it will generate a previewSecurityPolicy stanza in the jsonPayload section of the log line.

Something sort of like this:

```shell
# Priority 500 evaluates before the allow rule at 1000.
# In an interactive bash session the leading ! triggers history expansion:
# escape it (\!inIpRange...) or run `set +H` first. Inside a script it is fine.
gcloud compute security-policies rules create 500 \
  --project=[projectName] \
  --security-policy=[policyName] \
  --action=deny-403 \
  --expression="!inIpRange(origin.ip, '2.2.2.0/24')" \
  --description="Alert when access is not from the specific CIDR" \
  --preview
```

The CEL rule !inIpRange(origin.ip, '2.2.2.0/24') will check whether the user's IP address is NOT in the CIDR block range; that is what the ! at the front of the CEL rule is doing. Then enable the preview rule.

Then, you can create an alert based on when this rule is tripped in preview mode. Since it is only in preview mode, Cloud Armor will just log it and not take any action on the request. You can then go into Logs Explorer and look at the httpRequest.remoteIp value that was logged against the request. Using my priority number value, you might run a query like this:

```
resource.type="http_load_balancer"
jsonPayload.previewSecurityPolicy.priority="500"
```

This will pull the log lines for the preview policy you generated, where you can see the IP addresses. If you want to get really fancy, you can filter the logs by IP address using the Log fields pane. Open the httpRequest stanza in the log entry and left-click the remoteIp value (the connecting IP address as seen by the Application Load Balancer); a menu will appear with options; click "Add field to Log fields pane". The Log fields pane on the left will redraw and list all the remoteIp addresses that match the query, along with a count of how many times each IP appeared in the logs for the time period.

Upvotes: 0

Wiki

Reputation: 9

I was able to achieve a solution by setting up alerting: https://cloud.google.com/armor/docs/request-logging . After enabling request logging you can use log-based alerts to achieve your use case.

Upvotes: 0
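A worked, offline version of what the two answers above describe, added here as an example and not code from either poster. It builds the rule expression for more than one CDN range (the answer shows a single range; for several, chain the negated inIpRange() calls with &&), reproduces the Logs Explorer filter, which is also the condition a log-based alert takes, and runs that filter over constructed load-balancer log entries to list the non-CDN remoteIp values the way the Log fields pane would. Everything in it is an assumption: the CDN ranges, priority 500, the policy name cdn-only-policy, and the log lines, which are constructed to mimic the shape of external Application Load Balancer request logs rather than copied from a real project. It also surfaces one check worth running: a source that is inside the CDN list you hold but still tripped the preview rule means the expression deployed in Cloud Armor is older than that list.

```python
"""Offline check of a Cloud Armor preview rule against LB request logs.

Added example. CDN_CIDRS, PREVIEW_PRIORITY, the policy name and every log
entry below are constructed stand-ins, not real CDN ranges or real logs.
"""
import ipaddress
import json
from collections import Counter

CDN_CIDRS = ["2.2.2.0/24", "2001:db8:c0de::/48"]  # constructed, not a real CDN list
PREVIEW_PRIORITY = 500                              # priority used in the answer
POLICY_NAME = "cdn-only-policy"                     # assumed policy name


def cel_expression(cidrs):
    """Rule expression that is true when the client IP is in none of the ranges:
    the answer's !inIpRange() negation, one term per range, joined with &&."""
    return " && ".join(f"!inIpRange(origin.ip, '{c}')" for c in cidrs)


def outside_cdn(ip, cidrs=CDN_CIDRS):
    """Python equivalent of cel_expression(), so log data can be re-checked offline."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in ipaddress.ip_network(c) for c in cidrs)


def alert_filter(priority=PREVIEW_PRIORITY):
    """Logging query selecting hits of the preview rule; usable in Logs Explorer
    and as the filter of a log-based alert."""
    return ('resource.type="http_load_balancer"\n'
            f"jsonPayload.previewSecurityPolicy.priority={priority}")


def matches_filter(entry, priority=PREVIEW_PRIORITY):
    """Evaluate alert_filter() against one parsed log entry."""
    if entry.get("resource", {}).get("type") != "http_load_balancer":
        return False
    preview = entry.get("jsonPayload", {}).get("previewSecurityPolicy")
    return bool(preview) and preview.get("priority") == priority


def non_cdn_sources(entries, priority=PREVIEW_PRIORITY):
    """Count httpRequest.remoteIp over entries where the preview rule fired:
    the list the Log fields pane shows, with per-IP counts."""
    return Counter(e["httpRequest"]["remoteIp"]
                   for e in entries if matches_filter(e, priority))


def stale_rule_hits(entries, priority=PREVIEW_PRIORITY, cidrs=CDN_CIDRS):
    """IPs that tripped the preview rule yet fall inside the CDN list held
    locally: the deployed expression and the local list have drifted apart."""
    return sorted(ip for ip in non_cdn_sources(entries, priority)
                  if not outside_cdn(ip, cidrs))


def _entry(remote_ip, preview=False, resource_type="http_load_balancer"):
    """Constructed log line shaped like an external LB request log entry."""
    payload = {"enforcedSecurityPolicy": {
        "name": POLICY_NAME, "priority": 2147483647,   # default allow rule
        "configuredAction": "ALLOW", "outcome": "ACCEPT"}}
    if preview:  # present only when the preview rule matched the request
        payload["previewSecurityPolicy"] = {
            "name": POLICY_NAME, "priority": PREVIEW_PRIORITY,
            "configuredAction": "DENY", "outcome": "DENY"}
    return json.dumps({"resource": {"type": resource_type},
                       "httpRequest": {"remoteIp": remote_ip,
                                       "requestMethod": "GET", "status": 200},
                       "jsonPayload": payload})


SAMPLE_LOG_LINES = [                                   # constructed data
    _entry("2.2.2.10"),                                # CDN edge, rule not matched
    _entry("198.51.100.7", preview=True),              # non-CDN source (e.g. a monitor)
    _entry("198.51.100.7", preview=True),
    _entry("203.0.113.9", preview=True),
    _entry("2.2.2.44", preview=True),                  # in local CDN list but still hit
    _entry("10.0.0.5", preview=True, resource_type="gce_instance"),  # not an LB log
]


def analyze(log_lines=SAMPLE_LOG_LINES):
    """Parse the lines and return the sources to investigate plus drift findings."""
    entries = [json.loads(line) for line in log_lines]
    return {"sources": non_cdn_sources(entries), "drift": stale_rule_hits(entries)}


if __name__ == "__main__":
    print("rule expression:", cel_expression(CDN_CIDRS))
    print("alert filter:\n" + alert_filter())
    print(analyze())
```

The Counter returned under "sources" is what you would triage by hand in the Log fields pane; anything under "drift" is a signal to redeploy the rule from the current CDN range list before trusting the alert. Before chaining many ranges into one expression, check the Cloud Armor quota on sub-expressions per rule and split across rules if needed.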
