Google Cloud Armor security policies protect your application by providing Layer 7filtering and by scrubbing incoming requests for common web attacks or other Layer 7attributes to potentially block traffic before it reaches your load balancedbackend services or backend buckets. Each security policy is made up of a set ofrules that filter traffic based on conditions such as an incoming request's IPaddress, IP range, region code, or request headers.
Google Cloud Armor security policies are available only for backend servicesof global external HTTP(S) load balancers, global external HTTP(S) load balancer (classic)s, external TCP proxy load balancers, orexternal SSL proxy load balancers. The load balancer can be inPremium Tier or Standard Tier.
The backends to the backend service can be any of the following:
- Instance groups
- Zonal network endpoint groups(NEGs)
- Serverless NEGs: One ormore App Engine, Cloud Run,or Cloud Functions services
- Internet NEGs forexternal backends
- Buckets in Cloud Storage
When you use Google Cloud Armor to protect a hybrid deployment or a multi-cloudarchitecture, the backends must be internet NEGs. Google Cloud Armor alsoprotects serverless NEGs when traffic is routed through a load balancer. Toensure that only traffic that has been routed through your load balancer reachesyour serverless NEG, seeIngress controls.
Google Cloud Armor also provides advanced network DDoS protection forExternal TCP/UDP network load balancer,protocol forwarding, and VMs withpublic IP addresses. For more information about advanced DDoS protection, seeConfigure advanced network DDoS protection.
Protect your Google Cloud deployments with Google Cloud Armor security policies
External load balancing is implemented at the edge of Google's network inGoogle's points of presence (PoPs) around theworld. In Premium Tier, user traffic directed to anexternal load balancerenters the PoP closest to the user. It is then load balanced over Google'sglobal network to the closest backend that has sufficient capacity available. InStandard Tier, user traffic enters Google's network through peering, ISP, ortransit networks in the region where you have deployed your Google Cloudresources.
Google Cloud Armor security policies enable you to allow, deny, rate-limit,or redirect requests to your global external HTTP(S) load balancer, global external HTTP(S) load balancer (classic)s,external TCP proxy load balancers, or external SSL proxy load balancers at the Google Cloud edge,as close as possible to the source of incoming traffic. This prevents unwelcometraffic from consuming resources or entering your Virtual Private Cloud (VPC)networks.
The following diagram illustrates the location of global external HTTP(S) load balancers,global external HTTP(S) load balancer (classic)s, the Google network, and Google data centers.
Requirements
These are the requirements for using Google Cloud Armor security policies:
- The load balancer must be an global external HTTP(S) load balancer, global external HTTP(S) load balancer (classic),external TCP proxy load balancer, or external SSL proxy load balancer.
- The backend service's load balancing scheme must be
EXTERNAL, orEXTERNAL_MANAGEDif you are using global external HTTP(S) load balancer. - The backend service's protocol must be one of
HTTP,HTTPS,HTTP/2,TCP, orSSL.
About Google Cloud Armor security policies
Google Cloud Armor security policies are sets of rules that match onattributes from Layer 3 to Layer 7 to protect externally facing applications orservices. Each rule is evaluated with respect to incoming traffic.
A Google Cloud Armor security policy rule consists of a match condition andan action to take when that condition is met. Conditions can be as simple aswhether the incoming traffic's source IP address matches a specific IP addressor CIDR range (also known as IP address allowlist and denylist rules).Alternatively, by using theGoogle Cloud Armor custom rules language reference,you can create custom conditions that match on various attributes of theincoming traffic, such as the URL path, request method, or request header values.
When an incoming request matches a condition in a security policy rule,Google Cloud Armor allows, denies, or redirects the request, based on whetherthe rule is an allow rule, a deny rule, or a redirect rule. There can beadditional action parameters to apply, like inserting request headers; thisfeature is part of Google Cloud Armor bot management. For more informationabout bot management, see thebot management overview.
You can associate a Google Cloud Armor security policy with one or morebackend services. A backend service can have only one security policy associatedwith it, but your backend services do not all need to be associated with thesame security policy.
If a Google Cloud Armor security policy is associated with any backendservice, it can't be deleted. A backend service can be deleted regardless ofwhether it has an associated security policy.
If multiple forwarding rules point to a backend service that has an associatedsecurity policy, the policy rules are enforced for all traffic coming in to eachof the forwarding rule IP addresses.
In the following illustration, the Google Cloud Armor security policyinternal-users-policy is associated with the backend service test-network.
Google Cloud Armor security policies have the following core features:
You can optionally use the
QUICprotocol with load balancers that useGoogle Cloud Armor.You can use Google Cloud Armor with load balancers that are ineither of the following Network Service Tiers:
- Premium Tier
- Standard Tier
You can use security policies with GKE and the default Ingresscontroller.
Types of security policies
The following table shows the types of security policies and what you can dowith them. A check mark (✔) indicates that the type of security policy supportsthe feature.
| Frontend Type | Global external HTTP(S) load balancer/Global external HTTP(S) load balancer (classic) | external TCP proxy load balancer/external SSL proxy load balancer | global external HTTP(S) load balancer/global external HTTP(S) load balancer (classic) |
| Attachment point (protected resource) | Backend service | Backend service |
|
| Rule actions |
|
|
|
| Source IP address | ✔ | ✔ | ✔ |
| Source geography | ✔ | ✔ | ✔ |
| Source ASN | ✔ | ✔ | |
| Rate limiting | ✔ | ✔ | |
| Bot management | ✔ | ||
| Layer 7 filtering | ✔ | ||
| WAF | ✔ | ||
| Adaptive protection | ✔ | ||
| Named IP address lists | ✔ | ||
| Threat Intelligence (preview) | ✔ | ||
Backend security policies
Backend security policies are used with backend services exposed by anglobal external HTTP(S) load balancer, global external HTTP(S) load balancer (classic), External TCP Proxy Load Balancing, orExternal SSL Proxy Load Balancing. They can be used to filter requests and protect backendservices that reference instance groups or network endpoint groups (NEGs)including internet, zonal, and serverless NEGs.
When using an external TCP proxy load balancer, Google Cloud Armor enforces the security policyrule action deny only on new connection requests. The deny actionterminates the TCP connection. In addition, if you provide a status code withyour deny action, the status code is ignored.
Edge security policies
Edge security policies enable users to configure filtering and access controlpolicies for content that is stored in cache; this includes endpoints likeCloud CDN-enabled backend services and Cloud Storage buckets. Edgesecurity policies support filtering based on a subset of parameters compared tobackend security policies. You cannot set an edge security policy as a backendpolicy. Edge security policies are not supported for external TCP proxy load balancers orexternal SSL proxy load balancers.
Edge security policies can be configured to filter requests before the requestis served from Google's cache. Edge security policies are deployed and enforcedat the outermost perimeter of Google's network, upstream of where theCloud CDN cache resides. Edge security policies can coexist with backendsecurity policies to provide two layers of protection. They can besimultaneously applied to a backend service regardless of the resources that thebackend service points to (for example, instance groups or network endpointgroups). Only edge security policies can be applied to backend buckets.
When edge security policies and backend security policies are attached tothe same backend service, backend security policies are enforced only forcache miss requests that have passed edge security policies.
Rule evaluation order
Rule evaluation order is determined by rule priority, from the lowest numberto the highest number. The rule with the lowest numeric value assigned has thehighest logical priority and is evaluated prior to rules with lower logicalpriorities. The minimum numeric priority is 0. The priority of a rule decreasesas its number increases (1, 2, 3, N+1). You cannot configure two or more ruleswith the same priority. The priority for each rule must be set to a number from0 to 2147483646 inclusive. The priority value 2147483647, also known asINT-MAX, is reserved for the default rule.
Priority numbers can have gaps, which enable you to add or remove rules in thefuture without affecting the rest of the rules. For example, 1, 2, 3, 4, 5, 9,12, 16 is a valid series of priority numbers to which you could add rulesnumbered from 6 to 8, 10 to 11, and 13 to 15 in the future. You don't need tochange the existing rules except for the order of execution.
Typically, the highest priority rule that matches the request is applied.However, there is an exception when HTTP POST requests are evaluated againstpreconfigured rules that use evaluatePreconfiguredExpr(). The exception is asfollows.
For HTTP POST requests, Google Cloud Armor receives the request's headerbefore the body (payload). Because Google Cloud Armor receives theheader information first, it evaluates rules that match against the header, butit does not match any preconfigured rules on the body. If there are multipleheader-based rules, Google Cloud Armor evaluates them based on theirpriority as expected. Note that redirect actions and inserting custom headeractions work only during the header processing phase. The redirect action, ifmatched during the following body processing phase, is translated to a denyaction. The custom request header action, if matched during the bodyprocessing phase, will not take effect.
After Google Cloud Armor receives the HTTP POST body, it evaluates rulesthat apply to both the request headers and body. As a result, it's possible thatlower priority rules that allow a request's header are matched before higherpriority rules that block the request's body. In such cases, it is possible thatthe HTTP header portion of the request is sent to the target backendservice, but the POST body containing potentially malicious content isblocked. Google Cloud Armor inspects the first 8KB of the POST body.For more information about this limitation, seePOST body inspection limitation.
The evaluatePreconfiguredExpr() expression for preconfigured rules isthe only expression that is evaluated against the request body. All otherexpressions are evaluated against the request header only. Among the HTTPrequest types with a request body, Google Cloud Armor processes only POSTrequests. The inspection is limited to the first 8 KB of the POST body andgets decoded like URL query parameters. Google Cloud Armor can parse and applypreconfigured WAF rules for JSON-formatted POST bodies (Content-Type='application/json'). However, Google Cloud Armor does not support otherHTTP Content-Type/Content-Encoding-based decoders such as XML, Gzip, or UTF-16.
Examples
In the following example, rules 1, 2, and 3 are evaluated in that order for theIP and HTTP header fields. However, if an IP 9.9.9.1 launches an XSSattack in the HTTP POST body, only the body is blocked (by rule 2); the HTTPheader passes through to the backend (by rule 3).
Rule1expr: inIPRange(origin.ip, '10.10.10.0/24')action: deny(403)priority: 1Rule2expr: evaluatePreconfiguredExpr('xss-stable')action: deny(403)priority: 2Rule3expr: inIPRange(origin.ip, '9.9.9.0/24')action: allowpriority: 3Rule-defaultaction: deny(403)priority: INT-MAXIn the following example, the policy allows IP 9.9.9.1 without scanning againstXSS attacks:
Rule1expr: inIPRange(origin.ip, '10.10.10.0/24')action: deny(403)priority: 1Rule2expr: inIPRange(origin.ip, '9.9.9.0/24')action: allowpriority: 2Rule3expr: evaluatePreconfiguredExpr('xss-stable')action: deny(403)priority: 3Rule-defaultaction: allowpriority: INT-MAXDefault rule
Each Google Cloud Armor security policy contains a default rule that ismatched if none of the higher priority rules are matched or if there are noother rules in the policy. The default rule is automatically assigned a priorityof 2147483647 (INT-MAX), and it is always present in the security policy.
You cannot delete the default rule, but you can modify it. The default actionfor the default rule is deny, but you can change the action to allow.
Fingerprint
Each Google Cloud Armor security policy has a field fingerprint. Thefingerprint is a hash of the contents stored in the policy. When you create anew policy, do not provide the value of this field. If you provide a value, itis ignored. However, when you update a security policy, you must specify thecurrent fingerprint, which you get when you export or describe the policy (usingEXPORT or DESCRIBE, respectively).
The fingerprint protects you from overriding another user's update. If thefingerprint that you provide is out of date, it means that the security policywas updated since you last retrieved the fingerprint. To check for anydifferences and to retrieve the latest fingerprint, run the DESCRIBEcommand.
Rules language and enforcement engine
The rules language and enforcement engine provide the following:
The ability to write custom rule expressions that can match on various Layer 3through Layer 7 attributes of incoming requests. Google Cloud Armor provides aflexible language for writing custommatch conditions.
The ability to combine multiple subexpressions in a single rule.
The ability to deny or allow requests based on the incoming request's regioncode. The region codes are based on theISO 3166-1 alpha 2 codes. The region codes sometimes correspond to specific countries, but someencompass a country plus its associated areas. For example, the
UScodeincludes all states of the United States, one district, and six outlying areas.
Types of rules
Google Cloud Armor has the following types of rules.
IP address allowlist and denylist rules
You can create IP address allowlist and denylist rules within a securitypolicy. Some examples include the following:
Denylisting for IP address/CIDR enables you to block a source IP address or CIDR range fromaccessing supported load balancers.
Allowlisting for IP address/CIDR enables you to allow a sourceIP address or CIDR range to access supported load balancers.
IPv4 and IPv6 addresses are supported in allowlist and denylist rules.
IP address rules can block or allow individual source IPaddresses or CIDRs. Both IPv4 and IPv6 source addresses are supported.
Deny rules can return an HTTP
403(Unauthorized),404(Access Denied),or502(Bad Gateway) response.Exceed action rules can return an HTTP
429(Too Many Requests).
Preconfigured rules for XSS, SQLi, LFI, RFI, and RCE
You can use preconfigured rules to mitigate the following attacks:
- Cross-site scripting (XSS)
- SQL injection (SQLi) attacks
- Local file inclusion (LFI) attacks
- Remote file inclusion (RFI) attacks
- Remote code execution (RCE) attacks
These rules are based on theOWASP Modsecurity core rule set version 3.0.2.
Bot management rules
You can use bot management rules to do the following:
- Redirect requests for reCAPTCHA Enterprise assessment with optionalmanual challenges.
- Evaluate reCAPTCHA Enterprise tokens attached with a request and applythe configured action based on token attributes.
- Redirect requests to your configured alternative URL with a 302 response.
- Insert custom headers to requests before proxying them to your backends.
For more information about bot management, see thebot management overview.
Preconfigured rules for named IP address lists
Preconfigured rules for named IP address lists provide the following:
Integrate third-party providers' named IP address lists withGoogle Cloud Armor.
Simplify maintenance of allowed or denied IP address ranges.
Synchronize third-party providers' lists daily.
Increase your capacity for configuring IP addresses and ranges in securitypolicies because named IP address lists are not subject to limits on the numberof IP addresses per rule.
Rate limiting rules
You can use rate limiting rules to do the following:
- Throttle requests per client based on a threshold you configure.
- Temporarily ban clients that exceed a request threshold that you set for aconfigured duration.
When you use rate limiting with external TCP proxy load balancers or external SSL proxy load balancers, thefollowing restrictions apply:
- Google Cloud Armor only enforces rate limiting actions like throttling orbanning on new connection requests from clients.
- Only the key types
ALLandIPare supported for External TCP Proxy Load Balancing andExternal SSL Proxy Load Balancing. - If you attempt to use the key type
HTTP-HEADERorHTTP-COOKIEwith TCP/SSLload balancers, the key type is interpreted asALL, and likewiseXFF-IPis interpreted asIP.
For more information about rate limiting and how it works, see theRate limiting overview.
Preview mode
You can preview the effects of a rule without enforcing it. In preview mode,actions are noted in Cloud Monitoring. You can choose topreview individual rules in a security policy, or you can preview every rule inthe policy.
You can enable preview mode for a rule by using the Google Cloud CLI and the--preview flag ofgcloud compute security-policies rules update.
To disable preview mode, use the --no-preview flag, which is not currentlydocumented. You can also use the Google Cloud console.
If a request triggers a preview, Google Cloud Armor will continue to evaluateother rules until finding a match. Both the matched and preview rule will beavailable in the logs.
Logging
Google Cloud Armor has extensive logging and lets you define how verboseyour logging is. For complete information about logging, seeUsing request logging.
JSON parsing and verbose logging
By default, Google Cloud Armor does not parse the JSON content of POST bodieswhen preconfigured WAF (web application firewall) rules are evaluated. This cancause the WAF rules to be noisy and potentially generate false positive matcheson incoming requests if the protected workloads serve REST APIs or otherwisereceive requests with JSON in the POST Body(Content-Type = "application/json").
A noisy rule is triggered by requests that you would most likely consider to befalse positives. For example, a JSON request body such as '{"test": "123"}'triggers the SQL injection rule owasp-crs-v030001-id942431-sqli if JSONparsing is not enabled.
We recommend that you enable JSON parsing if you expect your workload to receiverequests with Content-Type = "application/json"—for example, if you areserving REST APIs. By default, this option is disabled. The syntax for the flagis as follows:
--json-parsing=[STANDARD | DISABLED]
The flag is available only with gcloud compute security-policies update. Youcannot create a new security policy with this option unless you create asecurity policy in a file and then import that file.
To reduce the noise and false positives, you can configure Google Cloud Armorto parse the JSON content of POST bodies. This means that Google Cloud Armorignores structural characters of the JSON message in the POST body and looksonly at the end-user-provided values in the JSON message. For more informationabout preconfigured WAF rules, seeTuning Google Cloud Armor WAF rules.
Additionally, you might not be able to tell why a preconfigured WAF rule wastriggered by a particular request. Google Cloud Armor's default event logscontain the rule that was triggered, as well as the subsignature. However, you mightneed to identify the details from the incoming request that triggered the rulefor troubleshooting, rule validation, or rule tuning purposes.
You can adjust the level of detail recorded in your logs. We recommend that youenable verbose logging only when you first create a policy, makechanges to a policy, or troubleshoot a policy. If you enable verboselogging, it is in effect for rules in preview mode as well as active(non-previewed) rules during standard operations.
For more information about verbose logging, see Using requestlogging.
HTTP(S) Load Balancing request logging
Each HTTP(S) request that is evaluated against a Google Cloud Armor securitypolicy is logged through Cloud Logging. The logs provide details such as thename of the applied security policy, the matching rule, and whether the rule wasenforced. Request logging for new backend service resources is disabled bydefault. To ensure that Google Cloud Armor requests are logged, you mustenable HTTP(S) logging for each backend service protected by a security policy.
For more information, seeHTTP(S) Load Balancing logging and monitoringand Using request logging.
To view Google Cloud Armor logs, see Viewing logs.
External TCP Proxy Load Balancing and External SSL Proxy Load Balancing request logging
You can configure External TCP Proxy Load Balancing and External SSL Proxy Load Balancinglogging using the Google Cloud CLI commands as listed inHTTP(S) Load Balancing logging and monitoring.You cannot enable logging for External TCP Proxy Load Balancing and External SSL Proxy Load Balancingusing the Google Cloud console.
Limitations
The following sections detail limitations for security policies.
POST body inspection limitation
The evaluatePreconfiguredExpr() expression for preconfigured rules is the onlyexpression that Google Cloud Armor evaluates against the request body. Amongthe HTTP request types with a request body, Google Cloud Armor processes onlyPOST requests.
The inspection is limited to the first 8 KB of the POST body, which gets decodedlike URL query parameters. The remainder of the POST body might containmalicious code, which your application might accept. To mitigate the risk ofPOST bodies whose size exceeds 8 KB, see thetroubleshooting guide.
Google Cloud Armor can parse and apply preconfigured WAF rules for defaultURL-encoded and JSON-formatted POST bodies (Content-Type='application/json'),in which case rules are independently applied on the decoded names and values inthe data. For other content types and encoding types, Google Cloud Armor doesnot decode the data, but applies the preconfigured rules on raw data.
How WebSocket connections are handled
global external HTTP(S) load balancer has built-in support for the WebSocket protocol.WebSocket channels are initiated from HTTP(S) requests. Google Cloud Armorcan block a WebSocket channel from being established, for example, if an IPaddress denylist blocks the originating IP address. However, subsequenttransactions in the channel do not conform to the HTTP protocol, andGoogle Cloud Armor does not evaluate any messages after the first request.
What's next
- Configure security policies, rules, and expressions
- Learn about the features in Managed Protection tiers
- Learn about named IP address lists
- Troubleshoot issues
FAQs
Security policy overview | Google Cloud Armor? ›
Google Cloud Armor security policies enable you to allow or deny access to your deployment at the Google Cloud edge, as close as possible to the source of incoming traffic. This prevents unwelcome traffic from consuming resources or entering your Virtual Private Cloud (VPC) networks.
Is cloud armor a WAF? ›Tuning Google Cloud Armor WAF rules
Preconfigured web application firewall (WAF) rules with dozens of signatures that are compiled from open source industry standards.
Create a Google Cloud Armor security policy. Add rules to the security policy based on IP address lists, custom expressions, or preconfigured expression sets. Attach the security policy to a backend service of the external HTTP(S) load balancer for which you want to control access. Update the security policy as needed.
How do I check my cloud armor log? ›Viewing logs
You can view the logs for a Google Cloud Armor security policy only in the Google Cloud console. In the Google Cloud console, go to the Network Security page. On the Security policies page, in the row for a security policy, click more_vertMenu for the policy whose logs you want to view. Select View logs.
Google Cloud Armor security policies are available only for backend services of global external HTTP(S) load balancers, global external HTTP(S) load balancer (classic)s, external TCP proxy load balancers, or external SSL proxy load balancers. The load balancer can be in Premium Tier or Standard Tier.
Does Google Cloud has DDoS protection? ›Distributed Denial of Service (DDoS) attacks don't need to be big to wreak havoc on a target, but it doesn't hurt. In the latest biggest of all times attacks, Google fended off an HTTPS DDoS attack, which peaked at 46 million requests per second (RPS).
Does Google have a WAF? ›Google Cloud Armor is the web-application firewall (WAF) and DDoS mitigation service that helps users defend their web apps and services at Google scale at the edge of Google's network.
What are WAF rules? ›An AWS WAF rule defines how to inspect HTTP(S) web requests and the action to take on a request when it matches the inspection criteria. You define rules only in the context of a rule group or web ACL. You can define rules that inspect for criteria like the following: Scripts that are likely to be malicious.
What is WAF service? ›A WAF protects your web apps by filtering, monitoring, and blocking any malicious HTTP/S traffic traveling to the web application, and prevents any unauthorized data from leaving the app. It does this by adhering to a set of policies that help determine what traffic is malicious and what traffic is safe.
What is a cloud CDN? ›
Cloud CDN is a content delivery network that accelerates your web and video content delivery by using Google's global edge network to bring content as close to your users as possible. As a result latency, cost, and load on your backend servers is reduced, making it easier to scale to millions of users.
What is VPC service controls? ›VPC Service Controls allow customers to address threats such as data theft, accidental data loss, and excessive access to data stored in Google Cloud multi-tenant services. It enables clients to tightly control what entities can access what services in order to reduce both intentional and unintentional losses.
Which two of the following vulnerabilities are scanned for when you use cloud security scanner? ›If you're using App Engine, you can easily scan your application for two very common vulnerabilities: cross-site scripting (XSS) and mixed content.
How security is provided in cloud computing? ›Security in cloud computing is a major concern. Data in cloud should be stored in encrypted form. To restrict client from accessing the shared data directly, proxy and brokerage services should be employed.
Which of the following security measures is of extra importance when using cloud services? ›One of the most important cloud computing security measures you can take is backing up your data. It's crucial to have a contingency plan in place should anything happen to your information, such as loss or corruption. You may opt to have a local back-up or even utilise another cloud service – or do both.
Which of the following security options could be provided by a cloud computing solution? ›Cloud providers take steps to protect data that's in transit. Data Security methods include virtual private networks, encryption, or masking. Virtual private networks (VPNs) allow remote employees to connect to corporate networks. VPNs accommodate tablets and smartphones for remote access.
What are cloud security requirements? ›The steps required to secure data in the cloud vary. Factors, including the type and sensitivity of the data to be protected, cloud architecture, accessibility of built-in and third-party tools, and number and types of users authorized to access the data must be considered.