1. Introduction
Google Cloud Armor named IP address lists let you reference lists of IP addresses and IP ranges that are maintained by third-party providers. You reference a named list from a rule in a security policy instead of specifying each IP address or IP range yourself, and Google keeps the list's contents current.
What you'll learn
- Benefits of Cloud Armor named IP address list
- Create Cloud Armor security policy
- Deploy Cloud Armor named IP address list
- Create Global Load balancer
- Create Managed Instance group with sample test application
What you'll need
- Experience with Security Policies and Load Balancers
2. Allowing traffic only from permitted third-party providers
A typical use case is to create an allowlist containing the IP addresses of a permitted third-party partner to ensure that only traffic coming from this partner can access the load balancer and the backends.
For example, CDN providers need to pull content from origin servers at regular intervals to distribute them to their own caches. A partnership with Google provides a direct connection between CDN providers and the Google network edge. CDN users on Google Cloud can use this direct connection during origin pulls. In this case, the CDN user might want to build a security policy that only allows traffic coming from that particular CDN provider.
In this example, a CDN provider publishes its IP address list (23.235.32.0/20, 43.249.72.0/22, …). A CDN user configures a security rule that allows traffic only from these ranges. As a result, two CDN provider access points (23.235.32.10 and 43.249.72.10) match the list and their traffic is permitted, while traffic from the unauthorized access point 198.51.100.1 is blocked.
Figure: Google Cloud Armor named IP address list allowing only the CDN provider's access points
3. Simplifying configuration and management by using preconfigured rules
CDN providers often use IP addresses that are well known and that many CDN users need to allow. These lists change over time as providers add, remove, and update IP addresses.
Using a named IP address list in a security policy rule simplifies configuring and managing these addresses because Google Cloud Armor synchronizes the list from the provider daily. This eliminates the time-consuming and error-prone process of maintaining a large IP address list manually, and it removes the window in which a stale, hand-maintained allowlist blocks a provider's new addresses or keeps allowing addresses the provider has given up.
IP address list providers
The supported IP address list providers are CDN providers that have partnered with Google. Each provider publishes its IP address lists through public URLs.
These partners provide separate lists of IPv4 addresses and IPv6 addresses. Google Cloud Armor uses the provided URLs to fetch the lists and converts them into named IP address lists. You refer to a list by the name of its preconfigured expression set (for example sourceiplist-cloudflare), which the command below returns.
Alternatively, use Cloud Shell to obtain the list of preconfigured named IP address lists.
Log into Cloud Shell and set your project ID:
gcloud config list project
gcloud config set project [YOUR-PROJECT-ID]
Store the project ID in a variable for the rest of the codelab:
projectid=YOUR-PROJECT-ID
echo $projectid
From Cloud Shell
gcloud compute security-policies list-preconfigured-expression-sets \
  --filter="id:sourceiplist"
This returns:
EXPRESSION_SET
sourceiplist-fastly
sourceiplist-cloudflare
sourceiplist-imperva
4. Codelab topology
5. Setup and Requirements
Self-paced environment setup
- Sign in to Cloud Console and create a new project or reuse an existing one. (If you don't already have a Gmail or Google Workspace account, you must create one.)
Remember the project ID, a unique name across all Google Cloud projects. It will be referred to later in this codelab as PROJECT_ID.
- Next, you'll need to enable billing in Cloud Console in order to use Google Cloud resources.
Running through this codelab shouldn't cost much, if anything at all. Be sure to follow the instructions in the "Clean Up Steps" section, which explain how to shut down resources so you don't incur billing beyond this tutorial. New users of Google Cloud are eligible for the $300 USD Free Trial program.
Start Cloud Shell
While Google Cloud can be operated remotely from your laptop, in this codelab you will be using Google Cloud Shell, a command line environment running in the Cloud.
From the GCP Console click the Cloud Shell icon on the top right toolbar:
It should only take a few moments to provision and connect to the environment. When it is finished, you should see something like this:
This virtual machine is loaded with all the development tools you'll need. It offers a persistent 5GB home directory, and runs on Google Cloud, greatly enhancing network performance and authentication. All of your work in this lab can be done with simply a browser.
6. Create VPC network
VPC Network
From Cloud Shell
gcloud compute networks create named-list-vpc --subnet-mode custom
Create Subnet
From Cloud Shell
gcloud compute networks subnets create named-ip-subnet \
  --network named-list-vpc \
  --range 10.0.0.0/24 --region us-east1
Create Firewall Rules
The first rule opens TCP port 80 from any source so that you can browse to an instance's external IP in the next step. Note that this rule makes the backend reachable directly, bypassing the load balancer and therefore any Cloud Armor policy; in a production deployment restrict port 80 to the Google Front End proxy ranges (130.211.0.0/22 and 35.191.0.0/16) used by the second rule, or give the instances no external IP at all. The second rule admits health checks from those same Google ranges.
From Cloud Shell
gcloud compute --project=$projectid firewall-rules create default-allow-http --direction=INGRESS --priority=1000 --network=named-list-vpc --action=ALLOW --rules=tcp:80 --source-ranges=0.0.0.0/0
gcloud compute --project=$projectid firewall-rules create default-allow-health-check --direction=INGRESS --priority=1000 --network=named-list-vpc --action=ALLOW --rules=tcp --source-ranges=130.211.0.0/22,35.191.0.0/16
Create the load balancer
Create the instance template
From Cloud Shell
gcloud beta compute --project=$projectid instance-templates create us-east1-template --machine-type=e2-medium --subnet=projects/$projectid/regions/us-east1/subnetworks/named-ip-subnet --network-tier=PREMIUM --metadata=startup-script-url=gs://cloud-training/gcpnet/httplb/startup.sh --maintenance-policy=MIGRATE --image=debian-10-buster-v20210217 --image-project=debian-cloud --boot-disk-size=10GB --boot-disk-type=pd-balanced --boot-disk-device-name=us-east1-template --no-shielded-secure-boot --no-shielded-vtpm --no-shielded-integrity-monitoring --reservation-affinity=any
Create the Managed Instance Group
From Cloud Shell
gcloud compute --project=$projectid instance-groups managed create us-east1-mig --base-instance-name=us-east1-mig --template=us-east1-template --size=1 --zone=us-east1-b
7. Verify the backends
Verify that the VM instance has been created in the us-east1 region and access its HTTP site.
- Still in Compute Engine, click VM instances in the left menu
- Notice the instance whose name starts with us-east1-mig. It is part of the managed instance group.
- Click on the External IP of the us-east1-mig instance. You should see the Client IP (your IP address), the Hostname (starts with us-east1-mig) and the Server Location (us-east1-b).
Configure the HTTP Load Balancer
- In the Cloud Console, click Navigation menu ( ) > click Network Services > Load balancing, and then click Create load balancer.
- Under HTTP(S) Load Balancing, click on Start configuration.
- Select From Internet to my VMs, and click Continue.
- Set the Name to http-lb.
Configure the backend
Backend services direct incoming traffic to one or more attached backends. Each backend is composed of an instance group and additional serving capacity metadata.
- Click on Backend configuration.
- For Backend services & backend buckets, click Create or select backend services & backend buckets, then click Backend services, and then click Create a backend service.
- Backend type is Instance Group
- Set the following values, leave all other values at their defaults: Name http-backend, Instance group us-east1-mig, Port numbers 80
- Click Done.
- For Health Check, select Create a health check.
- Set the following values, leave all other values at their defaults: Name http-health-check, Protocol TCP, Port 80
- Click Save and Continue.
- Click Create to create the backend service.
Configure the frontend
The host and path rules determine how your traffic is directed. For example, you could direct video traffic to one backend and static traffic to another backend. However, you are not configuring host and path rules in this lab.
- Click on Frontend configuration.
- Specify the following, leaving all other values at their defaults: Name http-front-end, Protocol HTTP, IP version IPv4, Port 80
- Click Done.
8. Review and create the HTTP Load Balancer
- Click on Review and finalize.
- Review the Backend services and Frontend.
- Click on Create.
- Wait several minutes for the load balancer to be created
- Click on the name of the load balancer (http-lb).
- Note the IPv4 address of the load balancer for the next task, referred to as http-lb.
9. Validate successful unauthorized access
Before implementing the named IP address policy, confirm that your (not yet restricted) workstation can reach the load balancer and the web application behind it. Once the named IP address policy is applied, access to the web application is limited to the sources in the provisioned expression set.
- Identify the load balancer IP address created in the previous step (http-lb) and paste it into your web browser. The output will be similar to the screenshot below.
NOTE: The load balancer can take several minutes to start serving. Once the page is generated, the Client IP it reports is a Google Front End address, not your workstation's IP, because the proxy terminates the client connection. This is also why source-IP restrictions belong in Cloud Armor, which evaluates the original client address, rather than in the backend's firewall or application logic.
From your workstation perform similar validation as indicated below
bash-3.2$ curl <load-balancer-IP>
10. Example output
bash-3.2$ curl <load-balancer-ip>
<h1>HTTP Load Balancing Lab</h1><h2>Client IP</h2>Your IP address : 35.191.0.151<h2>Hostname</h2>Server Hostname: us-east1-mig-8nqq<h2>Server Location</h2>Region and Zone: us-east1-b
11. Configure Named IP List
Create a new Cloud Armor policy for the named IP list
From Cloud Shell
gcloud compute --project=$projectid security-policies create ca-policy
From Cloud Shell, change the policy's default rule (priority 2147483647, the lowest possible priority, evaluated last) from allow to deny-403 so that anything not matched by a higher-priority rule is rejected:
gcloud compute --project=$projectid security-policies rules update 2147483647 --action=deny-403 --security-policy=ca-policy --description="Default rule, higher priority overrides it" --src-ip-ranges="*"
Identify the available named IP lists.
From Cloud Shell
gcloud compute security-policies list-preconfigured-expression-sets \
  --filter="id:sourceiplist"
This returns:
EXPRESSION_SET
sourceiplist-fastly
sourceiplist-cloudflare
sourceiplist-imperva
From Cloud Shell, create an allow rule that references the expression set for your CDN provider. Rules are evaluated from the lowest priority number upward and the first match wins, so priority 600 is evaluated before the default deny rule:
gcloud beta compute security-policies rules create 600 \
  --security-policy ca-policy \
  --expression "evaluatePreconfiguredExpr('<expression_set>')" \
  --action "allow"
Example using Cloudflare
gcloud beta compute security-policies rules create 600 \
  --security-policy ca-policy \
  --expression "evaluatePreconfiguredExpr('sourceiplist-cloudflare')" \
  --action "allow"
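The following is an added example, not part of the codelab, that simulates how the ca-policy built above (and the CDN allowlist illustrated in section 2) decides allow or deny for a client source IP: rules are tried in ascending priority order, the first matching rule wins, and the default rule at priority 2147483647 matches everything. The named list sourceiplist-example, its two prefixes (taken from the section 2 illustration), and every function name here are constructed for the example; the real sourceiplist-<provider> sets are fetched and refreshed by Google and are not reproduced.

```python
"""Simulate Cloud Armor rule evaluation for a policy that allows a named
IP list and denies everything else (added example, not Google's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed stand-in for a provider-published list (prefixes from the
# section 2 example). A real set would hold the provider's current ranges.
NAMED_IP_LISTS: Dict[str, List[str]] = {
    "sourceiplist-example": ["23.235.32.0/20", "43.249.72.0/22"],
}

DEFAULT_PRIORITY = 2147483647  # priority of Cloud Armor's default rule


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str                        # "allow" or "deny-403"
    match: Callable[[Address], bool]   # predicate on the client source IP
    description: str = ""
    catch_all: bool = False            # True for --src-ip-ranges="*"


def in_named_list(list_name: str) -> Callable[[Address], bool]:
    """Predicate equivalent to evaluatePreconfiguredExpr('<list_name>')."""
    networks = [ipaddress.ip_network(c) for c in NAMED_IP_LISTS[list_name]]
    # ip_network.__contains__ returns False across IP versions, so an IPv6
    # client never matches an IPv4-only list.
    return lambda ip: any(ip in net for net in networks)


def build_policy(list_name: str, allow_priority: int = 600) -> List[Rule]:
    """Mirror the two gcloud commands: default deny-403 plus one allow rule."""
    return [
        Rule(DEFAULT_PRIORITY, "deny-403", lambda ip: True,
             "Default rule, higher priority overrides it", catch_all=True),
        Rule(allow_priority, "allow", in_named_list(list_name),
             f"evaluatePreconfiguredExpr('{list_name}')"),
    ]


def evaluate(policy: List[Rule], client_ip: str) -> Tuple[str, int]:
    """Return (action, priority of the matching rule) for a client IP."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(policy, key=lambda r: r.priority):  # lowest number first
        if rule.match(ip):
            return rule.action, rule.priority
    raise ValueError("policy has no default rule")


def shadowed_rules(policy: List[Rule]) -> List[int]:
    """Priorities of rules that can never match because a catch-all rule
    with a lower priority number is evaluated before them."""
    shadowed: List[int] = []
    seen_catch_all = False
    for rule in sorted(policy, key=lambda r: r.priority):
        if seen_catch_all:
            shadowed.append(rule.priority)
        if rule.catch_all:
            seen_catch_all = True
    return shadowed


if __name__ == "__main__":
    policy = build_policy("sourceiplist-example")
    for src in ("23.235.32.10", "43.249.72.10", "198.51.100.1", "2001:db8::1"):
        print(src, "->", evaluate(policy, src))
    # Mis-ordered policy: a user-added catch-all deny at 100 hides the allow.
    bad = [Rule(100, "deny-403", lambda ip: True, "deny all", catch_all=True),
           Rule(600, "allow", in_named_list("sourceiplist-example"))]
    print("shadowed rule priorities:", shadowed_rules(bad))
```

The shadowed_rules check is the one worth keeping in mind when you add further rules to ca-policy: any deny rule with a catch-all source range and a lower priority number than 600 silently turns the named-list allow rule into dead configuration, and gcloud will not warn you.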
12. Apply CA security policy
Attach the Cloud Armor security policy to the http-backend backend service and wait several minutes for the policy to propagate globally:
gcloud compute backend-services update http-backend --security-policy ca-policy --global
13. Named IP Address validation
- With the security policy attached, access to the load balancer from your workstation is denied, because your workstation's address is not in the named IP list.
- To validate, open a terminal window on your workstation and curl the load balancer IP address. The curl returns a 403 Forbidden error, showing that the deny-403 default rule now applies to your workstation.
From your workstation
bash-3.2$ curl <load-balancer-IP>
<!doctype html><meta charset="utf-8"><meta name=viewport content="width=device-width, initial-scale=1"><title>403</title>403 Forbidden
Clean Up Steps
From Cloud Shell, detach the policy from the backend service first, then delete the resources in reverse order of creation:
gcloud -q compute backend-services update http-backend --security-policy "" --global
gcloud -q compute --project=$projectid security-policies delete ca-policy
gcloud -q compute forwarding-rules delete http-front-end --global
gcloud -q compute target-http-proxies delete http-lb-target-proxy
gcloud -q compute url-maps delete http-lb
gcloud -q compute backend-services delete http-backend --global
gcloud -q compute health-checks delete http-health-check
gcloud -q compute --project=$projectid instance-groups managed delete us-east1-mig --zone=us-east1-b
gcloud -q beta compute --project=$projectid instance-templates delete us-east1-template
gcloud -q compute --project=$projectid firewall-rules delete default-allow-http
gcloud -q compute --project=$projectid firewall-rules delete default-allow-health-check
gcloud -q compute networks subnets delete named-ip-subnet --region us-east1
gcloud -q compute networks delete named-list-vpc
14. Congratulations!
Congratulations for completing the codelab.
What we've covered
- Benefits of Cloud Armor named IP address list
- Create Global Load balancer
- Create Managed Instance group with sample test application
- Create Cloud Armor security policy
- Deploy Cloud Armor named IP address list
- Validate Named IP Cloud Armor Policy