Cloud Armor NamedIP List

1. Introduction

Google Cloud Armor named IP address lists let you reference lists of IP addresses and IP ranges that are maintained by third-party providers. You can configure named IP address lists within a security policy. You do not have to manually specify each IP address or IP range individually.

What you'll learn

  • Benefits of Cloud Armor named IP address list
  • Create Cloud Armor security policy
  • Deploy Cloud Armor named IP address list
  • Create Global Load balancer
  • Create Managed Instance group with sample test application

What you'll need

  • Experience with Security Policies and Load Balancers

2. Allowing traffic only from permitted third-party providers

A typical use case is to create an allowlist containing the IP addresses of a permitted third-party partner to ensure that only traffic coming from this partner can access the load balancer and the backends.

For example, CDN providers need to pull content from origin servers at regular intervals to distribute them to their own caches. A partnership with Google provides a direct connection between CDN providers and the Google network edge. CDN users on Google Cloud can use this direct connection during origin pulls. In this case, the CDN user might want to build a security policy that only allows traffic coming from that particular CDN provider.

In this example, a CDN provider publishes its IP address list (23.235.32.0/20, 43.249.72.0/22, ⋯). A CDN user configures a security rule that only allows traffic coming from these IP addresses. As a result, two CDN provider access points (23.235.32.10 and 43.249.72.10) fall within the list and their traffic is permitted. Traffic from the unauthorized access point 198.51.100.1 is blocked.

[Figure: Google Cloud Armor named IP address list allowing the two CDN access points and blocking 198.51.100.1]

3. Simplifying configuration and management by using preconfigured rules

CDN providers often use IP addresses that are well-known and that many CDN users need to use. These lists change over time, as providers add, remove, and update the IP addresses.

Using a named IP address list in a security policy rule simplifies the process of configuring and managing IP addresses because Google Cloud Armor automatically synchronizes information from CDN providers on a daily basis. This eliminates the time-consuming and error-prone process of maintaining a large IP address list manually.

IP address list providers

The IP address list providers in the following table are supported for Google Cloud Armor. These are CDN providers that have partnered with Google. Their IP address lists are published through individual public URLs.

These partners provide separate lists of IPv4 addresses and IPv6 addresses. Google Cloud Armor uses the provided URLs to fetch lists, and then converts the lists into named IP address lists. You refer to the lists by the names in the table.

[Figure: table of supported IP address list providers and the names of their named IP address lists]

Alternatively, use Cloud Shell to obtain the list of preconfigured named IP address lists.

Log into Cloud Shell and set your project ID:

gcloud config list project
gcloud config set project [YOUR-PROJECT-ID]

Store the project ID in a shell variable, which the later commands reference as $projectid:
projectid=YOUR-PROJECT-ID

echo $projectid

From Cloud Shell:

gcloud compute security-policies list-preconfigured-expression-sets \
    --filter="id:sourceiplist"

This returns:

EXPRESSION_SET
sourceiplist-fastly
sourceiplist-cloudflare
sourceiplist-imperva

4. Codelab topology

[Figure: codelab topology]

5. Setup and Requirements

Self-paced environment setup

  1. Sign in to Cloud Console and create a new project or reuse an existing one. (If you don't already have a Gmail or Google Workspace account, you must create one.)

[Screenshots: creating a new project in the Cloud Console]

Remember the project ID, a unique name across all Google Cloud projects (the name above has already been taken and will not work for you, sorry!). It will be referred to later in this codelab as PROJECT_ID.

  2. Next, you'll need to enable billing in Cloud Console in order to use Google Cloud resources.

Running through this codelab shouldn't cost much, if anything at all. Be sure to follow any instructions in the "Cleaning up" section, which advises you how to shut down resources so you don't incur billing beyond this tutorial. New users of Google Cloud are eligible for the $300 USD Free Trial program.

Start Cloud Shell

While Google Cloud can be operated remotely from your laptop, in this codelab you will be using Google Cloud Shell, a command line environment running in the Cloud.

From the GCP Console click the Cloud Shell icon on the top right toolbar:


It should only take a few moments to provision and connect to the environment. When it is finished, you should see something like this:

[Screenshot: Cloud Shell session connected]

This virtual machine is loaded with all the development tools you'll need. It offers a persistent 5GB home directory, and runs on Google Cloud, greatly enhancing network performance and authentication. All of your work in this lab can be done with simply a browser.

6. Create VPC network

VPC Network

From Cloud Shell

gcloud compute networks create named-list-vpc --subnet-mode custom

Create Subnet

From Cloud Shell

gcloud compute networks subnets create named-ip-subnet \
    --network named-list-vpc --range 10.0.0.0/24 --region us-east1

Create Firewall Rules

From Cloud Shell

gcloud compute --project=$projectid firewall-rules create default-allow-http \
    --direction=INGRESS --priority=1000 --network=named-list-vpc \
    --action=ALLOW --rules=tcp:80 --source-ranges=0.0.0.0/0

gcloud compute --project=$projectid firewall-rules create default-allow-health-check \
    --direction=INGRESS --priority=1000 --network=named-list-vpc \
    --action=ALLOW --rules=tcp --source-ranges=130.211.0.0/22,35.191.0.0/16

Create the load balancer

Create the instance template

From Cloud Shell

gcloud beta compute --project=$projectid instance-templates create us-east1-template \
    --machine-type=e2-medium \
    --subnet=projects/$projectid/regions/us-east1/subnetworks/named-ip-subnet \
    --network-tier=PREMIUM \
    --metadata=startup-script-url=gs://cloud-training/gcpnet/httplb/startup.sh \
    --maintenance-policy=MIGRATE \
    --image=debian-10-buster-v20210217 --image-project=debian-cloud \
    --boot-disk-size=10GB --boot-disk-type=pd-balanced \
    --boot-disk-device-name=us-east1-template \
    --no-shielded-secure-boot --no-shielded-vtpm --no-shielded-integrity-monitoring \
    --reservation-affinity=any

Create the Managed Instance Group

From Cloud Shell

gcloud compute --project=$projectid instance-groups managed create us-east1-mig \
    --base-instance-name=us-east1-mig --template=us-east1-template \
    --size=1 --zone=us-east1-b

7. Verify the backends

Verify that VM instances are being created in both regions and access their HTTP sites.

  1. Still in Compute Engine, click VM instances in the left menu
  2. Notice the instances that start with us-east1-mig. These instances are part of the managed instance group.
  3. Click on the External IP of an instance of us-east1-mig. You should see the Client IP (your IP address) and the Hostname (starts with us-east1-mig).

Configure the HTTP Load Balancer

  1. In the Cloud Console, click Navigation menu > Network Services > Load balancing, and then click Create load balancer.
  2. Under HTTP(S) Load Balancing, click on Start configuration.


  3. Select From Internet to my VMs, and click Continue.
  4. Set the Name to http-lb.

Configure the backend

Backend services direct incoming traffic to one or more attached backends. Each backend is composed of an instance group and additional serving capacity metadata.

  1. Click on Backend configuration.
  2. For Backend services & backend buckets, click Create or select backend services & backend buckets, then click Backend services, and then click Create a backend service.
  3. Backend type is Instance Group
  4. Set the values shown in the codelab's backend configuration screenshot (not reproduced here), leaving all other values at their defaults.
  5. Click Done.
  6. For Health Check, select Create a health check.
    1. Set the values shown in the codelab's health check screenshot (not reproduced here), leaving all other values at their defaults.
  7. Click Save and Continue.
  8. Click Create to create the backend service.


Configure the frontend

The host and path rules determine how your traffic will be directed. For example, you could direct video traffic to one backend and static traffic to another backend. However, you are not configuring the Host and path rules in this lab.

  1. Click on Frontend configuration.
  2. Set the Name to http-front-end.
  3. Specify the values shown in the codelab's frontend configuration screenshot (not reproduced here), leaving all other values at their defaults.
  4. Click Done.

8. Review and create the HTTP Load Balancer

  1. Click on Review and finalize.


  2. Review the Backend services and Frontend.


  3. Click on Create.
  4. Wait several minutes for the load balancer to be created.
  5. Click on the name of the load balancer (http-lb).
  6. Note the IPv4 address of the load balancer for the next task, referred to as http-lb.

9. Validate access before the named IP address policy is applied

Before implementing the named IP address policy, validate that the load balancer and the web application behind it can be reached from an arbitrary client. Note that once the named IP address policy is implemented, access to the web application is limited to the provisioned expression set.

  1. Identify the load balancer IP address created in the previous step (http-lb) and paste it into your web browser. The output will be similar to the example output in the next section.

NOTE: It can take several minutes before the page is served. Once it is, the client IP shown is that of the Google Front End, not your workstation IP.


From your workstation, perform a similar validation with curl:

bash-3.2$ curl <load-balancer-IP>

10. Example output

bash-3.2$ curl <load-balancer-ip>
<h1>HTTP Load Balancing Lab</h1><h2>Client IP</h2>Your IP address : 35.191.0.151<h2>Hostname</h2>Server Hostname: us-east1-mig-8nqq<h2>Server Location</h2>Region and Zone: us-east1-b

11. Configure Named IP List

Create a new Cloud Armor security policy for the named IP list

From Cloud Shell

gcloud compute --project=$projectid security-policies create ca-policy

From Cloud Shell

gcloud compute --project=$projectid security-policies rules update 2147483647 --action=deny-403 --security-policy=ca-policy --description="Default rule, higher priority overrides it" --src-ip-ranges=\*

Identify the available CDN named IP address lists.

From Cloud Shell

gcloud compute security-policies list-preconfigured-expression-sets \
    --filter="id:sourceiplist"

This returns:

EXPRESSION_SET
sourceiplist-fastly
sourceiplist-cloudflare
sourceiplist-imperva

From Cloud Shell, configure a rule that allows the named IP address list for your CDN (replace expression_set with one of the expression sets returned above):

gcloud beta compute security-policies rules create 600 \
    --security-policy ca-policy \
    --expression "evaluatePreconfiguredExpr('expression_set')" \
    --action "allow"

Example using cloudflare

gcloud beta compute security-policies rules create 600 \
    --security-policy ca-policy \
    --expression "evaluatePreconfiguredExpr('sourceiplist-cloudflare')" \
    --action "allow"
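The allow/deny outcome described in section 2, as produced by the two rules just created for ca-policy (priority 600 allow on the named IP list, priority 2147483647 default deny-403), as an added Python example; this is not part of the codelab and not Cloud Armor's own evaluation code. It models priority-ordered rule evaluation with the standard library ipaddress module. The list name sourceiplist-example-cdn and its two prefixes are assumed stand-ins for a real expression set such as sourceiplist-cloudflare, and the IPv6 client address is constructed to show that an IPv4-only list never matches an IPv6 client.

```python
# Added example, not part of the codelab: a small model of how a Cloud Armor
# security policy with a named IP list rule (priority 600, allow) and the default
# rule (priority 2147483647, deny-403) decides on a client source address.
# The prefixes and sample client addresses are the ones quoted in section 2;
# "sourceiplist-example-cdn" is an assumed stand-in for a real expression set.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a provider-published list that Cloud Armor would
# fetch and synchronise daily. Only the two IPv4 prefixes from section 2 are
# included; there is deliberately no IPv6 entry.
NAMED_IP_LISTS = {
    "sourceiplist-example-cdn": ["23.235.32.0/20", "43.249.72.0/22"],
}


@dataclass
class Rule:
    priority: int                     # lower number is evaluated first
    action: str                       # "allow" or "deny-403"
    named_list: Optional[str] = None  # models evaluatePreconfiguredExpr('<list>')
    src_ip_ranges: List[str] = field(default_factory=list)  # "*" matches any address


def rule_matches(rule: Rule, client_ip: str) -> bool:
    """True if the client address satisfies the rule's match condition."""
    ip = ipaddress.ip_address(client_ip)
    if rule.named_list is not None:
        prefixes = NAMED_IP_LISTS.get(rule.named_list, [])
        # ip_network.__contains__ returns False on an IPv4/IPv6 version mismatch,
        # so an IPv6 client never matches an IPv4-only list.
        return any(ip in ipaddress.ip_network(p) for p in prefixes)
    return any(r == "*" or ip in ipaddress.ip_network(r) for r in rule.src_ip_ranges)


def evaluate(policy: List[Rule], client_ip: str) -> Tuple[str, int]:
    """Return (action, priority) of the first matching rule in priority order."""
    for rule in sorted(policy, key=lambda r: r.priority):
        if rule_matches(rule, client_ip):
            return rule.action, rule.priority
    raise ValueError("no rule matched; a Cloud Armor policy always has a default rule")


# The two rules the codelab creates for ca-policy, in the order they are created.
CA_POLICY = [
    Rule(priority=2147483647, action="deny-403", src_ip_ranges=["*"]),
    Rule(priority=600, action="allow", named_list="sourceiplist-example-cdn"),
]


def classify(clients: List[str]) -> Dict[str, str]:
    """Map each client address to the action ca-policy takes for it."""
    return {c: evaluate(CA_POLICY, c)[0] for c in clients}


if __name__ == "__main__":
    # Sample clients: the two CDN access points and the unauthorized address
    # from section 2, plus a constructed IPv6 client.
    for client, action in classify(
        ["23.235.32.10", "43.249.72.10", "198.51.100.1", "2001:db8::1"]
    ).items():
        print(f"{client:>16} -> {action}")
```

The creation order of the rules does not matter: evaluate sorts by priority, so the named-list allow at 600 is always checked before the catch-all deny at 2147483647, which is why the default rule's description says a higher-priority rule overrides it.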

12. Apply the Cloud Armor security policy

Apply the Cloud Armor security policy to the backend service (http-backend) and wait several minutes for global policy propagation:

gcloud compute backend-services update http-backend --security-policy ca-policy --global

13. Named IP address validation

  1. Now that the security policy is applied, access to the load balancer from your workstation is unauthorized.
  2. To validate, open a terminal window on your workstation and curl the load balancer IP address. The curl output will be a 403 Forbidden error, since your workstation's address is not in the named IP list.

From your workstation:

bash-3.2$ curl <load-balancer-IP>
<!doctype html><meta charset="utf-8"><meta name=viewport content="width=device-width, initial-scale=1"><title>403</title>403 Forbidden

Clean Up Steps

gcloud -q compute backend-services update http-backend --security-policy "" --global

gcloud -q compute --project=$projectid security-policies delete ca-policy

gcloud -q compute forwarding-rules delete http-front-end --global

gcloud -q compute target-http-proxies delete http-lb-target-proxy

gcloud -q compute url-maps delete http-lb

gcloud -q compute backend-services delete http-backend --global

gcloud -q compute health-checks delete http-health-check

gcloud -q compute --project=$projectid instance-groups managed delete us-east1-mig --zone=us-east1-b

gcloud -q beta compute --project=$projectid instance-templates delete us-east1-template

gcloud -q compute --project=$projectid firewall-rules delete default-allow-http

gcloud -q compute --project=$projectid firewall-rules delete default-allow-health-check

gcloud -q compute networks subnets delete named-ip-subnet --region us-east1

gcloud -q compute networks delete named-list-vpc

14. Congratulations!

Congratulations for completing the codelab.

What we've covered

  • Benefits of Cloud Armor named IP address list
  • Create Global Load balancer
  • Create Managed Instance group with sample test application
  • Create Cloud Armor security policy
  • Deploy Cloud Armor named IP address list
  • Validate Named IP Cloud Armor Policy