Overview
HTTP(S) Load balancing is implemented at the edge of Google's network in Google's points of presence (POP) around the world. User traffic directed to an HTTP(S) load balancer enters the POP closest to the user and is then load balanced over Google's global network to the closest backend that has sufficient capacity available.
Google Cloud Armor IP blocklists/allowlists enable you to restrict or allow access to your HTTP(S) load balancer at the edge of the Google Cloud, as close as possible to the user and to malicious traffic. This prevents malicious users or traffic from consuming resources or entering your virtual private cloud (VPC) networks.
In this lab, you will verify that the HTTP load balancer with global backends is deployed. This load balancer is automatically provisioned for you during startup. You will then create a VM to test access to the load balancer. Finally, you will use Google Cloud Armor to blocklist that VM's external IP address and confirm that its requests are denied while other clients are still served.
Objectives
In this lab, you will learn how to perform the following tasks:
Verify that the HTTP load balancer is deployed.
Create a VM to test access to the HTTP load balancer.
Use Google Cloud Armor to blocklist an IP address and restrict access to an HTTP load balancer.
Setup and requirements
For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.
Sign in to Qwiklabs using an incognito window.
Note the lab's access time (for example, 1:15:00), and make sure you can finish within that time.
There is no pause feature. You can restart if needed, but you have to start at the beginning. When ready, click Start lab.
Note your lab credentials (Username and Password). You will use them to sign in to the Google Cloud Console.
Click Open Google Console.
Click Use another account and copy/paste credentials for this lab into the prompts.
If you use other credentials, you'll receive errors or incur charges. Accept the terms and skip the recovery resource page.
Task 1. Verify the HTTP load balancer is deployed
In this task, you verify that the global HTTP load balancer is deployed. The HTTP load balancer is automatically created when you start the lab. This will be used for a simple web application. This application is deployed to demonstrate the capabilities of Google Cloud Armor.
On the Google Cloud Console title bar, click Activate Cloud Shell. If prompted, click Continue.
Verify that the load balancer is deployed and registered by executing the following command:
gcloud compute backend-services get-health web-backend --global
Note: Rerun this command and wait until this command returns that three instances are HEALTHY. You can also monitor it in the console (Navigation menu > View All Products > Network services > Load balancing).
- Retrieve the load balancer IP address by executing the following command:
gcloud compute forwarding-rules describe web-rule --global
- Copy the value for the IPAddress property.
Keep track of this IP address. It will also be used in a later section.
- Open a new browser tab and try to visit that IP address: http://{IP_ADDRESS}.
Replace {IP_ADDRESS} with the IP address of the load balancer. Do not include the curly braces when you are asked to provide the IP address.
If you get a message that the IP address doesn't support a secure connection, click Continue to site.
Keep refreshing the page until you see a page with a message similar to this:
Note: It might take a couple of minutes to access the HTTP load balancer. In the meantime, you might get 404 or 502 errors. Keep trying until you see the page of one of the backends.
- In Cloud Shell, use the following curl command to access the IP address:
while true; do curl -m1 {IP_ADDRESS}; done
The responses will be from backends that have been created in different zones.
- Press CTRL+C to stop the previous command.
Task 2. Create a VM to test access to the load balancer
Go to Navigation menu > Compute Engine.
Click Create Instance.
On the Machine configuration page, enter the following values:
| Field | Value (type or select) |
| --- | --- |
| Name | access-test |
| Region | us-central1 |
| Zone | us-central1-a |
Leave everything else at the default and click Create.
Once launched, click the SSH button to connect to the instance.
Run the following command on the instance to access the load balancer:
curl -m1 {IP_ADDRESS}
The output should look similar to:
<!doctype html><html><body><h1>Web server</h1><h2>This server is in zone: projects/104716457480/zones/us-central1-a</h2> </body></html>
Click Check my progress to verify the objective.
Create a VM to test access to the load balancer.
Check my progress
Task 3. Create a security policy with Google Cloud Armor
Blocklist the access-test VM
Note: You will now create a security policy that blocks access to the load balancer from the access-test VM. The same policy type can be used to block a malicious client once you have identified its external IP address. For example, you could examine traffic captured by VPC Flow Logs in BigQuery to find a source sending a high volume of incoming requests.
Go to Navigation menu > Compute engine, click access-test VM and scroll down to Network interface and then copy the External IP address.
From the Navigation menu, click View All Products, then in the Networking section click Network Security > Cloud Armor policies.
Click Create policy.
Provide a name as blocklist-access-test and set the Default rule action to Allow.
Click Next step.
Click Add rule.
Set the following values, leave all other values at their defaults:
| Property | Value |
| --- | --- |
| Mode | Basic mode (IP addresses/ranges only) |
| Match | Enter the External IP of the access-test VM |
| Action | Deny |
| Response code | 404 (Not Found) |
| Priority | 1000 |
Note: Notice that you are setting the Deny response code to 404 rather than 403, so a blocked client sees a generic Not Found instead of an explicit denial.
Click SAVE CHANGE TO RULE.
Click Next step.
Click + Add Target.
For Type 1, select Backend service (external application load balancer).
For Backend Service target 1, select web-backend.
Click Next step.
Click Done.
Click Create policy.
Note: Alternatively, you could set the default rule to Deny and only allow list traffic from authorized users/IP addresses.
Wait for the policy to be created before moving to the next step.
Verify the security policy
Return to the SSH session of the access-test VM.
Run the curl command again on the instance to access the load balancer:
curl -m1 {IP_ADDRESS}
The output should look as follows.
Output:
<!doctype html><meta charset="utf-8"><meta name=viewport content="width=device-width, initial-scale=1"><title>404</title>404 Not Found
Note: It might take a couple of minutes for the security policy to take effect. If you are still able to access the backends, keep trying until you get the 404 Not Found error.
- Try accessing the load balancer IP from your local browser. You should still be able to access it as we have only blocklisted the access-test VM.
Click Check my progress to verify the objective.
Create a security policy with Google Cloud Armor.
Check my progress
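The console steps in Task 3 have a scriptable equivalent. The following is an added example written for this page, not part of the lab's own instructions: it validates the client address, creates the policy with the same allow default, adds the priority-1000 deny rule with a 404 response (gcloud's deny-404 action), attaches the policy to the web-backend backend service, and then polls the load balancer until the blocked client is answered with 404. The LB_IP and CLIENT_IP environment variables, the POLICY and RULE_PRIORITY defaults, and the helper names are assumptions; nothing is executed against the project unless both LB_IP and CLIENT_IP are set, and the wait_for_block check only proves the block when run from a host whose egress address is the blocked range.

```shell
#!/bin/sh
# Added example (not part of the lab): gcloud equivalent of Task 3.
# Assumes the lab's backend service "web-backend" exists and that the
# caller sets LB_IP (load balancer address) and CLIENT_IP (external IP
# of the access-test VM). Names below are illustrative assumptions.
set -eu

POLICY="${POLICY:-blocklist-access-test}"
RULE_PRIORITY="${RULE_PRIORITY:-1000}"

# Accept a bare IPv4 address or an IPv4 CIDR range and nothing else, so a
# typo cannot become a rule that matches more (or less) than intended.
is_ipv4_cidr() {
  input=$1
  case "$input" in ''|*/|*.|.*|*..*) return 1 ;; esac
  addr=${input%%/*}
  prefix=${input#"$addr"}; prefix=${prefix#/}
  oldifs=$IFS; IFS=.
  set -- $addr
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  if [ -n "$prefix" ]; then
    case "$prefix" in *[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
  fi
  return 0
}

# Normalise a single address to a /32 so the rule is explicit about scope.
to_cidr() {
  is_ipv4_cidr "$1" || return 1
  case "$1" in
    */*) printf '%s\n' "$1" ;;
    *)   printf '%s/32\n' "$1" ;;
  esac
}

# Create the policy (gcloud adds the default allow rule at priority
# 2147483647, matching the console's "Default rule action: Allow"),
# add the deny rule, and attach the policy to the backend service.
create_blocklist_policy() {
  range=$(to_cidr "$1")
  gcloud compute security-policies create "$POLICY" \
    --description "Deny the access-test VM, allow everyone else"
  gcloud compute security-policies rules create "$RULE_PRIORITY" \
    --security-policy "$POLICY" \
    --src-ip-ranges "$range" \
    --action deny-404 \
    --description "blocklist access-test"
  gcloud compute backend-services update web-backend \
    --security-policy "$POLICY" --global
}

# Poll until the load balancer answers this client with 404; propagation
# can take a couple of minutes. Must run from the blocked address.
wait_for_block() {
  n=0
  while [ "$n" -lt 30 ]; do
    code=$(curl -s -o /dev/null -m 2 -w '%{http_code}' "http://$1/" || true)
    [ "$code" = 404 ] && return 0
    n=$((n + 1)); sleep 10
  done
  return 1
}

if [ -n "${LB_IP:-}" ] && [ -n "${CLIENT_IP:-}" ]; then
  create_blocklist_policy "$CLIENT_IP"
  if wait_for_block "$LB_IP"; then
    echo "client $CLIENT_IP is now denied with 404 by $POLICY"
  else
    echo "policy not enforced yet for $CLIENT_IP; check the Cloud Armor policy targets" >&2
    exit 1
  fi
fi
```

To run it from Cloud Shell, export LB_IP with the forwarding-rule address from Task 1 and CLIENT_IP with the access-test VM's external IP, then invoke the script; the 404 check is meaningful only when run on the access-test VM itself, since any other source keeps receiving 200 under the allow default.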
Task 4. View Google Cloud Armor logs
In the Console, from the Navigation menu, click View All Products, then in the Networking section click Network Security > Cloud Armor policies.
Click blocklist-access-test.
Click Logs.
Click View policy logs and go to the latest logs. If prompted, close the notification.
Locate a log with a 404 and expand the log entry.
Expand httpRequest.
The request should be from the access-test VM IP address.
Explore some of the other log entries.
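The same log entries can be pulled from Cloud Logging on the command line, which is how you would confirm that the denied requests really come from the blocklisted address rather than scrolling the console. The following is an added example written for this page, not part of the lab: it builds the Logging filter for requests a named policy denied, reads them with gcloud, and tallies denies per client IP. It assumes the request-log fields jsonPayload.enforcedSecurityPolicy.name and .outcome that Cloud Armor writes on external application load balancer logs; the ARMOR_POLICY variable, the helper names and the sample log lines are constructed for illustration, and gcloud is only invoked when ARMOR_POLICY is set.

```shell
#!/bin/sh
# Added example (not part of the lab): query and summarise Cloud Armor
# enforcement entries from the command line. Assumes the Task 3 policy
# name and the documented enforcedSecurityPolicy log fields.
set -eu

# Logging filter for requests the given policy denied.
armor_deny_filter() {
  printf 'resource.type="http_load_balancer" AND jsonPayload.enforcedSecurityPolicy.name="%s" AND jsonPayload.enforcedSecurityPolicy.outcome="DENY"' "$1"
}

# Print one tab-separated "remoteIp status outcome" line per denied request.
# $1 = policy name, $2 = max entries (default 50), $3 = freshness (default 1h).
read_deny_logs() {
  gcloud logging read "$(armor_deny_filter "$1")" \
    --limit "${2:-50}" --freshness "${3:-1h}" \
    --format='value(httpRequest.remoteIp,httpRequest.status,jsonPayload.enforcedSecurityPolicy.outcome)'
}

# Count denied requests per client IP from lines in that shape on stdin.
# Output "<count> <ip>", highest first; ACCEPT lines are ignored so the
# function also works on a broader query.
summarize_denies() {
  awk '$3 == "DENY" { n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# The single most-denied client, which in this lab should be access-test.
top_denied_ip() {
  summarize_denies | head -n 1 | awk '{ print $2 }'
}

# Constructed sample in the same shape gcloud emits (not real log data):
# three denies from one address, one from another, one accepted request.
sample_log_lines() {
  printf '203.0.113.10\t404\tDENY\n'
  printf '198.51.100.7\t200\tACCEPT\n'
  printf '203.0.113.10\t404\tDENY\n'
  printf '198.51.100.9\t404\tDENY\n'
  printf '203.0.113.10\t404\tDENY\n'
}

if [ -n "${ARMOR_POLICY:-}" ]; then
  read_deny_logs "$ARMOR_POLICY" | summarize_denies
else
  echo "ARMOR_POLICY not set; showing the summary for the constructed sample:"
  sample_log_lines | summarize_denies
fi
```

Set ARMOR_POLICY=blocklist-access-test in Cloud Shell to run the query against the lab project; the top entry should be the external IP of the access-test VM, and any other address appearing with a high count is a candidate for its own deny rule.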
Congratulations!
In this lab, you have done the following:
Verified that the HTTP load balancer was deployed.
Created a VM to test access to the HTTP load balancer.
Used Google Cloud Armor to blocklist an IP address and restrict access to an HTTP load balancer.
Take your next lab
If you are interested in progressing your knowledge on Cloud Armor, take the following course:
End your lab
When you have completed your lab, click End Lab. Google Cloud Skills Boost removes the resources you’ve used and cleans the account for you.
You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.
The number of stars indicates the following:
1 star = Very dissatisfied
2 stars = Dissatisfied
3 stars = Neutral
4 stars = Satisfied
5 stars = Very satisfied
You can close the dialog box if you don't want to provide feedback.
Solution of Lab
curl -LO raw.githubusercontent.com/QUICK-GCP-LAB/2-Minutes-Labs-Solutions/refs/heads/main/Configuring%20Traffic%20Blocklisting%20with%20Google%20Cloud%20Armor/shell.sh
sudo chmod +x shell.sh
./shell.sh
