# Configuring Traffic Blocklisting with Google Cloud Armor

## **Overview**

HTTP(S) Load balancing is implemented at the edge of Google's network in Google's points of presence (POP) around the world. User traffic directed to an HTTP(S) load balancer enters the POP closest to the user and is then load balanced over Google's global network to the closest backend that has sufficient capacity available.

[Google Cloud Armor](https://cloud.google.com/armor) IP blocklists/allowlists enable you to restrict or allow access to your HTTP(S) load balancer at the edge of the Google Cloud, as close as possible to the user and to malicious traffic. This prevents malicious users or traffic from consuming resources or entering your virtual private cloud (VPC) networks.

In this lab, you will verify that the HTTP load balancer with global backends is deployed. This load balancer is automatically provisioned for you during startup. You will then create a VM to test access to the load balancer. Finally, you will stress test the load balancer and blocklist the stress test IP with Google Cloud Armor.

### Objectives

In this lab, you will learn how to perform the following tasks:

* Verify that the HTTP load balancer is deployed.
    
* Create a VM to test access to the HTTP load balancer.
    
* Use Google Cloud Armor to blocklist an IP address and restrict access to an HTTP load balancer.
    

## **Setup and requirements**

For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.

1. Sign in to Qwiklabs using an **incognito window**.
    
2. Note the lab's access time (for example, `1:15:00`), and make sure you can finish within that time.  
    There is no pause feature. You can restart if needed, but you have to start at the beginning.
    
3. When ready, click **Start lab**.
    
4. Note your lab credentials (**Username** and **Password**). You will use them to sign in to the Google Cloud Console.
    
5. Click **Open Google Console**.
    
6. Click **Use another account** and copy/paste credentials for **this** lab into the prompts.  
    If you use other credentials, you'll receive errors or **incur charges**.
    
7. Accept the terms and skip the recovery resource page.
    

<aside><p><strong>Note:</strong><span> </span>Do not click<span> </span><strong>End Lab</strong><span> </span>unless you have finished the lab or want to restart it. This clears your work and removes the project.</p></aside>

## **Task 1. Verify the HTTP load balancer is deployed**

In this task, you verify that the global HTTP load balancer is deployed. The HTTP load balancer is automatically created when you start the lab. This will be used for a simple web application. This application is deployed to demonstrate the capabilities of Google Cloud Armor.

1. On the Google Cloud Console title bar, click **Activate Cloud Shell** (). If prompted, click **Continue**.
    
2. Verify that the load balancer is deployed and registered by executing the following command:
    

```apache
gcloud compute backend-services get-health web-backend --global
```

**Note:** Rerun this command and wait until this command returns that three instances are HEALTHY. You can also monitor it in the console (**Navigation menu &gt; View All Products &gt; Network services &gt; Load balancing**).

3. Retrieve the load balancer IP address by executing the following command:
    

```apache
gcloud compute forwarding-rules describe web-rule --global
```

4. Copy the value for the **IPAddress** property.
    

Keep track of this IP address. It will also be used in a later section.

5. Open a new browser tab and try to visit that IP address `http://{IP_ADDRESS}`.
    

Replace `{IP_ADDRESS}` with the IP address of the load balancer. Do not include the curly braces when you are asked to provide the IP address.

If you get a message that the IP address doesn't support a secure connection, click **Continue to site**.

Keep refreshing the page until you see a page with a message similar to this:

![Web server notification; the server is in zone X](https://cdn.qwiklabs.com/TejCgv4DW0Lq%2FQg5JjVV6H4dNY%2FEeZPTWo03qa3reCk%3D align="left")

**Note:** It might take a couple of minutes to access the HTTP load balancer. In the meantime, you might get 404 or 502 errors. Keep trying until you see the page of one of the backends.

6. In Cloud shell, use the following `curl` command to access the IP address:
    

```apache
while true; do curl -m1 {IP_ADDRESS}; done
```

The responses will be from backends that have been created in different zones.

7. Press **CTRL+C** to stop the previous command.
    

## **Task 2. Create a VM to test access to the load balancer**

1. Go to **Navigation menu &gt; Compute Engine**.
    
2. Click **Create Instance**.
    
3. On the **Machine configuration** page, enter the following values:
    
    | **Field** | **Value** (type or select) |
    | --- | --- |
    | Name | access-test |
    | Region | `us-central1` |
    | Zone | `us-central1-a` |
    
4. Leave everything else at the default and click **Create**.
    
5. Once launched, click the **SSH** button to connect to the instance.
    
6. Run the following command on the instance to access the load balancer:
    

```apache
curl -m1 {IP_ADDRESS}
```

The output should look similar to:

```html
<!doctype html><html><body><h1>Web server</h1><h2>This server is in zone: projects/104716457480/zones/us-central1-a</h2> </body></html>
```

Click *Check my progress* to verify the objective.

Create a VM to test access to the load balancer.

Check my progress

## **Task 3. Create a security policy with Google Cloud Armor**

### Blocklist the access-test VM

**Note:** You will now create a security policy to blocklist access to the load balancer from the access-test VM. This policy can be used to block access from a malicious client. There are ways to identify the external IP address of a client trying to access your HTTP load balancer. For example, you could examine traffic captured by VPC Flow Logs in BigQuery to determine a high volume of incoming requests.

1. Go to **Navigation menu &gt; Compute engine**, click **access-test** VM and scroll down to **Network interface** and then copy the **External IP address**.
    
2. From the **Navigation menu** &gt; **View All Products**. Go to **Networking** section, click **Network Security** &gt; **Cloud Armor policies**.
    
3. Click **Create policy**.
    
4. Provide a name as **blocklist-access-test** and set the **Default rule action** to **Allow**.
    
5. Click **Next step**.
    
6. Click **Add rule**.
    
7. Set the following values, leave all other values at their defaults:
    

| **Property** | **Value** |
| --- | --- |
| Mode | Basic mode (IP addresses/ranges only) |
| Match | Enter the External IP of the **access-test** VM |
| Action | Deny |
| Response code | 404 (Not Found) |
| Priority | 1000 |

**Note:** Notice that you are setting the Deny status to 404.

8. Click **SAVE CHANGE TO RULE**.
    
9. Click **Next step**.
    
10. Click **\+ Add Target**.
    
11. For **Type 1**, select **Backend service (external application load balancer)**.
    
12. For **Backend Service target 1**, select **web-backend**.
    
13. Click **Next step**.
    
14. Click **Done**.
    
15. Click **Create policy**.
    

**Note:** Alternatively, you could set the default rule to Deny and only allow list traffic from authorized users/IP addresses.

Wait for the policy to be created before moving to the next step.

### Verify the security policy

1. Return to the SSH session of the access-test VM.
    
2. Run the `curl` command again on the instance to access the load balancer:
    

```apache
curl -m1 {IP_ADDRESS}
```

The output should look as follows.

**Output:**

```html
<!doctype html><meta charset="utf-8"><meta name=viewport content="width=device-width, initial-scale=1"><title>404</title>404 Not Found
```

**Note:** It might take a couple of minutes for the security policy to take affect. If you are able to access the backends, keep trying until you get the **404** Not Found error.

3. Try accessing the load balancer IP from your local browser. You should still be able to access it as we have only blocklisted the access-test VM.
    

Click *Check my progress* to verify the objective.

Create a security policy with Google Cloud Armor.

Check my progress

## **Task 4. View Google Cloud Armor logs**

1. In the Console, from the **Navigation menu** &gt; **View All Products**. Go to **Networking** section, click **Network Security** &gt; **Cloud Armor policies**.
    
2. Click **blocklist-access-test**.
    
3. Click **Logs**.
    
4. Click **View policy logs** and go to the latest logs. If prompted, close the notification.
    
5. Locate a log with a **404** and expand the log entry.
    
6. Expand **httpRequest**.
    
7. The request should be from the **access-test** VM IP address.
    
8. Explore some of the other log entries.
    

## **Congratulations!**

In this lab, you have done the following:

* Verified that the HTTP load balancer was deployed.
    
* Created a VM to test access to the HTTP load balancer.
    
* Used Google Cloud Armor to blocklist an IP address and restrict access to an HTTP load balancer.
    

### Take your next lab

If you are interested in progressing your knowledge on Cloud Armor, take the following course:

* [Securing your Network with Cloud Armor](https://www.cloudskillsboost.google/course_templates/785)
    

## **End your lab**

When you have completed your lab, click **End Lab**. Google Cloud Skills Boost removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click **Submit**.

The number of stars indicates the following:

* 1 star = Very dissatisfied
    
* 2 stars = Dissatisfied
    
* 3 stars = Neutral
    
* 4 stars = Satisfied
    
* 5 stars = Very satisfied
    

You can close the dialog box if you don't want to provide feedback.

---

## Solution of Lab

%[https://www.youtube.com/watch?v=oiZo5pCaA_8&ab_channel=QUICKGCPLAB] 

```apache
curl -LO raw.githubusercontent.com/QUICK-GCP-LAB/2-Minutes-Labs-Solutions/refs/heads/main/Configuring%20Traffic%20Blocklisting%20with%20Google%20Cloud%20Armor/shell.sh
sudo chmod +x shell.sh
./shell.sh
```