Last Updated: Mar 27, 2024

  Google Cloud Armor

Author ANJU JAISWAL

Google Cloud Armor😶‍🌫️

Hi Ninja🥷! You must be wondering how Google keeps your cloud data safe. Let's find out.

Cross-site scripting (XSS), SQL injection (SQLi), and distributed denial-of-service (DDoS) attacks are just a few of the application attacks that Google Cloud Armor can help you defend against. Some of the defenses offered by Google Cloud Armor are automatic, while others require manual configuration.


This article provides a high-level overview of these features, some of which are only available for global external HTTP(S) load balancers and global external HTTP(S) load balancers (classic).

Security policy🔐

By offering Layer 7 filtering and checking incoming requests for common web attacks or other Layer 7 attributes, Google Cloud Armor security policies safeguard your application by potentially blocking traffic before it reaches your load-balanced backend services or backend buckets. Every security policy consists of rules that filter traffic according to criteria like the incoming request's IP address, IP range, region code, or request headers.

Only the backend services of global external HTTP(S) load balancers, global external HTTP(S) load balancers (classic), external TCP proxy load balancers, or external SSL proxy load balancers can use Google Cloud Armor security policies.

Configuring Google Cloud Armor security policies🌐

Create security policies for Google Cloud Armor using these instructions to filter incoming traffic going to external HTTP(S) load balancers.

The high-level procedures for setting up Google Cloud Armor security policies to enable rules that permit or prohibit traffic to external HTTP(S) load balancers are as follows:

  1. Create a security policy for Google Cloud Armor.
  2. Add security policy rules based on custom or preconfigured expression sets, or on IP address lists.
  3. Attach the security policy to the backend service of the external HTTP(S) load balancer whose access you want to restrict.
  4. Update the security policy as necessary.

Tuning Google Cloud Armor WAF rules🚧

The web application firewall (WAF) rules preconfigured in Google Cloud Armor are built from open source industry standards and contain dozens of signatures. Google provides these rules "as is." Instead of requiring you to define each traffic signature manually, the rules let Google Cloud Armor evaluate dozens of traffic signatures by referencing a single, conveniently named rule.

The table below lists the preconfigured WAF rules that can be used in a Google Cloud Armor security policy.

Google Cloud Armor rule name              ModSecurity rule name   Current status
SQL injection (public preview)            sqli-v33-stable         In sync with sqli-v33-canary
                                          sqli-v33-canary         Latest
Cross-site scripting (public preview)     xss-v33-stable          In sync with xss-v33-canary
                                          xss-v33-canary          Latest
Local file inclusion (public preview)     lfi-v33-stable          In sync with lfi-v33-canary
                                          lfi-v33-canary          Latest
Remote file inclusion (public preview)    rfi-v33-stable          In sync with rfi-v33-canary
                                          rfi-v33-canary          Latest
Remote code execution (public preview)    rce-v33-stable          In sync with rce-v33-canary
                                          rce-v33-canary          Latest
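As an added example (not from the article and not Google's own sample code), here is the four-step procedure from the previous section together with two of the preconfigured WAF rule names from the table, written as gcloud commands. The policy name edge-waf-policy, the backend service name web-backend-service, the source range 203.0.113.0/24, the rule priorities and the sensitivity value are all placeholders chosen for this example. DRY_RUN defaults to 1, so the script prints the commands it would run; set DRY_RUN=0 in a project where you hold the necessary permissions to execute them.

```shell
#!/bin/sh
# Added example: Google Cloud Armor policy set-up as gcloud commands.
# edge-waf-policy, web-backend-service and 203.0.113.0/24 are placeholders.
POLICY="${POLICY:-edge-waf-policy}"
BACKEND="${BACKEND:-web-backend-service}"
BLOCKED_RANGE="${BLOCKED_RANGE:-203.0.113.0/24}"   # RFC 5737 documentation range
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = execute them

# run: print the command (dry run) or execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: create the security policy.
create_policy() {
  run gcloud compute security-policies create "$POLICY" \
    --description "Edge WAF policy for $BACKEND"
}

# Step 2: add rules. A lower priority number is evaluated first; the policy's
# default rule (priority 2147483647) allows anything no other rule matches.
add_rules() {
  # IP address list rule: reject a known-bad source range outright.
  run gcloud compute security-policies rules create 1000 \
    --security-policy "$POLICY" \
    --src-ip-ranges "$BLOCKED_RANGE" \
    --action deny-403
  # Preconfigured WAF rule sets from the table above. --preview logs what the
  # rule would do without enforcing it, so false positives can be found and
  # the sensitivity level tuned before the rule is switched on.
  run gcloud compute security-policies rules create 2000 \
    --security-policy "$POLICY" \
    --expression "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})" \
    --action deny-403 \
    --preview
  run gcloud compute security-policies rules create 2100 \
    --security-policy "$POLICY" \
    --expression "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})" \
    --action deny-403 \
    --preview
}

# Step 3: attach the policy to the load balancer's global backend service.
attach_policy() {
  run gcloud compute backend-services update "$BACKEND" \
    --security-policy "$POLICY" \
    --global
}

# Step 4: update the policy later, for example to enforce a rule once its
# preview logs show no false positives. Argument: the rule priority.
enforce_rule() {
  run gcloud compute security-policies rules update "$1" \
    --security-policy "$POLICY" \
    --no-preview
}

create_policy
add_rules
attach_policy
```

The preview-first order matters: a preconfigured WAF rule set evaluates dozens of signatures at once, so enforcing it immediately on a production backend can block legitimate requests. Run it in preview, read the logged outcomes, and only then call enforce_rule with the rule's priority (for example `enforce_rule 2000`).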

Using Google Cloud Armor Managed Protection🦾

This section explains how to use Google Cloud Armor Managed Protection Plus.

Follow these steps to switch to Managed Protection Plus:

  1. Sign up for the Managed Protection Plus tier with your billing account.
  2. Enroll a project in the Managed Protection Plus subscription.

Note that Managed Protection Plus requires a 12-month commitment: you cannot cancel the subscription for a year after subscribing.

Required IAM permissions

To subscribe a billing account to Managed Protection Plus, or to change the subscription's auto-renewal setting, you must have the Identity and Access Management (IAM) permission billing.accounts.update on that billing account.

To add a project to the subscription, you must have the following IAM permissions on the project you are enrolling in Managed Protection Plus:

  • resourcemanager.projects.createBillingAssignment
     
  • resourcemanager.projects.update

Google Cloud Armor Adaptive Protection overview🧑‍💻

Google Cloud Armor Adaptive Protection helps you protect your Google Cloud applications, websites, and services against L7 distributed denial-of-service (DDoS) attacks such as HTTP floods and other high-frequency layer 7 (application-level) malicious activity. 

Adaptive Protection builds machine-learning models that do the following:

  1. Detect and alert on anomalous activity.
  2. Generate a signature describing the potential attack.
  3. Generate a custom Google Cloud Armor WAF rule to block the signature.

You enable or disable Adaptive Protection on a per-security-policy basis.

Alerts about anomalous traffic (potential attacks), including the attack signatures, appear in the Adaptive Protection event dashboard, and the event logs are sent to Cloud Logging, where they can be analyzed directly or forwarded to a downstream log or security event monitoring workflow. Alerts about potential attacks are also generated as Security Command Center findings.

APIs and references💯

This section describes the main gcloud commands for Google Cloud Armor.

Security policies

Use this command group to create security policies and rules.

NAME

gcloud compute security-policies - read and manipulate Cloud Armor security policies

SYNOPSIS

gcloud compute security-policies GROUP | COMMAND [GCLOUD_WIDE_FLAG …]

DESCRIPTION

Read and manipulate Cloud Armor security policies.

Security policies are used to control access to Google Cloud HTTP/HTTPS load balancers.

GCLOUD WIDE FLAGS

These flags are available to all commands: --help.

Run $ gcloud help for details.

GROUPS

GROUP is one of the following:

rules

Read and manipulate Compute Engine security policies rules.

COMMANDS

COMMAND is one of the following:

Command                               Description
create                                Create a Compute Engine security policy.
describe                              Describe a Compute Engine security policy.
export                                Export security policy configs into yaml files.
list                                  List Google Compute Engine security policies.
import                                Import security policy configs into your project.
update                                Update a Compute Engine security policy.
delete                                Delete security policies.
list-preconfigured-expression-sets    List all available preconfigured expression sets.

Backend services

Use this command group to attach a security policy to a backend service.

A backend service determines how Google Cloud load balancers distribute traffic. The backend service configuration contains several values, including the protocol used to connect to backends, distribution and session settings, health checks, and timeouts. These options give you precise control over the behaviour of your load balancer. Most settings have default values, which keeps configuration simple if you need to get going immediately.

Google Compute Engine offers both regional and global scoped backend services.

  • Global
     
  • Regional

Monitoring Google Cloud Armor security policies🧠

Google Cloud Armor exports security policy monitoring data to Cloud Monitoring. You can use the monitoring metrics to diagnose issues or to determine whether your policies are operating as intended. For instance, you can see the traffic that was blocked or permitted for each backend service. You can track the metrics for a single backend service, or for a single security policy that is applied to many backend services.

Security Command Center has no monitoring logs.

Viewing the monitoring dashboard

Using the preconfigured Network Security Policies resource dashboard in Cloud Monitoring, you can keep track of the status and request traffic volumes (allowed, denied, or previewed) for each policy and each backend service.

Follow these steps to view the dashboard:

  1. In the Google Cloud console, go to Monitoring.
  2. In the navigation pane on the left, select Dashboards.
  3. Under Name, select Network Security Policies.
  4. Click the name of your policy.

When you open the dashboard, the overall metrics appear on the right. These include the volume of requests evaluated by security policies, broken down by result: allowed, denied, previewed allowed, and previewed denied. The metrics can be observed at different levels of granularity, such as per project, per policy, and per backend service.
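As an added example (not part of the article), the same four counts the dashboard shows, allowed, denied, previewed allowed and previewed denied, reconstructed from Cloud Armor request log entries in a script. This is useful for checking what a rule in preview mode would have blocked before you enforce it. The log lines are constructed for this example: their shape (jsonPayload.enforcedSecurityPolicy and jsonPayload.previewSecurityPolicy, each with name, priority, configuredAction and outcome) follows the fields Cloud Armor writes to its request logs, but the policy name edge-waf-policy and every other value are invented.

```shell
#!/bin/sh
# Added example: count Cloud Armor request-log outcomes the way the monitoring
# dashboard does (allowed, denied, previewed allowed, previewed denied) and
# list which previewed rule priorities would have denied traffic.

# Constructed sample entries, one JSON object per line (values are invented;
# 2147483647 is the policy's default rule). Replace with exported log entries.
LOG_FILE=$(mktemp)
trap 'rm -f "$LOG_FILE"' EXIT
cat > "$LOG_FILE" <<'EOF'
{"jsonPayload":{"enforcedSecurityPolicy":{"name":"edge-waf-policy","priority":2147483647,"configuredAction":"ALLOW","outcome":"ACCEPT"}}}
{"jsonPayload":{"enforcedSecurityPolicy":{"name":"edge-waf-policy","priority":1000,"configuredAction":"DENY","outcome":"DENY"}}}
{"jsonPayload":{"enforcedSecurityPolicy":{"name":"edge-waf-policy","priority":2147483647,"configuredAction":"ALLOW","outcome":"ACCEPT"},"previewSecurityPolicy":{"name":"edge-waf-policy","priority":2000,"configuredAction":"DENY","outcome":"DENY"}}}
{"jsonPayload":{"enforcedSecurityPolicy":{"name":"edge-waf-policy","priority":2147483647,"configuredAction":"ALLOW","outcome":"ACCEPT"},"previewSecurityPolicy":{"name":"edge-waf-policy","priority":2000,"configuredAction":"DENY","outcome":"DENY"}}}
{"jsonPayload":{"enforcedSecurityPolicy":{"name":"edge-waf-policy","priority":2147483647,"configuredAction":"ALLOW","outcome":"ACCEPT"},"previewSecurityPolicy":{"name":"edge-waf-policy","priority":2100,"configuredAction":"DENY","outcome":"DENY"}}}
{"jsonPayload":{"enforcedSecurityPolicy":{"name":"edge-waf-policy","priority":2147483647,"configuredAction":"ALLOW","outcome":"ACCEPT"},"previewSecurityPolicy":{"name":"edge-waf-policy","priority":500,"configuredAction":"ALLOW","outcome":"ACCEPT"}}}
EOF

# count_outcome FIELD OUTCOME: number of entries whose FIELD object
# (enforcedSecurityPolicy or previewSecurityPolicy) reports OUTCOME
# (ACCEPT or DENY). The "." after the colon matches the object's opening
# brace and [^}]* keeps the match inside that one object. "|| true" keeps the
# printed 0 when nothing matches, because grep -c then exits non-zero.
count_outcome() {
  grep -c -E "\"$1\": *.[^}]*\"outcome\": *\"$2\"" "$LOG_FILE" || true
}

# The four dashboard figures on one line.
summarize() {
  printf 'allowed=%s denied=%s preview_allowed=%s preview_denied=%s\n' \
    "$(count_outcome enforcedSecurityPolicy ACCEPT)" \
    "$(count_outcome enforcedSecurityPolicy DENY)" \
    "$(count_outcome previewSecurityPolicy ACCEPT)" \
    "$(count_outcome previewSecurityPolicy DENY)"
}

# Which previewed rules would have denied requests, most frequent first.
# A large count at a WAF rule's priority is the cue to inspect those requests
# for false positives before removing --preview from the rule.
preview_denies_by_priority() {
  grep -o -E '"previewSecurityPolicy": *.[^}]*"outcome": *"DENY"' "$LOG_FILE" \
    | sed -E 's/.*"priority": *([0-9]+).*/\1/' \
    | sort | uniq -c | sort -rn
}

summarize
preview_denies_by_priority
```

Note that a request can appear in both the enforced and the preview counts: the previewed rule records what it would have done while the enforced rule decides what actually happened, which is why the dashboard reports the previewed figures separately.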


Google Cloud Armor audit logging information💻

To assist you in determining "Who did what, where, and when?" regarding your Google Cloud resources, Google Cloud services keep audit logs.

This section covers only the audit logs for resources directly within your Google Cloud projects. Other Google Cloud resources, such as folders, organizations, and billing accounts, hold the audit logs for the entity itself.

Google Cloud Armor offers the following audit log categories:

  • Admin Activity audit logs
    Comprise "admin write" operations that store configuration or metadata.
    You can't disable Admin Activity audit logs.

  • Data Access audit logs
    Contain "admin read" operations that read configuration or metadata, and "data write" and "data read" operations that read or write user-supplied data. To receive Data Access audit logs, you must explicitly enable them.

Frequently Asked Questions❓

Does cloud armor protect against SQL injection?

Cloud Armor provides predefined rules to help defend against attacks such as cross-site scripting (XSS) and SQL injection (SQLi) attacks.

What is the load balancer type supported with Cloud Armor?

Google Cloud Armor only enforces rate-limiting actions like throttling or banning new connection requests from clients. Only the key types ALL and IP are supported for External TCP Proxy Load Balancing and External SSL Proxy Load Balancing.

What is an HTTP load balancer?

With the help of the proxy-based Layer 7 load balancer known as External HTTP(S) Load Balancing, you can run and scale your services behind a single external IP address.

How do you implement cloud armor?

Create a security policy for Google Cloud Armor. Add security policy rules based on custom, preconfigured expression sets or IP address lists. Attach the security policy to the external HTTP(S) load balancer's backend service to which you want to restrict access. As necessary, update the security policy.

What additional security does Cloud Armor provide?

Using Google Cloud Armor security policies, you can allow or deny access to your deployment at the Google Cloud edge, the point closest to the origin of incoming traffic. This stops unwanted traffic from entering your Virtual Private Cloud (VPC) networks or consuming their resources.

Conclusion

In this article, we discussed Google Cloud Armor, how to configure its security policies, how to monitor them from the dashboard, and the basics of its audit logs. We hope you enjoyed the article.



Happy Learning!!                                  

Thank You