
I want to apply rate-based throttling using Google Cloud Armor. In the configuration for rules, there is a match parameter but that is for matching the IP ranges. I could not find a way to filter and then apply rate-based throttling for specific URL endpoints.

Via Pulumi documentation, I was able to find that we can leverage enforceOnKey for the HTTP_PATH but it takes only the first 128 bytes of the request.

I wonder if there are some examples I can use to apply rate-based throttling for specific URLs. Such as 1k QPS for /login, 10k QPS for /insert.

From the logs, I think the httpRequest.requestUrl parameter, can be used to enforce this rule.

Aviral Srivastava

1 Answer


I am not sure I completely understand the workflow you want to set up.

You could draft a compound CEL rule like this:

request.path.lower().matches('/login') && inIpRange(origin.ip, '9.9.9.0/24')

Where you check for the path and the IP range and then set the action to rate limit.

# --action=throttle also requires the rate-limit threshold, conform and exceed actions
gcloud compute security-policies rules create 299 \
    --project=[projectName] \
    --security-policy=test \
    --expression="request.path.lower().matches('/login') && inIpRange(origin.ip, '9.9.9.0/24')" \
    --action=throttle \
    --rate-limit-threshold-count=1000 \
    --rate-limit-threshold-interval-sec=1 \
    --conform-action=allow \
    --exceed-action=deny-429 \
    --enforce-on-key=IP \
    --preview

You can't use a rule like inIpRange(origin.ip, '*') && request.path.lower().matches('/login|/insert') as the value needs to equate to TRUE in both halves of the CEL statement and there is no string match in the wildcard statement to tell if it is true.

I may be overthinking what you want to do. Perhaps you can do an exact match of the path as a CEL rule and then set the rate limit (without the IP range). You would set up 2 different rules, one for each path + rate limit. The counts are maintained separately if you have 2 separate rules.

Dave
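An added example, not from the answer above and not Google's code: a small Python replay that evaluates constructed request records (the httpRequest.remoteIp and requestUrl fields the question mentions) against a two-rule layout like the one the answer suggests, keeping a separate counter per rule and per client IP. The rule dicts, the fixed-window counting and the thresholds are assumptions for illustration, not Cloud Armor's internal algorithm; the point it shows is that two rules never share a counter, and that a regex `matches('/login')` also catches `/login/reset` while an exact comparison does not.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed rule set mirroring the answer's layout: one rule per path, each with
# its own rate-limit threshold. Lower priority number is evaluated first.
# "regex" imitates CEL request.path.matches() (RE2 search); "exact" imitates ==.
RULES = [
    {"priority": 100, "kind": "exact", "pattern": "/login", "count": 3, "interval_sec": 1},
    {"priority": 200, "kind": "regex", "pattern": "/insert", "count": 5, "interval_sec": 1},
]

def path_matches(rule, path):
    if rule["kind"] == "exact":
        return path == rule["pattern"]
    return re.search(rule["pattern"], path) is not None

class ThrottleSimulator:
    """Replays requests against the rules. Counters are kept per rule, per client IP
    (enforce-on-key=IP) and per fixed window, so two rules never share a counter."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r["priority"])
        self.counters = defaultdict(int)

    def evaluate(self, ts, client_ip, request_url):
        path = urlparse(request_url).path.lower()
        for rule in self.rules:           # first matching rule wins, as in Cloud Armor
            if path_matches(rule, path):
                key = (rule["priority"], client_ip, int(ts // rule["interval_sec"]))
                self.counters[key] += 1
                return "deny-429" if self.counters[key] > rule["count"] else "allow"
        return "allow"                    # default rule: no rate limit

def replay(events, rules=RULES):
    """events: constructed (timestamp, remoteIp, requestUrl) tuples.
    Returns (remoteIp, path, action) per request, in order."""
    sim = ThrottleSimulator(rules)
    return [(ip, urlparse(url).path, sim.evaluate(ts, ip, url)) for ts, ip, url in events]

# Constructed sample traffic: one client hammers /login, then /insert; another
# client hits /login/reset, which the exact-match /login rule does not cover.
SAMPLE = (
    [(0.1 * i, "203.0.113.7", "https://app.example.com/login") for i in range(5)]
    + [(0.2, "198.51.100.9", "https://app.example.com/login/reset")]
    + [(0.3, "203.0.113.7", "https://app.example.com/insert?id=1")]
    + [(0.4 + 0.05 * i, "203.0.113.7", "https://app.example.com/insert") for i in range(5)]
)

if __name__ == "__main__":
    for ip, path, action in replay(SAMPLE):
        print(f"{ip:14} {path:14} {action}")
```

Running it shows the /login counter rejecting the 4th and 5th login attempts from the same IP while the /insert counter starts fresh, which is the "counts are maintained separately" behaviour to expect from two rules.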