Questions tagged [google-cloud-armor]

Google Cloud Armor is a distributed denial of service (DDoS) protection and web application firewall (WAF) service offered by Google Cloud Platform. It is designed to safeguard applications and services running on Google Cloud from malicious web traffic and cyber threats. Cloud Armor provides a comprehensive set of security features, including IP allow/deny lists, Layer 7 filtering, and customizable rules for detecting and mitigating common attack patterns, such as SQL injection and cross-site scripting (XSS). By integrating with Google's global infrastructure, Cloud Armor delivers scalable, reliable, and low-latency defense mechanisms for securing applications and services against DDoS attacks and other web-based threats.

101 questions
7 votes, 2 answers

Global load balancer (HTTPS Loadbalancer) in front of GKE Nginx Ingress Controller

I have a GKE cluster which uses Nginx Ingress Controller as its ingress engine. Currently, when I set up the Nginx Ingress Controller, I define a service kind: LoadBalancer and point it to an external static IP previously reserved on GCP. The problem…
7 votes, 3 answers

Is it possible to use a fully managed service (Cloud Run or App Engine) with firewall in GCP?

Problem. I'm looking for an agile way to shoot a docker container (stored on GCR.IO) to a managed service on GCP: one docker container gcr.io/project/helloworld with private data (say, Cloud SQL backend) - can't face the real world. a bunch of IPs…
6 votes, 4 answers

How to use Cloud Armor with GAE Flex?

I wonder if it is possible to use Cloud Armor with GAE Flex? Because in Cloud Armor's documentation, it says that you have to use an HTTPS Load Balancer. Since GAE Flex doesn't have a load balancer, how can we use Cloud Armor with GAE Flex? We have…
6 votes, 2 answers

How to use Google Cloud Armor to whitelist only a few IPs on GKE?

We're trying to block all non-cluster traffic except a few external IP addresses based on this Cloud Armor walkthrough. The GKE cluster recognizes the rules but it's still blocking the allowed IP. Here are the steps followed: 1) Create the policy…
5 votes, 1 answer

How can I use Cloud Armor on Nginx ingress controller?

First of all, I am using an Nginx ingress controller with Helm for GKE and I am using ModSecurity as a WAF. Nevertheless, I was researching for a new kind of WAF to display the results of prevention, and Cloud Armor looks like what I am…
5 votes, 1 answer

Is there any way for the IP once denied by a WAF rule to be unbarred again passing through the rule?

I have set up Google Cloud Armor security policy referring to https://cloud.google.com/armor/docs/rules-language-reference. It worked fine. My simulated SQL injection attack from my office was detected and subsequent accesses were blocked.…
4 votes, 1 answer

GCP - Regional GKE cluster with Network endpoint group NEG (with HTTP LoadBalancer and Cloud Armor)

Thanks to Gabriel Hodoroaga and his tutorial we have config with this flow in GCP: Internet > HTTP Load Balancer > Network Endpoint Groups > GKE in one zone > ingress-nginx. But we need to switch GKE from zonal to regional. So I rebuild this config…
4 votes, 1 answer

How to protect your GCP apps from bad bots using Cloud Armor and Load Balancer?

I have the Google Cloud Platform load balancer as a CDN and entry point to my running services. As far as I know, the GCP load balancer offers out-of-the-box DDoS protection even without custom Cloud Armor rules set up. Does it also include some protection…
4 votes, 1 answer

Is there a way in Google Cloud to block attempts to access specific URLs?

I have a VM instance that receives a lot of spam/bot traffic attempting to hack the instance such as New Request to /blog/wp-includes/wlwmanifest.xml. Although none of these are successful it adds strain to the instance. Is it possible to block…
4 votes, 1 answer

Use Cloud Armor with Cloud Run and avoid bypass

Quoting https://cloud.google.com/load-balancing/docs/https/setting-up-https-serverless#enabling While Google Cloud Armor can be configured for backend services with Cloud Run (fully managed), Cloud Functions, and App Engine backends, there are…
4 votes, 1 answer

GKE Error: no matches for kind "BackendConfig" in version "cloud.google.com/v1"

I am trying to follow this documentation on configuring Cloud Armor and I'm getting this error when trying to apply it to create a BackendConfig. Why am I getting this error? Clearly they're saying there should be an api config type of…
4 votes, 2 answers

How to use a list to define rules for google_compute_security_policy

https://www.terraform.io/docs/providers/google/r/compute_security_policy.html Rules are embedded in the google_compute_security_policy resource. And Cloud Armor has a dumb limitation that only allows for up to 5 IPs in a rule - I have about 15 IPs i…
4 votes, 1 answer

Google Cloud Armor: Cannot add targets using cloud armor

I configured a Cloud Armor policy; however, when I try to apply the policy to a new target, the '+Add Target' button is disabled.
gkatzioura
3 votes, 1 answer

Cloud Armor Rate-Limiting Pricing

For Google's Cloud Armor service, does it cost to use its rate-limiting functionality, specifically on a per-request basis? https://cloud.google.com/armor/pricing I'm reasonably confident that it will, at minimum, cost $5 per month for the policy…
3 votes, 0 answers

Can I bypass WAF rules for a specific URL in Cloud Armor?

I would like to bypass certain WAF rules to be applied for a specific URL. For example, the following requests are creating a false positive as they have some "string" in the payload triggering the rule "owasp-crs-v030001-id933160-php". POST…
Titu