We have a current project: pj-xyz-dev
We would also probably require a pj-abc-dev, pj-ghi-prod, and pj-czi-prod.
We need to check how easy it is to attach these to the respective APIGEE environments for the logging capabilities.
And how do we transport the confirmation from one environment/project to another on GCP?
We want to check the standard out-of-the-box capabilities between APIGEE and GCP.
We plan to move from Apigee Edge to Apigee X. Unfortunately I still have an open security-related question for which I cannot find any suitable information.
Do I need an additional service for Intrusion Detection like Cloud IDS or is that already built in Apigee X?
For best practices there could be a number of ways, but in general the service would be the same, and Apigee X is different from Apigee in multiple ways.
You can deploy 50 proxies to an environment.
API proxies are immutable when they are deployed.
You can do your own configuration/setup in Apigee.
By using a customer encryption key all the KVM’s are encrypted.
Admin authentication and Admin API endpoints are different.
GCP IAM and RBAC govern admin identity and operators.
You can have a look at this document.
I installed managed Anthos on a GKE cluster. Anthos Service Mesh is working and is displaying my API. Thanks to that Services that are in Monitoring automatically detect my API. This is great as it enables me to easily set SLOs and Error Budget for my API.
However, I would like to be able to easily set SLOs for individual endpoints in my API. Services (in Monitoring) detect only my API and not the endpoints within my API (my API is one pod/container + sidecar). I tried to add endpoints to Services in Monitoring, but it looks like it is only possible to add Kubernetes objects there.
Is there a way to use Services in Monitoring with endpoints? Is the only way to do so to break endpoints to separate microservices?
You can monitor your endpoints using Cloud Endpoints with OpenAPI, which allows you to monitor the health of APIs you own by using the logs and metrics Cloud Endpoints maintains for you automatically. When users make requests to your API, Endpoints logs information about the requests and responses and also tracks three of the four golden signals of monitoring: latency, traffic, and errors. These usage and performance metrics help you monitor your API.
The following URL Configuring Cloud Endpoints has the configuration process for Cloud Endpoints. Use this URL Monitoring your API as a reference on the monitoring process for your API, and this last URL for the Cloud Endpoint’s overview.
I have the Google Cloud Platform load balancer as a CDN and entry point to my running services.
As far as I know GCP load balancer offers out of the box DDoS protection even without custom Cloud Armor rules setup.
Does it also include some protection against the "bad bots" which are scraping the info or sending spam?
If not, is there any way we can set up some rules using Cloud Armor to protect GCP services against such bots?
Since your question is very broad and not very precise, I will just point out some of the main features and benefits of Cloud Armor and point you to some useful documentation that will help you understand how to configure and use it.
Cloud Armor key features are:
Benefit from DDoS protection and WAF at Google scale
Detect and mitigate attacks against your Cloud Load Balancing workloads
Adaptive Protection (Preview) ML-based mechanism to help detect and block Layer 7 DDoS attacks
Mitigate OWASP Top 10 risks and help protect workloads on-premises or in the cloud
WAF is a set of web application firewall rules that you can configure to protect your resources. Rules are written in the CEL language, so have a look at this document to help you understand how they work.
Adaptive Protection helps you protect your Google Cloud applications, websites, and services against L7 distributed denial-of-service (DDoS) attacks such as HTTP floods and other high-frequency layer 7 (application-level) malicious activity. Adaptive Protection builds machine-learning models that do the following:
Detect and alert on anomalous activity
Generate a signature describing the potential attack
Generate a custom Google Cloud Armor WAF rule to block the signature
Last but not least, what is OWASP?
OWASP stands for the Open Web Application Security Project, an online community that produces articles, methodologies, documentation, tools, and technologies in the field of web application security.
The Top 10 OWASP vulnerabilities in 2021 are:
Injection
Broken authentication
Sensitive data exposure
XML external entities (XXE)
Broken access control
Security misconfigurations
Cross site scripting (XSS)
Insecure deserialization
Using components with known vulnerabilities
Insufficient logging and monitoring
Combining these together, Cloud Armor gives you a wide array of tools to protect your infrastructure from anything you can think of, given you can understand WAF rules and master the skill of writing them.
You can also try to use reCAPTCHA Enterprise integrated with Cloud Armor to challenge all automated requests:
Google Cloud Armor provides effective management of automated clients' requests towards your backends through native integration with reCAPTCHA Enterprise. reCAPTCHA Enterprise uses advanced risk analysis techniques to distinguish between human users and automated clients.
With the integration, reCAPTCHA Enterprise issues an encrypted token that contains the reCAPTCHA Enterprise assessment and associated attributes about the risk associated with the request. Google Cloud Armor deciphers this token without an additional request/response to the reCAPTCHA Enterprise server. Based on the token attributes, Google Cloud Armor lets you allow, block, or redirect the incoming requests.
Here's an example of redirecting to reCAPTCHA:
You can redirect a request to reCAPTCHA Enterprise to assess the user and serve manual challenges if necessary, without any additional reCAPTCHA Enterprise implementation. When human users share the same signature (such as URL paths or other L7 signatures) as a bot or an abusive system, this action provides a way for them to prove they are human and gain access, rather than being blocked. Only users who pass the assessment can acquire an exemption cookie and gain access to your service.
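To make the pieces of that answer concrete, here is an added example (not code from the original answer or from Google's documentation) that assembles a Cloud Armor security policy resource in the JSON shape the Compute API's securityPolicies.insert accepts: preconfigured OWASP WAF rules written as CEL expressions, Adaptive Protection turned on, and a reCAPTCHA redirect rule that honours the exemption cookie. The policy name, priorities and the `/login|/signup` path are assumptions for illustration; rules start in preview mode so they only log what they would have blocked.

```python
import json

DEFAULT_PRIORITY = 2147483647  # lowest priority; every policy must end with this catch-all rule


def waf_rule(priority: int, waf_expr: str, description: str, preview: bool = True) -> dict:
    """Deny rule driven by a preconfigured OWASP CRS expression; sensitivity 1 enables only
    the signatures with the lowest false-positive rate. preview=True logs without enforcing."""
    expression = f"evaluatePreconfiguredWaf('{waf_expr}', {{'sensitivity': 1}})"
    return {"priority": priority, "description": description, "action": "deny(403)",
            "match": {"expr": {"expression": expression}}, "preview": preview}


def recaptcha_redirect_rule(priority: int, path_regex: str) -> dict:
    """Send requests on the matched path through a reCAPTCHA assessment unless the client
    already presents a valid exemption cookie (token.recaptcha_exemption.valid)."""
    expression = f"request.path.matches('{path_regex}') && !token.recaptcha_exemption.valid"
    return {"priority": priority, "action": "redirect",
            "redirectOptions": {"type": "GOOGLE_RECAPTCHA"},
            "match": {"expr": {"expression": expression}}}


def default_allow_rule() -> dict:
    return {"priority": DEFAULT_PRIORITY, "action": "allow", "description": "default rule",
            "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}}}


def build_policy(name: str, rules: list) -> dict:
    """Assemble the securityPolicies resource and validate the rule set before sending it."""
    priorities = [r["priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique")
    if DEFAULT_PRIORITY not in priorities:
        raise ValueError("policy needs the catch-all rule at priority 2147483647")
    return {"name": name, "rules": sorted(rules, key=lambda r: r["priority"]),
            # Adaptive Protection: ML-based L7 DDoS detection described in the answer above
            "adaptiveProtectionConfig": {"layer7DdosDefenseConfig": {"enable": True}}}


def bot_waf_policy(name: str = "edge-policy") -> dict:  # assumed policy name
    return build_policy(name, [
        waf_rule(1000, "sqli-v33-stable", "block SQL injection"),
        waf_rule(1001, "xss-v33-stable", "block cross-site scripting"),
        waf_rule(1002, "lfi-v33-stable", "block local file inclusion"),
        recaptcha_redirect_rule(2000, "^/(login|signup)"),
        default_allow_rule(),
    ])


if __name__ == "__main__":
    # Save this output and load it with:
    # gcloud compute security-policies import edge-policy --file-name=policy.json --file-format=json
    print(json.dumps(bot_waf_policy(), indent=2))
```

Review the denied-in-preview entries in the load balancer logs before setting `preview=False`, so legitimate traffic hitting a CRS signature is caught first.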
I'm having some trouble setting uptime checks for some Cloud Run services that don't allow unauthenticated invocations.
For context, I'm using Cloud Endpoints + ESPv2 as an API gateway that's connected to a few Cloud Run services.
The ESPv2 container/API gateway allows unauthenticated invocations, but the underlying Cloud Run services do not (since requests to these backends flow via the API gateway).
Each Cloud Run service has an internal health check endpoint that I'd like to hit periodically via Cloud Monitoring uptime checks.
This serves the purpose of ensuring that my Cloud Run services are healthy, but also gives the added benefit of reduced cold boot times as the containers are kept 'warm'.
However, since the protected Cloud Run services expect a valid authorisation header all of the requests from Cloud Monitoring fail with a 403.
From the Cloud Monitoring UI, it looks like you can only configure a static auth header, which won't work in this case. I need to be able to dynamically create an auth header per request sent from Cloud Monitoring.
I can see that Cloud Scheduler supports this already. I have a few internal endpoints on the Cloud Run services (that aren't exposed via the API gateway) that are hit via Cloud Scheduler, and I am able to configure an OIDC auth header on each request. Ideally, I'd be able to do the same with Cloud Monitoring.
I can see a few workarounds for this, but all of them are less than ideal:
Allow unauthenticated invocations for the underlying Cloud Run services. This will make my internal services publicly accessible and then I will have to worry about handling auth within each service.
Expose the internal endpoints via the API gateway/ESPv2. This is effectively the same as the previous workaround.
Expose the internal endpoints via the API gateway/ESPv2 AND configure some sort of auth. This sort of works but at the time of writing the only auth methods supported by ESPv2 are API Keys and JWT. JWT is already out of the question but I guess an API key would work. Again, this requires a bit of set up which I'd rather avoid if possible.
Would appreciate any thought/advice on this.
Thanks!
This simple solution may work on your use case as it is easier to just use a TCP uptime check on port 443:
Create your own Cloud Run service using https://cloud.google.com/run/docs/quickstarts/prebuilt-deploy.
Create a new uptime check on TCP port 443 Cloud Run URL.
Wait a couple of minutes.
Location results: All locations passed
Virginia OK
Oregon OK
Iowa OK
Belgium OK
Singapore OK
Sao Paulo OK
I would also like to advise that Cloud Run is a Google fully managed product and it has a 99.95% monthly uptime SLA, with no recent incidents in the past few months, but proactively monitoring this on your end is a very good thing too.
How can I enable/disable APIs/Services in Google Cloud Project via Restful APIs or python?
For example, I want to enable following API/Service in a project.
https://console.developers.google.com/apis/api/iam.googleapis.com/overview?project=
You can programmatically enable or disable a GCP service using the Service Usage API. There are also methods for batch operations and querying service state. See the link below to the documentation.
https://cloud.google.com/service-usage/docs/reference/rest/v1/services
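As an added example (not part of the original answer), the following builds the Service Usage API calls for exactly the case in the question, enabling iam.googleapis.com in a project, plus disable, batchEnable and the state check, using only the standard library. The project id and the access token are assumptions; `gcloud auth print-access-token` is one way to obtain the token.

```python
import json
import urllib.request

BASE = "https://serviceusage.googleapis.com/v1"


def service_name(project_id: str, service: str) -> str:
    """Resource name used by the Service Usage API, e.g. projects/p/services/iam.googleapis.com."""
    return f"projects/{project_id}/services/{service}"


def enable_request(project_id: str, service: str) -> tuple:
    """(method, url, body) for services.enable; the response is a long-running Operation."""
    return "POST", f"{BASE}/{service_name(project_id, service)}:enable", {}


def disable_request(project_id: str, service: str, disable_dependents: bool = False) -> tuple:
    """services.disable. Keeping disableDependentServices false makes the call fail rather
    than silently switching off services that depend on this one."""
    body = {"disableDependentServices": disable_dependents}
    return "POST", f"{BASE}/{service_name(project_id, service)}:disable", body


def batch_enable_request(project_id: str, services: list) -> tuple:
    """services.batchEnable accepts between 1 and 20 service ids per call."""
    if not 0 < len(services) <= 20:
        raise ValueError("batchEnable takes between 1 and 20 service ids")
    return "POST", f"{BASE}/projects/{project_id}/services:batchEnable", {"serviceIds": list(services)}


def get_request(project_id: str, service: str) -> tuple:
    """services.get returns a Service resource whose state is ENABLED or DISABLED."""
    return "GET", f"{BASE}/{service_name(project_id, service)}", None


def is_enabled(service_resource: dict) -> bool:
    return service_resource.get("state") == "ENABLED"


def call(request: tuple, access_token: str) -> dict:
    """Send one prepared request with an OAuth2 bearer token and return the parsed JSON."""
    method, url, body = request
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = "ACCESS_TOKEN_PLACEHOLDER"  # assumption: supplied by the caller
    project = "my-project"              # assumption: the target project id
    print(call(enable_request(project, "iam.googleapis.com"), token))  # Operation resource
    print(is_enabled(call(get_request(project, "iam.googleapis.com"), token)))
```

The caller needs the `serviceusage.services.enable` (and `disable`) IAM permissions on the project; enable returns an Operation, so poll `operations/*` or re-check with `get_request` before relying on the service.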