I could not find any documentation mentioning how to attach Armor to a NEG, i.e. the Terraform syntax.
We are creating Armor as a security policy. I managed to find an example connecting it with a project but could not find how to connect it to a NEG.
You don't attach a Cloud Armor policy to a NEG but to a load balancer backend. You can find this option in the google_compute_backend_service. This backend also contains your NEG.
And you put this backend in a forwarding rule.
Related
I am working on setting up a load balancer and cloud armor. When setting up cloud armor, the load balancer backend service does not show up as a target. So unable to choose a target for the cloud armor policy.
I have followed all the steps as per this:
https://cloud.google.com/iap/docs/load-balancer-howto#mig
The steps are:
Create an instance group (has 2 VMs, autoscaling off, all VMs in the same region and zone)
Added a health check to the instance group (HTTP, status shows green/healthy)
Create a regional load balancer - HTTPS on the front end, HTTP for backend services
In Cloud Armor, in "Apply policy to new target" - in the drop-down, I do NOT see the backend service associated with the load balancer that was created successfully. So I'm unable to select a target.
Any help on the above would be much appreciated.
@laks:
As of today, Google Cloud Armor is supported only for global load balancers.
Check the load balancer you're using. I strongly feel that you're using a regional load balancer, and that's why it's not showing in the targets.
Prefer using a GLB and that should be the fix.
Thanks
Manoj Pachigolla
We want to secure our Cloud Function (HTTP), so we added an ingress setting to allow internal traffic only.
After adding it, we are unable to communicate from a service in the GKE cluster to this Cloud Function.
Getting a 403 error.
I am not able to understand this because they are in the same project.
What are the things I need to configure to access my Cloud Function from a microservice in the GKE cluster?
Can you please suggest what configurations need to be taken care of to secure the Cloud Function and get a successful connection between the microservice in GKE and the Cloud Function?
Only traffic from VPC networks in the same project or the same VPC SC perimeter is allowed.
Check that your cluster and Cloud Function are in the VPC by selecting the right VPC connector.
I have an API which is deployed in GKE and exposed via Cloud Endpoints with ESPv2. I have secured the API using an API key as of now, and it's available via the internet. Is there any possible way I can apply some firewall rules so that the endpoint is available only from a certain network or range of IPs?
You need to define an ingress with a global HTTPS load balancer in front of your ESPv2 service.
Then, you can activate Cloud Armor and set policies to filter the IPs and ranges that you want.
I've been searching on google and keep getting referred to the VPC documentation https://cloud.google.com/vpc-service-controls/docs/set-up-private-connectivity but I don't think this will solve my problem. I'm trying to limit the IP address accessing my webhook function on GCP and I need to use API gateway (Apigee isn't an option at the moment for me). Any advice would be great!
If API Gateway isn't a requirement, I propose this solution:
Update the ingress control of your function to internal_and_cloud_load_balancing to allow only traffic from your VPCs and the load balancers.
Then create an HTTPS external load balancer with a serverless NEG that points to your Cloud Function.
Add Cloud Armor policies on your Load Balancer to filter IP sources.
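The wiring described in the answers above (Cloud Armor policy attached to a global backend service whose backend is a NEG, with the function's ingress restricted so only the load balancer can reach it) as one Terraform configuration. This is an added example, not code from the thread or from Google; it also answers the Terraform question at the top of the page and the ESPv2/IP-filtering question, since a GKE standalone NEG would simply replace the serverless NEG in the backend block. The project, bucket, function name, domain and the 203.0.113.0/24 allow range are placeholders.

```hcl
# Constructed example: global external HTTPS load balancer -> serverless NEG -> Cloud Function,
# with a Cloud Armor allowlist on the backend service. All names/ranges below are placeholders.

# Cloud Armor policy: allow one trusted range, deny everything else at the edge.
resource "google_compute_security_policy" "webhook_policy" {
  name = "webhook-allowlist"

  rule {
    action      = "allow"
    priority    = 1000
    description = "Allow trusted source range (placeholder CIDR)"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["203.0.113.0/24"]
      }
    }
  }

  # Every policy needs a default rule at the lowest priority; make it a deny.
  rule {
    action      = "deny(403)"
    priority    = 2147483647
    description = "Default deny"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}

# The function only accepts traffic from the VPC and from Google Cloud load balancers,
# so the public path is forced through the load balancer (and therefore through Cloud Armor).
resource "google_cloudfunctions_function" "webhook" {
  name                  = "webhook"
  region                = "us-central1"
  runtime               = "python39"
  entry_point           = "handler"
  trigger_http          = true
  ingress_settings      = "ALLOW_INTERNAL_AND_GCLB"
  source_archive_bucket = "my-functions-bucket" # placeholder
  source_archive_object = "webhook.zip"         # placeholder
}

# Serverless NEG pointing at the function. For a GKE workload you would use a
# google_compute_network_endpoint_group (standalone NEG) here instead.
resource "google_compute_region_network_endpoint_group" "webhook_neg" {
  name                  = "webhook-neg"
  region                = "us-central1"
  network_endpoint_type = "SERVERLESS"
  cloud_function {
    function = google_cloudfunctions_function.webhook.name
  }
}

# The policy is attached here, on the backend service, not on the NEG.
# load_balancing_scheme EXTERNAL = global external HTTP(S) LB, which Cloud Armor requires.
resource "google_compute_backend_service" "webhook_backend" {
  name                  = "webhook-backend"
  load_balancing_scheme = "EXTERNAL"
  security_policy       = google_compute_security_policy.webhook_policy.id
  backend {
    group = google_compute_region_network_endpoint_group.webhook_neg.id
  }
}

resource "google_compute_url_map" "webhook_map" {
  name            = "webhook-url-map"
  default_service = google_compute_backend_service.webhook_backend.id
}

resource "google_compute_managed_ssl_certificate" "webhook_cert" {
  name = "webhook-cert"
  managed {
    domains = ["webhook.example.com"] # placeholder domain
  }
}

resource "google_compute_target_https_proxy" "webhook_proxy" {
  name             = "webhook-https-proxy"
  url_map          = google_compute_url_map.webhook_map.id
  ssl_certificates = [google_compute_managed_ssl_certificate.webhook_cert.id]
}

# The forwarding rule is what actually exposes the backend (and its policy) on port 443.
resource "google_compute_global_forwarding_rule" "webhook_rule" {
  name                  = "webhook-https-rule"
  load_balancing_scheme = "EXTERNAL"
  port_range            = "443"
  target                = google_compute_target_https_proxy.webhook_proxy.id
}
```

Two things worth checking after `terraform apply`: the backend service must be global (a regional backend service will not appear as a Cloud Armor target, which is the problem described further up the page), and the ingress setting only controls network reachability; the function's IAM invoker binding still decides who may call it once the request arrives through the load balancer.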
I configured a Cloud Armor policy however when I try to apply the policy to a new target the '+Add Target' button is disabled.
I understand that you can't apply the policy to a new target.
This should be related to your HTTP(S) Load Balancer, because Cloud Armor is used in conjunction with HTTP(S) Load balancer. See the below link for more details:
https://cloud.google.com/armor/docs/security-policy-concepts
Once you have a healthy load balancer, it should be available to be added to your cloud armor policy. Also, make sure that the Load balancer is not using CDN there are some limitations. Cloud Armor Security Policies and IP blacklist/whitelist are not supported for Cloud CDN in the Beta release. If you try to associate a Cloud Armor Security Policy for a backend service and Cloud CDN is enabled, the config will be rejected. Targets are Google Cloud Platform resources that you want to control access to. For the Beta release, you can only use non-CDN HTTP(S) load balancer backend services as targets.
Also, you can try to apply the policy using the gcloud command line tool, and check if it is working or not. See the link below for more insight on gcloud command line tool.
https://cloud.google.com/kubernetes-engine/docs/how-to/cloud-armor-backendconfig