I configured a Cloud Armor policy; however, when I try to apply the policy to a new target, the '+Add Target' button is disabled.
I understand that you can't apply the policy to a new target.
This should be related to your HTTP(S) Load Balancer, because Cloud Armor is used in conjunction with the HTTP(S) Load Balancer. See the link below for more details:
https://cloud.google.com/armor/docs/security-policy-concepts
Once you have a healthy load balancer, it should be available to be added to your Cloud Armor policy. Also, make sure that the load balancer is not using Cloud CDN, as there are some limitations. Cloud Armor Security Policies and IP blacklist/whitelist are not supported for Cloud CDN in the Beta release. If you try to associate a Cloud Armor Security Policy with a backend service and Cloud CDN is enabled, the config will be rejected. Targets are Google Cloud Platform resources that you want to control access to. For the Beta release, you can only use non-CDN HTTP(S) load balancer backend services as targets.
Also, you can try to apply the policy using the gcloud command-line tool and check whether it works or not. See the link below for more insight on the gcloud command-line tool.
https://cloud.google.com/kubernetes-engine/docs/how-to/cloud-armor-backendconfig
Related
I am working on setting up a load balancer and Cloud Armor. When setting up Cloud Armor, the load balancer backend service does not show up as a target, so I am unable to choose a target for the Cloud Armor policy.
I have followed all the steps as per this:
https://cloud.google.com/iap/docs/load-balancer-howto#mig
The steps are:
create an instance group (has 2 VMs, autoscaling off, all VMs in the same region and zone)
added a health check to the instance group (HTTP, status shows green/healthy)
create a regional load balancer - HTTPS on the front end, HTTP for the backend services
In Cloud Armor, in "Apply policy to new target", in the drop-down, I do NOT see the backend service associated with the load balancer that was created successfully, so I am unable to select a target.
Any help on the above would be much appreciated.
#laks:
As of today, Google Cloud Armor is supported only for Global Load Balancers.
Check the load balancer you're using; I strongly feel that you're using a regional load balancer, and that's why it's not showing up in the targets.
Prefer using a GLB, and that should be the fix.
Thanks
Manoj Pachigolla
I could not find any documentation mentioning how to attach Armor to a NEG, or the Terraform syntax for it.
We are creating Armor as a Security Policy. I managed to find an example connecting it with a project but could not find how to connect it to a NEG.
You don't attach a Cloud Armor policy to a NEG but to a load balancer backend. You can find this option in the google_compute_backend_service. This backend also contains your NEG.
And you put this backend in a forwarding rule.
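The thread above asks for the Terraform form of this, so here is an added example (not from the answer above, and not Google's own sample code) of the full chain the answer describes: a Cloud Armor policy, a serverless NEG wrapping a Cloud Run service, a global backend service that contains the NEG and carries the policy, and the URL map, HTTPS proxy and global forwarding rule in front of it. It also illustrates the earlier threads: the target Cloud Armor attaches to is the global backend service, which is why a regional load balancer shows nothing in the target list. Resource names, the region, the hostname and the Cloud Run service name are assumptions, and the blocked range is a documentation-only range.

```hcl
# Added example (not from the original thread). Resource names, region, hostname
# and the Cloud Run service name are assumptions; 203.0.113.0/24 is a
# documentation-only range used as the blocked source.

# 1. The Cloud Armor policy. Rules are evaluated from the lowest priority number
#    upwards; the rule at priority 2147483647 is the mandatory default rule.
resource "google_compute_security_policy" "armor" {
  name = "example-armor-policy"

  rule {
    action      = "deny(403)"
    priority    = 1000
    description = "Block one source range"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["203.0.113.0/24"]
      }
    }
  }

  rule {
    action      = "deny(403)"
    priority    = 2000
    description = "Preconfigured WAF rule set for SQL injection"
    match {
      expr {
        expression = "evaluatePreconfiguredExpr('sqli-stable')"
      }
    }
  }

  rule {
    action      = "allow"
    priority    = 2147483647
    description = "Default rule: allow anything not matched above"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}

# 2. The serverless NEG that wraps an already-deployed Cloud Run service.
resource "google_compute_region_network_endpoint_group" "run_neg" {
  name                  = "example-run-neg"
  network_endpoint_type = "SERVERLESS"
  region                = "europe-west1"
  cloud_run {
    service = "example-service" # assumed name of an existing Cloud Run service
  }
}

# 3. The backend service is the Cloud Armor target. The policy is attached here,
#    not to the NEG; the NEG is just one backend inside the backend service.
resource "google_compute_backend_service" "run_backend" {
  name                  = "example-run-backend"
  load_balancing_scheme = "EXTERNAL_MANAGED"
  security_policy       = google_compute_security_policy.armor.id

  backend {
    group = google_compute_region_network_endpoint_group.run_neg.id
  }
}

# 4. URL map -> HTTPS proxy -> global forwarding rule. The global forwarding
#    rule is what makes this a global external load balancer, which is the only
#    kind Cloud Armor attaches to.
resource "google_compute_url_map" "lb" {
  name            = "example-url-map"
  default_service = google_compute_backend_service.run_backend.id
}

resource "google_compute_managed_ssl_certificate" "lb" {
  name = "example-cert"
  managed {
    domains = ["lb.example.com"] # assumed hostname
  }
}

resource "google_compute_target_https_proxy" "lb" {
  name             = "example-https-proxy"
  url_map          = google_compute_url_map.lb.id
  ssl_certificates = [google_compute_managed_ssl_certificate.lb.id]
}

resource "google_compute_global_address" "lb" {
  name = "example-lb-ip"
}

resource "google_compute_global_forwarding_rule" "lb" {
  name                  = "example-https-rule"
  load_balancing_scheme = "EXTERNAL_MANAGED"
  ip_address            = google_compute_global_address.lb.address
  port_range            = "443"
  target                = google_compute_target_https_proxy.lb.id
}
```

After terraform apply, confirm the attachment on the target itself rather than in the console: gcloud compute backend-services describe example-run-backend --global --format='value(securityPolicy)' should print the policy's self link. The policy only filters traffic that actually enters through this load balancer; a Cloud Run service that is still reachable on its default *.run.app URL is not protected by it.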
Quoting https://cloud.google.com/load-balancing/docs/https/setting-up-https-serverless#enabling
While Google Cloud Armor can be configured for backend services with Cloud Run (fully managed), Cloud Functions, and App Engine backends, there are certain limitations associated with this capability, especially with Cloud Run (fully managed) and App Engine. Users who have access to the default URLs assigned to these services by Google Cloud can bypass the load balancer and go directly to the service URLs, circumventing any configured Google Cloud Armor security policies.
What would be the best way to avoid the bypass of Cloud Armor by an attacker targeting the Cloud Run URL (*.run.app)?
Normally I would make Cloud Run only invocable by a service account, but Cloud Load Balancer can't use service accounts to call Cloud Run. An alternative is to configure Cloud Load Balancer to use a token in a header and configure the app running in Cloud Run to only accept calls with the correct header/token, but I would prefer not to have to do that in the app.
You should restrict the ingress of your service to "Internal and Load Balancing" to disable access from the default domain and only allow traffic to come from Cloud Armor:
gcloud beta run services update SERVICE --ingress internal-and-cloud-load-balancing
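The same restriction expressed in Terraform, as an added example that is not from the answer above and not Google's sample code. It shows the weak default next to the corrected value, and the invoker binding the load balancer path needs, since the external load balancer calls Cloud Run without credentials. The service name, region and resource names are assumptions; the image is Google's public hello-world sample container.

```hcl
# Added example (not from the original thread). Service name, region and
# resource names are assumptions; the image is Google's public sample container.
resource "google_cloud_run_service" "app" {
  name     = "example-service"
  location = "europe-west1"

  metadata {
    annotations = {
      # Weak (the default): the service answers on its *.run.app URL from the
      # internet, so Cloud Armor in front of the load balancer can be bypassed.
      #   "run.googleapis.com/ingress" = "all"
      #
      # Corrected: only traffic arriving through the VPC or a Google Cloud load
      # balancer is accepted; requests to the default URL are refused.
      "run.googleapis.com/ingress" = "internal-and-cloud-load-balancing"
    }
  }

  template {
    spec {
      containers {
        image = "us-docker.pkg.dev/cloudrun/container/hello"
      }
    }
  }
}

# The load balancer's serverless NEG does not present an identity to Cloud Run,
# so the service must allow unauthenticated invocation. With ingress set as
# above, "allUsers" here still only reaches the service via the load balancer.
resource "google_cloud_run_service_iam_member" "invoker" {
  service  = google_cloud_run_service.app.name
  location = google_cloud_run_service.app.location
  role     = "roles/run.invoker"
  member   = "allUsers"
}
```

With the v2 resource (google_cloud_run_v2_service) the same setting is the top-level argument ingress = "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER" instead of the annotation. Either way, check it after deployment by requesting the *.run.app URL directly: it must no longer return the application's response.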
I'm trying to create a multi-region Google Cloud Run setup and can't find any documentation.
My goal is creating a Google HTTPS Load Balancer and mapping the targets to my 3 Google Cloud Run instances.
https://lb.test.com/ >
eu.test.com > Europe Cloud Run
na.test.com > North America Cloud Run
sa.test.com > South America Cloud Run
Problem is, I can't find the option of mapping my HTTPS load balancer to my Cloud Run instances.
If this is not possible yet, can I use an external DNS LB such as AWS Route 53?
Thanks!
Mapping a load balancer to Cloud Run is possible now. This can be achieved by creating NEGs (Network Endpoint Groups) that point to a Cloud Run service.
I implemented this today and came across this thread. To find out how to implement it, follow the instructions in
https://cloud.google.com/load-balancing/docs/negs/setting-up-serverless-negs#creating_the
I have recently published a guide on this on our official documentation: http://cloud.google.com/run/docs/multiple-regions
The solution involves adding the newly introduced "Serverless Network Endpoint Groups" as backends to your load balancer.
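An added example (not from the guide or from the answer above) of the layout the answer describes, in Terraform: one serverless NEG per region, all attached to a single global backend service, so the external HTTPS load balancer sends each request to the NEG in the region nearest the client. The region list, the service name and the resource names are assumptions, and the Cloud Run service is assumed to be deployed under the same name in every listed region. The HTTPS proxy and forwarding rule in front of the URL map are identical to a single-region external HTTPS load balancer and are left out.

```hcl
# Added example (not from the original thread). Regions, the Cloud Run service
# name and resource names are assumptions; "example-service" is assumed to be
# deployed already in each listed region.
variable "regions" {
  type    = list(string)
  default = ["europe-west1", "us-east1", "southamerica-east1"]
}

variable "service_name" {
  type    = string
  default = "example-service"
}

# One serverless NEG per region, each pointing at that region's deployment.
resource "google_compute_region_network_endpoint_group" "regional_neg" {
  for_each              = toset(var.regions)
  name                  = "${var.service_name}-neg-${each.key}"
  network_endpoint_type = "SERVERLESS"
  region                = each.key
  cloud_run {
    service = var.service_name
  }
}

# A single global backend service holding every regional NEG. The load balancer
# routes to the NEG in the region nearest the client, so European, North
# American and South American users land on their local deployment. A Cloud
# Armor policy, if wanted, is attached to this resource via security_policy.
resource "google_compute_backend_service" "multi_region_backend" {
  name                  = "${var.service_name}-backend"
  load_balancing_scheme = "EXTERNAL_MANAGED"

  dynamic "backend" {
    for_each = google_compute_region_network_endpoint_group.regional_neg
    content {
      group = backend.value.id
    }
  }
}

# One hostname serves all regions; separate per-region hostnames are not needed
# for proximity routing.
resource "google_compute_url_map" "multi_region" {
  name            = "${var.service_name}-url-map"
  default_service = google_compute_backend_service.multi_region_backend.id
}
```

If you do want fixed hostnames per region as in the question (eu, na, sa), use one backend service per NEG instead and map each hostname to its backend service with host_rule and path_matcher blocks in the URL map; proximity routing then no longer applies, because each hostname is pinned to one region.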
I do not think you can use a Google HTTPS Load Balancer to make a Cloud Run service multi-regional (the HTTPS Load Balancer supports only Compute Engine VMs as backends). Your question was very interesting and I did some research.
The only useful documents I found about this topic:
Running Multi-Region Apps on Google Cloud (Cloud Next '19).
Going Multi-Regional in Google Cloud Platform
They explain how you can make a cloud service multi-regional using Apigee (or proxy servers such as HAProxy or Nginx).
I read the HIPAA doc from Google; I'm not sure whether the Google Cloud Load Balancer is HIPAA compliant. Google Cloud HIPAA
Google says all the networks and regions are HIPAA compliant; I think this includes these products:
VPC
Cloud DNS
Cloud Interconnect
Cloud CDN
Cloud Load Balancer
Is this correct, or am I wrong?
I think it is, because Kubernetes Engine uses Cloud Load Balancer.
According to the documentation that you provided, and in here, the network is covered by HIPAA.
"The Google Cloud BAA covers GCP’s entire infrastructure (all regions, all zones, all network paths, all points of presence)"
But let's not forget that you need to do your bit by securing the environment and applications that run on top of GCP, hence why it's called a shared security model.