How to Configure Google Cloud Armor as a Multi-Layer Firewall

< Back to Blog Home

Google Cloud Platform (GCP) & Google Cloud Armor

In a previous blog post, Understanding Google Cloud Platform (GCP) Concepts, we discussed the basics of the Google Cloud Platform (Identity and Access Management, Networking, Securing data) and how these core features and systems apply towards securing your cloud workloads.

In part two of this three-part series, will be covering how Google Cloud Armor works as a multi-layer firewall for your Google Cloud Platform resources. (Read about the other two Google Cloud Service Providers (CSPs): Stackdriver & Cloud Security Scanner.)

Google Cloud Armor Security Policies

To configure it, you must use Security Policies which are basically rules that allow or deny traffic from an IP or an IP range.

Google Cloud Armor security policies and IP deny lists and allow lists are available only for HTTP(S) Load Balancing. The HTTP, HTTPS, and HTTP/2 protocols are all supported.

IP Allow/Deny Lists Features:

• Associate a Google Cloud Armor security policy with one or more HTTP(S) Load Balancing backend services.
• Deny listing for IP address / CIDR provides the ability to block a source IP address or CIDR range from accessing HTTP(S) load balancers (blacklist).
• Allow listing for IP address / CIDR provides the ability to allow a source IP address or CIDR range to access HTTP(S) load balancers (whitelist).
• IPv4 and IPv6 addresses are supported in allow list and deny list rules.
• You can configure a deny rule to display a 403, 404, or 502 error code.
• When you configure multiple rules, you can designate the order in which the rules are evaluated.
• Ability to preview the effects of the rules in a security policy in Stackdriver logs without enforcing the actions in the rules.
• The Google Cloud Armor security policy name, matched rule priority, associated action, and related information are logged for HTTP(S) requests to your HTTP(S) load balancer.

Limitations

• Each project is limited to a maximum of 200 security rules across all Google Cloud Armor security policies.
• Each project is limited to a maximum of 10 Google Cloud Armor security policies.
• Each rule is limited to a maximum of 5 IP addresses or IP address ranges.
• There is a limit of 20,000 requests per second per project across all backends with a Google Cloud Armor security policy. Google Cloud Armor limits the volume of traffic that can be processed by all security policies on a per-project basis. Once the inbound request traffic volume (RPS) across all backends protected by a Google Cloud Armor security policy exceeds the limit, then inbound traffic covered by security policies will be throttled to be within the limit.

To learn more about Google Cloud Platforms, be sure to check out the other blog posts in the series: The 5 Key Features of Google Stackdriver & 5 Techniques to Avoid Unwanted Outcomes with Cloud Security Scanner.