
Cloud Armor for DDoS and WAF in GCP - Commands & Configuration

Introduction
Cloud Armor helps protect your websites and apps from malicious internet traffic, such as floods of requests meant to overload your servers (DDoS) and crafted requests that try to exploit weaknesses in your app (the WAF part). It acts like a security guard that blocks unwanted visitors before they reach your services.
When you want to stop large attacks that try to crash your website by sending too many requests at once.
When you need to block traffic from certain countries or IP addresses that cause trouble.
When you want to filter out harmful web requests that try to exploit your app's weaknesses.
When you want to create rules that allow only safe traffic to reach your backend services.
When you want to monitor and log suspicious traffic to understand attack patterns.
Config File - cloudarmor-policy.yaml
apiVersion: compute.googleapis.com/v1
kind: SecurityPolicy
name: example-cloudarmor-policy
rules:
- action: deny(403)
  description: "Block traffic from specific IP"
  priority: 1000
  match:
    versionedExpr: SRC_IPS_V1
    config:
      srcIpRanges:
      - 203.0.113.0/24
- action: allow
  description: "Allow all other traffic"
  priority: 2147483647
  match:
    versionedExpr: ""
    config: {}

This file defines a Cloud Armor security policy named example-cloudarmor-policy.

The first rule blocks all traffic coming from the IP range 203.0.113.0/24 by denying with HTTP 403.

The second rule allows all other traffic by default.

Rules are evaluated in priority order, lowest number first, and the action of the first matching rule is applied; that is why the catch-all allow rule sits at the highest possible priority value, 2147483647, so it is only reached when no earlier rule matched.

Commands
This command creates a new Cloud Armor security policy named example-cloudarmor-policy with a description.
Terminal
gcloud compute security-policies create example-cloudarmor-policy --description="Block bad IPs and allow others"
Expected Output
Created [https://www.googleapis.com/compute/v1/projects/my-project/global/securityPolicies/example-cloudarmor-policy].
--description - Adds a human-readable description to the policy.
This command adds a rule to the policy to block traffic from the IP range 203.0.113.0/24 by returning HTTP 403.
Terminal
gcloud compute security-policies rules create 1000 --security-policy=example-cloudarmor-policy --action=deny-403 --src-ip-ranges=203.0.113.0/24 --description="Block traffic from specific IP range"
Expected Output
Created [https://www.googleapis.com/compute/v1/projects/my-project/global/securityPolicies/example-cloudarmor-policy/rules/1000].
--action - Specifies the action to take on matching traffic, here deny with HTTP 403.
--src-ip-ranges - Defines the source IP addresses to match.
This command adds a default rule to allow all other traffic not matched by previous rules.
Terminal
gcloud compute security-policies rules create 2147483647 --security-policy=example-cloudarmor-policy --action=allow --description="Allow all other traffic"
Expected Output
Created [https://www.googleapis.com/compute/v1/projects/my-project/global/securityPolicies/example-cloudarmor-policy/rules/2147483647].
--action - Allows traffic that does not match earlier rules.
This command lists all Cloud Armor security policies in the project to verify creation.
Terminal
gcloud compute security-policies list
Expected Output
NAME                       DESCRIPTION                     RULES
example-cloudarmor-policy  Block bad IPs and allow others  2
This command shows details of the example-cloudarmor-policy including its rules and actions.
Terminal
gcloud compute security-policies describe example-cloudarmor-policy
Expected Output
name: example-cloudarmor-policy
description: Block bad IPs and allow others
rules:
- action: deny(403)
  description: Block traffic from specific IP range
  priority: 1000
  match:
    config:
      srcIpRanges:
      - 203.0.113.0/24
    versionedExpr: SRC_IPS_V1
- action: allow
  description: Allow all other traffic
  priority: 2147483647
  match:
    config: {}
    versionedExpr: ""
Key Concept

If you remember nothing else from this pattern, remember: Cloud Armor lets you create rules that block or allow traffic based on IPs or request details to protect your apps from attacks.

Common Mistakes
Not setting a default allow rule after deny rules
Without a default allow rule, all traffic not matching deny rules is blocked by default, which can block legitimate users.
Always include a catch-all allow rule at the highest priority number (so it is evaluated last) to avoid blocking traffic by accident.
Using overlapping IP ranges in multiple rules without clear priorities
Rules are evaluated by priority; overlapping ranges can cause unexpected blocking or allowing if priorities are not set correctly.
Assign clear priorities and avoid overlapping IP ranges or carefully order rules to ensure correct behavior.
Not verifying the policy after creation
Without verification, you might miss errors or misconfigurations that leave your app unprotected or inaccessible.
Use 'gcloud compute security-policies describe' and 'list' commands to check your policy and rules.
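As an added example (not code from the page or from Google's tooling), the following Python models the evaluation order described under the config file and the overlapping-range mistake above: rules are tried in ascending priority number and the first match wins, and overlapping_ranges flags a range that shadows a later rule with a different action. The rule set is constructed from cloudarmor-policy.yaml; modelling the default rule as matching any source ("*") is an assumption of this model.

```python
# Offline model of Cloud Armor rule evaluation: rules are tried in ascending
# priority number and the first match decides the action. Added example,
# not code from the page or from Google.
import ipaddress
from itertools import combinations

# Constructed rule set mirroring cloudarmor-policy.yaml above. The default
# rule is modelled as matching any source ("*") rather than an empty match.
POLICY_RULES = [
    {"priority": 1000, "action": "deny(403)", "src_ip_ranges": ["203.0.113.0/24"]},
    {"priority": 2147483647, "action": "allow", "src_ip_ranges": ["*"]},
]


def _matches(rule, client_ip):
    """True if client_ip falls inside any of the rule's source ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(cidr == "*" or ip in ipaddress.ip_network(cidr, strict=False)
               for cidr in rule["src_ip_ranges"])


def evaluate(rules, client_ip):
    """Return the action applied to client_ip, or None when no rule matches."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _matches(rule, client_ip):
            return rule["action"]
    return None  # no default rule: the request is not explicitly handled


def overlapping_ranges(rules):
    """Pairs (prio_a, prio_b, cidr_a, cidr_b) where an earlier rule's range
    overlaps a later rule with a different action, i.e. shadows part of it."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    hits = []
    for a, b in combinations(ordered, 2):
        if a["action"] == b["action"]:
            continue
        for ca in a["src_ip_ranges"]:
            for cb in b["src_ip_ranges"]:
                if "*" in (ca, cb):
                    continue  # the catch-all default is expected to overlap
                na = ipaddress.ip_network(ca, strict=False)
                nb = ipaddress.ip_network(cb, strict=False)
                if na.overlaps(nb):
                    hits.append((a["priority"], b["priority"], ca, cb))
    return hits
```

Running overlapping_ranges over a policy before importing it catches the case where a lower-numbered allow for part of 203.0.113.0/24 silently defeats the deny rule at priority 1000.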
Summary
Create a Cloud Armor security policy to define traffic filtering rules.
Add rules with priorities to block bad IPs and allow safe traffic.
Verify the policy and rules to ensure correct protection is applied.