GCPcloud~30 mins

Cloud Armor for DDoS and WAF in GCP - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Cloud Armor for DDoS and WAF

📖 Scenario: You are managing a website hosted on Google Cloud Platform (GCP). You want to protect your website from attacks like Distributed Denial of Service (DDoS) and block malicious traffic using a Web Application Firewall (WAF).Google Cloud Armor helps you create security policies to protect your site.

🎯 Goal: Build a Google Cloud Armor security policy that blocks traffic from a specific IP address and enables a basic WAF rule to protect your website.

📋 What You'll Learn

Create a Cloud Armor security policy named my-security-policy

Add a rule to block traffic from IP address 203.0.113.5

Add a WAF rule to enable the OWASP_CRS rule set with default action deny

Attach the security policy to a backend service named my-backend-service

💡 Why This Matters

🌍 Real World

Protecting websites and applications from malicious traffic and attacks is critical for uptime and security. Cloud Armor provides scalable protection on Google Cloud.

💼 Career

Cloud security engineers and cloud architects use Cloud Armor to secure services and meet compliance requirements.

Progress0 / 4 steps

Create the initial Cloud Armor security policy

Create a Cloud Armor security policy named my-security-policy using the gcloud command line.

GCP

# Use gcloud command to create the security policy
# Your code here

Need a hint?

Use the gcloud compute security-policies create command with the name my-security-policy.

Add a rule to block traffic from a specific IP address

Add a rule to the my-security-policy that blocks traffic from IP address 203.0.113.5 with priority 1000.

GCP

gcloud compute security-policies create my-security-policy --description="Security policy to protect my website"
# Add a rule to block IP 203.0.113.5
# Your code here

Need a hint?

Use gcloud compute security-policies rules create with priority 1000, the IP match expression, and deny action.

Add a WAF rule set to the security policy

Add a WAF rule set to my-security-policy enabling the OWASP_CRS rule set with default action deny and priority 2000.

GCP

gcloud compute security-policies create my-security-policy --description="Security policy to protect my website"
gcloud compute security-policies rules create 1000 --security-policy=my-security-policy --expression="origin.ip == '203.0.113.5'" --action=deny --description="Block traffic from IP 203.0.113.5"
# Add WAF rule set OWASP_CRS with deny action
# Your code here

Need a hint?

Use gcloud compute security-policies rules create with priority 2000, --expression="evaluatePreconfiguredWAF('OWASP_CRS')", and --action="deny(403)".

Attach the security policy to the backend service

Attach the my-security-policy to the backend service named my-backend-service using the gcloud command.

GCP

gcloud compute security-policies create my-security-policy --description="Security policy to protect my website"
gcloud compute security-policies rules create 1000 --security-policy=my-security-policy --expression="origin.ip == '203.0.113.5'" --action=deny --description="Block traffic from IP 203.0.113.5"
gcloud compute security-policies rules create 2000 --security-policy=my-security-policy --expression="evaluatePreconfiguredWAF('OWASP_CRS')" --action="deny(403)" --description="Enable OWASP CRS WAF rule set"
# Attach the security policy to backend service my-backend-service
# Your code here

Need a hint?

Use gcloud compute backend-services update my-backend-service --security-policy=my-security-policy --global to attach the policy.