Protecting Google Cloud VPC Resources with Cloud Armor

45 minutes

About this Hands-on Lab

This lab will guide you through the process of creating a Cloud Armor policy, which will be used to protect against a simulated distributed denial of service (DDoS) attack.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Set up your load balanced application

  • Open Cloud Shell
  • Enter the following command to download and run a script that will automatically build your load balanced application, along with a ddos-attack instance

gsutil cp gs://acg-gcp-labs-resources/network-engineer/cloud-armor-lab-setup.sh . && source cloud-armor-lab-setup.sh

  • After waiting about 5 minutes, browse to the frontend IP address (provided at the end of the script) to confirm the load balanced application webpage loads.
  • Be sure to copy/paste the frontend IP address (or write it down), as we will need to refer to it later.
Begin simulated DDoS attack
  • From the web console, go to the top left menu — Compute Engine
    • SSH into ddos-attack instance
    • Enter the below command to open 1000 concurrent connections to the application.
    • Substitute your frontend IP address for (your-frontend-ip)

ab -n 10000000 -c 1000 http://(your-frontend-ip)/

  • Allow the command to run, and go back to your web console.
View load balancer backend traffic

Now that our attack is underway, let’s check on how our load balancer is handling the flood of traffic.

  • Wait a few minutes for your ddos-attack instance to generate traffic and have metrics created
  • Go to your load balancer page by going to the top left menu – Network Services – Load Balancing
  • Select the Backends tab
  • Select http-backend
  • You should be able to view metrics of backend traffic distribution. If you refresh your page every few minutes, the backend distribution will shift between regions as one region becomes overwhelmed, causing the load balancer to redistribute traffic to the other region
Create a Cloud Armor policy to deny traffic from our `ddos-attack` instance
  • Go to Compute Engine, and copy the external IP address of our ddos-attack instance
  • From the web console top left menu, go to Network Security – Cloud Armor
  • Create a policy
  • Name the policy ‘ddos-block’
  • Set Default rule action to Allow
  • Click Next Step
  • Click Add rule
  • In the ‘Match’ field, paste the external IP address of your ddos-attack instance
  • Set Action to Deny
  • Set Deny status to 403 (Forbidden)
  • Set Priority to 1000
  • Click Done
  • Click Next Step
  • Click Add Target
  • Under Type, select Load balancer backend service (should be default)
  • Under Target, select http-backend
  • Click Done
  • Click Create Policy
View logs and results
  • Wait a few minutes for new logs to generate
  • In the Cloud Armor menu, select your ‘ddos-block’ policy
  • Select the Logs tab
  • Click View policy logs, which should open a new tab in Cloud Logging for your HTTP Load Balancer logs
  • Click the Jump to now button to jump to the latest records.
  • Expand a recent record (should be in an error state), then select Expand all on the right side.
    • Confirm that the logged external IP matches your ddos-attack instance
  • Under the field jsonPayload, there should be a sub-field for enforcedSecurityPolicy. If you do not see this field, wait a few more minutes, then click Jump to now again to jump to the latest records.
  • View enforcedSecurityPolicy fields. It should provide confirmation that the traffic request from your instance was denied due to the ‘ddos-block’ policy.
  • Go back to your load balancer backend and confirm that traffic requests have been reduced.
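
Once the policy logs are exported as JSON (for example with gcloud logging read and --format=json), a short script can confirm the result instead of eyeballing records one at a time. The following is an added example, not part of the lab or of Cloud Armor itself; the log entries are constructed to mirror the HTTP Load Balancer record shape, and the IP addresses are placeholders standing in for your ddos-attack instance and a legitimate client.

```python
import json
from collections import defaultdict

# Constructed sample entries shaped like HTTP(S) Load Balancer log records.
# 203.0.113.10 plays the ddos-attack instance; 198.51.100.7 is a normal client.
SAMPLE_LOGS = json.loads("""[
 {"httpRequest": {"remoteIp": "203.0.113.10", "status": 403},
  "jsonPayload": {"enforcedSecurityPolicy": {"name": "ddos-block", "outcome": "DENY",
                  "priority": 1000, "configuredAction": "DENY"}}},
 {"httpRequest": {"remoteIp": "203.0.113.10", "status": 200},
  "jsonPayload": {}},
 {"httpRequest": {"remoteIp": "198.51.100.7", "status": 200},
  "jsonPayload": {"enforcedSecurityPolicy": {"name": "ddos-block", "outcome": "ACCEPT",
                  "priority": 2147483647, "configuredAction": "ACCEPT"}}}
]""")

def summarize(entries):
    """Count outcomes per client IP: DENY, ACCEPT, or UNENFORCED (no policy field)."""
    counts = defaultdict(lambda: {"DENY": 0, "ACCEPT": 0, "UNENFORCED": 0})
    for e in entries:
        ip = e.get("httpRequest", {}).get("remoteIp", "unknown")
        policy = e.get("jsonPayload", {}).get("enforcedSecurityPolicy")
        outcome = policy.get("outcome", "UNENFORCED") if policy else "UNENFORCED"
        counts[ip][outcome] += 1
    return dict(counts)

def verify_block(entries, attacker_ip, policy_name, expected_status=403):
    """Classify every request from attacker_ip as denied (by policy_name with the
    expected status), unenforced (no enforcedSecurityPolicy field yet, which the
    lab notes can happen while logs lag), or leaked (reached the backend anyway).
    The block is confirmed when something was denied and nothing leaked."""
    result = {"denied": 0, "unenforced": 0, "leaked": 0}
    for e in entries:
        req = e.get("httpRequest", {})
        if req.get("remoteIp") != attacker_ip:
            continue
        policy = e.get("jsonPayload", {}).get("enforcedSecurityPolicy")
        if policy is None:
            result["unenforced"] += 1
        elif (policy.get("name") == policy_name and policy.get("outcome") == "DENY"
              and req.get("status") == expected_status):
            result["denied"] += 1
        else:
            result["leaked"] += 1
    result["confirmed"] = result["denied"] > 0 and result["leaked"] == 0
    return result

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOGS), indent=2))
    print(json.dumps(verify_block(SAMPLE_LOGS, "203.0.113.10", "ddos-block"), indent=2))
```

Point it at real exported entries by replacing SAMPLE_LOGS with the parsed gcloud output and attacker_ip with the external IP you copied from the ddos-attack instance.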

Additional Resources

Cloud Armor is an amazing service that is capable of blocking malicious distributed denial of service (DDoS) attacks at its source, along with many other use case scenarios. In this lab, we will use a pre-created script to create a load balanced application. We will then attack our application with a flood of traffic and use Cloud Armor to block the malicious traffic, enabling proper operation of our website.
