Protecting Google Cloud VPC Resources with Cloud Armor

45 minutes
  • 5 Learning Objectives

About this Hands-on Lab

This lab will guide you through the process of creating a Cloud Armor policy, which will be used to protect against a simulated distributed denial-of-service (DDoS) attack.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Set Up Your Load Balanced Application
  • Open Cloud Shell.

  • Enter the following command to download and run a script that automatically builds your load-balanced application, along with the ddos-attack instance:

    wget https://raw.githubusercontent.com/ACloudGuru-Resources/gcp-network-engineer/main/cloud-armor-lab-setup.sh && source cloud-armor-lab-setup.sh

  • After about 5 minutes, browse to the frontend IP address (printed at the end of the script) to open the load-balanced application's webpage.

  • Be sure to copy/paste the frontend IP address (or write it down) as you will need to refer to it later.

Begin Simulated DDoS Attack
  • In the web console, select Compute Engine from the top-left menu.
  • SSH into the ddos-attack instance.
  • Enter the following command to open 1000 concurrent connections to the application, substituting your frontend IP address for <YOUR_FRONTEND_IP>:

    ab -n 10000000 -c 1000 http://<YOUR_FRONTEND_IP>/

  • Once the command is running, wait a few minutes for your ddos-attack instance to generate traffic and create metrics, and then return to the web console.

View Load Balancer Backend Traffic
  • Go to your load balancer page by selecting Network Services > Load Balancing in the top-left menu.
  • Select the BACKENDS tab.
  • Select http-backend.
  • You should be able to view the metrics for the backend traffic distribution. If you refresh the page every few minutes, the backend distribution will shift between regions as one region becomes overwhelmed, causing the load balancer to redistribute traffic to the other region.

Create a Cloud Armor Policy to Deny Traffic from the ‘ddos-attack’ Instance
  • In Compute Engine, copy the external IP address of the ddos-attack instance.
  • In the web console, select Network Security > Cloud Armor in the top-left menu.
  • Create a policy named block-ddos.
  • Set the Default rule action to Allow.
  • Click NEXT STEP.
  • Click ADD RULE.
  • In the Match field, paste the external IP address of the ddos-attack instance.
  • Set Action to Deny.
  • Set Deny status to 403 (Forbidden).
  • Set Priority to 1000.
  • Click DONE.
  • Click NEXT STEP.
  • Click ADD TARGET.
  • Under Type, select Load balancer backend service (should be the default).
  • Under Target, select http-backend.
  • Click CREATE POLICY.

View Logs and Results
  • Wait a few minutes for new logs to generate.
  • In the Cloud Armor menu, select your block-ddos policy.
  • Select the LOGS tab.
  • Click View policy logs, which should open Stackdriver Logging for your Cloud HTTP Load Balancer requests.
  • Click the Jump to now button to jump to the latest records.
  • Expand a recent record (it should be in an error state), then click the Expand nested fields button.
  • Confirm that the logged external IP matches the ddos-attack instance.
  • Under the field jsonPayload, there should be a sub-field for enforcedSecurityPolicy. If you do not see this field, wait a few more minutes, then click Jump to now again to jump to the latest records.
  • View the enforcedSecurityPolicy field. It should provide confirmation that the traffic request from your instance was denied due to the block-ddos policy.
  • Go back to your load balancer backend and confirm that traffic requests have been reduced.
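The same block-ddos policy, built from the command line instead of the web console, as an added example that is not part of the lab or its setup script. It assumes the lab's global backend service is named http-backend, that the ddos-attack instance's external address is passed as the first argument, and that gcloud is already authenticated; the last function pulls the load balancer log entries that Cloud Armor denied under the policy, which is the check the LOGS tab walks you through.

```shell
#!/usr/bin/env sh
# Added example (not the lab's own code): create the block-ddos policy with gcloud.
# Assumptions: backend service is http-backend (global); $1 is the attacker IPv4.
set -eu

GCLOUD="${GCLOUD:-gcloud}"   # set GCLOUD=echo to dry-run the commands
POLICY="block-ddos"
BACKEND="http-backend"

# Accept only a dotted-quad IPv4 address before it is placed in a rule.
valid_ipv4() {
  ip=$1
  case "$ip" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  n=0
  oldifs=$IFS; IFS=.
  for octet in $ip; do
    n=$((n+1))
    [ "$octet" -le 255 ] 2>/dev/null || { IFS=$oldifs; return 1; }
  done
  IFS=$oldifs
  [ "$n" -eq 4 ]
}

create_block_policy() {
  src_ip=$1
  valid_ipv4 "$src_ip" || { echo "not an IPv4 address: $src_ip" >&2; return 1; }
  # The policy's default rule stays Allow, matching the lab's console settings.
  "$GCLOUD" compute security-policies create "$POLICY" \
    --description "Deny the ddos-attack instance"
  # Priority 1000, deny with 403 (Forbidden), match only the attacker's /32.
  "$GCLOUD" compute security-policies rules create 1000 \
    --security-policy "$POLICY" \
    --src-ip-ranges "${src_ip}/32" \
    --action deny-403
  # Attach the policy to the load balancer backend service (the lab's target).
  "$GCLOUD" compute backend-services update "$BACKEND" \
    --security-policy "$POLICY" --global
}

# Recent load balancer requests denied under this policy: source IP and status.
show_denied_requests() {
  "$GCLOUD" logging read \
    "resource.type=\"http_load_balancer\" AND jsonPayload.enforcedSecurityPolicy.name=\"${POLICY}\" AND jsonPayload.enforcedSecurityPolicy.outcome=\"DENY\"" \
    --limit 5 --format "value(httpRequest.remoteIp,httpRequest.status)"
}
```

Run it as `sh script.sh` after defining a call such as `create_block_policy <DDOS_ATTACK_EXTERNAL_IP>`; a denied entry should show status 403 from that address.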

Additional Resources

Cloud Armor is an amazing service that can block malicious distributed denial-of-service (DDoS) attacks at their source, along with many other use cases. In this lab, you will use a pre-created script to build a load-balanced application. You will then flood your application with traffic and use Cloud Armor to block the malicious traffic, restoring normal operation of your website.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
