This lab will guide you through the process of creating a Cloud Armor policy, which will be used to protect against a simulated distributed denial-of-service (DDoS) attack.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Set Up Your Load Balanced Application
- Open Cloud Shell.
- Enter the following command to download and run a script that automatically builds your load balanced application, along with the ddos-attack instance:

wget https://raw.githubusercontent.com/ACloudGuru-Resources/gcp-network-engineer/main/cloud-armor-lab-setup.sh && source cloud-armor-lab-setup.sh

- After waiting about 5 minutes, browse to the frontend IP address (printed at the end of the script) to open the load balanced application's webpage.
- Be sure to copy/paste the frontend IP address (or write it down), as you will need to refer to it later.
- Begin Simulated DDoS Attack
In the web console, select Compute Engine from the top-left menu.
- SSH into the ddos-attack instance.
- Enter the following command to use ab (ApacheBench) to open 1000 concurrent connections to the application, substituting your frontend IP address for <YOUR_FRONTEND_IP>:

ab -n 10000000 -c 1000 http://<YOUR_FRONTEND_IP>/

- Once the command has run, wait a few minutes for your ddos-attack instance to generate traffic and create metrics, and then return to the web console.
- View Load Balancer Backend Traffic
- Go to your load balancer page by selecting Network Services > Load Balancing in the top-left menu.
- Select the BACKENDS tab.
- Select http-backend.
- You should be able to view the metrics for the backend traffic distribution. If you refresh your page every few minutes, the backend distribution will shift between regions as one region becomes overwhelmed, causing the load balancer to redistribute traffic to the other region.
- Create a Cloud Armor Policy to Deny Traffic from the ‘ddos-attack’ Instance
- In Compute Engine, copy the external IP address of the ddos-attack instance.
- In the web console, select Network Security > Cloud Armor in the top-left menu.
- Create a policy named block-ddos.
- Set the Default rule action to Allow.
- Click NEXT STEP.
- Click ADD RULE.
- In the Match field, paste the external IP address of the ddos-attack instance.
- Set Action to Deny.
- Set Deny status to 403 (Forbidden).
- Set Priority to 1000.
- Click DONE.
- Click NEXT STEP.
- Click ADD TARGET.
- Under Type, select Load balancer backend service (should be the default).
- Under Target, select http-backend.
- Click CREATE POLICY.
- View Logs and Results
- Wait a few minutes for new logs to generate.
- In the Cloud Armor menu, select your block-ddos policy.
- Select the LOGS tab.
- Click View policy logs, which should open Stackdriver Logging for your Cloud HTTP Load Balancer requests.
- Click the Jump to now button to jump to the latest records.
- Expand a recent record (it should be in an error state), then click the Expand nested fields button.
- Confirm that the logged external IP matches the ddos-attack instance.
- Under the jsonPayload field, there should be a sub-field named enforcedSecurityPolicy. If you do not see this field, wait a few more minutes, then click Jump to now again to jump to the latest records.
- View the enforcedSecurityPolicy field. It should confirm that the request from your instance was denied by the block-ddos policy.
- Go back to your load balancer backend and confirm that traffic requests have been reduced.
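The Cloud Armor policy steps and the log check above, as an added gcloud script that is not part of the lab: it creates the block-ddos policy (whose default rule allows), adds the deny-403 rule at priority 1000 for the ddos-attack instance's external IP, attaches the policy to http-backend, and then reads the load balancer log entries where enforcedSecurityPolicy names block-ddos. It assumes the lab's resource names and an authenticated gcloud session; DRY_RUN and DDOS_ATTACK_IP are this script's own variables, and 203.0.113.10 is a constructed sample address.

```shell
#!/usr/bin/env sh
# Added example, not part of the lab: gcloud equivalent of the console steps.
# Set DRY_RUN=1 to print the gcloud commands instead of running them.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "gcloud $*"
  else
    gcloud "$@"
  fi
}

# Accept only a dotted-quad IPv4 address with an optional /CIDR suffix, so a
# stray paste from the console cannot become a bogus match rule.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Create the policy, add the deny rule for the attacker IP, attach to backend.
create_block_policy() {
  attacker_ip="$1"
  valid_ipv4 "$attacker_ip" || { echo "invalid IPv4: $attacker_ip" >&2; return 1; }
  # A new policy gets a default rule (priority 2147483647) with action allow,
  # matching the "Default rule action: Allow" console setting.
  run compute security-policies create block-ddos \
      --description "Lab: deny traffic from the ddos-attack instance"
  run compute security-policies rules create 1000 \
      --security-policy block-ddos \
      --src-ip-ranges "$attacker_ip" \
      --action deny-403
  run compute backend-services update http-backend \
      --security-policy block-ddos --global
}

# Recent load balancer requests on which block-ddos enforced a decision:
# the client IP and the outcome (DENY for the attacker once the rule applies).
show_policy_logs() {
  run logging read \
      'resource.type="http_load_balancer" AND jsonPayload.enforcedSecurityPolicy.name="block-ddos"' \
      --limit 10 \
      --format 'value(httpRequest.remoteIp,jsonPayload.enforcedSecurityPolicy.outcome)'
}

if [ -n "${DDOS_ATTACK_IP:-}" ]; then
  create_block_policy "$DDOS_ATTACK_IP" && show_policy_logs
fi
```

Run it as `DDOS_ATTACK_IP=<ddos-attack external IP> sh block-ddos.sh`; the log query can take a few minutes to show entries, as in the console steps.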