This lab will guide you through the process of creating a Cloud Armor policy, which will be used to protect against a simulated distributed denial of service (DDoS) attack.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Set up your load balanced application
  - Open Cloud Shell.
  - Enter the following command to download and run a script that will automatically build your load balanced application, along with the `ddos-attack` instance:
    gsutil cp gs://acg-gcp-labs-resources/network-engineer/cloud-armor-lab-setup.sh . && source cloud-armor-lab-setup.sh
  - After waiting about 5 minutes, access the frontend IP address (provided at the end of the script) to view the load balanced application webpage.
  - Be sure to copy/paste the frontend IP address (or write it down), as we will need to refer to it later.
- Begin simulated DDoS attack
  - From the web console, go to the top left menu – Compute Engine.
  - SSH into the `ddos-attack` instance.
  - Enter the below command to open 1000 concurrent connections to the application. Substitute your frontend IP address for (your-frontend-ip):
    ab -n 10000000 -c 1000 http://(your-frontend-ip)/
  - Allow the command to run, and go back to your web console.
- View load balancer backend traffic
  Now that our attack is underway, let's check on how our load balancer is handling the flood of traffic.
  - Wait a few minutes for your `ddos-attack` instance to generate traffic and have metrics created.
  - Go to your load balancer page by going to the top left menu – Network Services – Load Balancing.
  - Select the Backends tab.
  - Select `http-backend`.
  - You should be able to view metrics of backend traffic distribution. If you refresh your page every few minutes, the backend distribution will shift between regions as one region becomes overwhelmed, causing the load balancer to redistribute traffic to the other region.
- Create a Cloud Armor policy to deny traffic from our `ddos-attack` instance
  - Go to Compute Engine, and copy the external IP address of our `ddos-attack` instance.
  - From the web console top left menu, go to Network Security – Cloud Armor.
  - Create a policy.
  - Name the policy ‘ddos-block’.
  - Set Default rule action to Allow.
  - Click Next Step.
  - Click Add rule.
  - In the ‘Match’ field, paste the external IP address of your `ddos-attack` instance.
  - Set Action to Deny.
  - Set Deny status to 403 (Forbidden).
  - Set Priority to 1000.
  - Click Done.
  - Click Next Step.
  - Click Add Target.
  - Under Type, select Load balancer backend service (should be default).
  - Under Target, select `http-backend`.
  - Click Done.
  - Click Create Policy.
- View logs and results
  - Wait a few minutes for new logs to generate.
  - In the Cloud Armor menu, select your `ddos-block` policy.
  - Select the Logs tab.
  - Click View policy logs, which should open a new tab in Cloud Logging for your HTTP Load Balancer logs.
  - Click the Jump to now button to jump to the latest records.
  - Expand a recent record (it should be in an error state), then select Expand all on the right side.
  - Confirm that the logged external IP matches your `ddos-attack` instance.
  - Under the field jsonPayload, there should be a sub-field enforcedSecurityPolicy. If you do not see this field, wait a few more minutes, then click Jump to now again to jump to the latest records.
  - View the enforcedSecurityPolicy fields. They should confirm that the requests from your instance were denied due to the ‘ddos-block’ policy.
  - Go back to your load balancer backend and confirm that traffic requests have been reduced.
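The log check above is done by hand in the console. As an added example that is not part of the lab, the Python below performs the same check over exported log entries: it confirms that requests from the attacking instance's IP carry an enforcedSecurityPolicy of ‘ddos-block’ with outcome DENY, flags entries that predate policy enforcement (the "wait a few more minutes" case), and flags denials of any other IP. The sample entries and both IP addresses are constructed; the field layout (httpRequest.remoteIp, jsonPayload.enforcedSecurityPolicy with name/outcome/priority/configuredAction) is assumed to follow the HTTP load balancer log format.

```python
import json
from collections import Counter

# Constructed sample: four HTTP(S) Load Balancer log entries, one JSON object
# per line, as Cloud Logging exports them (field names assumed from the load
# balancer / Cloud Armor log format). 203.0.113.10 stands in for the
# ddos-attack instance; 198.51.100.7 is an ordinary visitor.
SAMPLE_LOG = """
{"httpRequest": {"remoteIp": "203.0.113.10", "status": 403}, "jsonPayload": {"statusDetails": "denied_by_security_policy", "enforcedSecurityPolicy": {"name": "ddos-block", "outcome": "DENY", "priority": 1000, "configuredAction": "DENY"}}}
{"httpRequest": {"remoteIp": "203.0.113.10", "status": 403}, "jsonPayload": {"statusDetails": "denied_by_security_policy", "enforcedSecurityPolicy": {"name": "ddos-block", "outcome": "DENY", "priority": 1000, "configuredAction": "DENY"}}}
{"httpRequest": {"remoteIp": "198.51.100.7", "status": 200}, "jsonPayload": {"statusDetails": "response_sent_by_backend", "enforcedSecurityPolicy": {"name": "ddos-block", "outcome": "ACCEPT", "priority": 2147483647, "configuredAction": "ALLOW"}}}
{"httpRequest": {"remoteIp": "203.0.113.10", "status": 200}, "jsonPayload": {"statusDetails": "response_sent_by_backend"}}
"""

def parse_entries(text):
    """Parse newline-delimited JSON log entries into dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def summarize_policy_hits(entries, attacker_ip, policy_name):
    """Tally how policy_name handled traffic from attacker_ip.

    denied       - attacker requests denied by policy_name
    allowed      - attacker requests the policy let through (rule not matching)
    unenforced   - attacker requests with no enforcedSecurityPolicy field yet,
                   i.e. logged before the policy was attached to the backend
    other_denied - denials of IPs other than the attacker (collateral blocking)
    """
    counts = Counter()
    for entry in entries:
        ip = entry.get("httpRequest", {}).get("remoteIp")
        esp = entry.get("jsonPayload", {}).get("enforcedSecurityPolicy")
        if ip == attacker_ip:
            if esp is None:
                counts["unenforced"] += 1
            elif esp.get("name") == policy_name and esp.get("outcome") == "DENY":
                counts["denied"] += 1
            else:
                counts["allowed"] += 1
        elif esp is not None and esp.get("outcome") == "DENY":
            counts["other_denied"] += 1
    return {k: counts[k] for k in ("denied", "allowed", "unenforced", "other_denied")}

def policy_is_effective(summary):
    """True once the attacker is being denied and nothing else looks wrong."""
    return (summary["denied"] > 0 and summary["allowed"] == 0
            and summary["unenforced"] == 0 and summary["other_denied"] == 0)

if __name__ == "__main__":
    summary = summarize_policy_hits(parse_entries(SAMPLE_LOG), "203.0.113.10", "ddos-block")
    print(summary, "effective:", policy_is_effective(summary))
```

With the sample as given the last entry is still unenforced, so the check reports the policy as not yet effective; once only denied entries remain for the attacker IP it reports success.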