Google Cloud Armor setup for non-default web port

Lets assume we have an external web application hosted in Google cloud. Our web application has custom module running on port which is different than our standard HTTPS port 443. As the application must be exposed on Internet we need to make sure we can protect it as much as possible. For that reason we are going to use google’s web application firewall, Google Cloud Armor.

In this post we will create all required things to setup the scenario and make appropriate configuration. Steps we are going to do are the following:

  1. Configure VM used as web application server
  2. Create instance group for the VM – later used in backend service of the Load Balancer
  3. Configure Health Check for the Load Balancer
  4. Create Load Balancer
  5. Create Google Cloud Armor policy

All above steps are needed so we can have Google Cloud Armor working. If you are wondering why here is the clue. Cloud armor target must be load balancer, To create load balancer you need health check to make sure VMs are online. Backend service of the load balancer must be an instance group.

  1. Configuring VM

Configuration of VM in GCP is easy. Go to Compute Engine -> VM instances to create one. For our purpose we are going to use basic VM with lowest shared core so we don’t pay a lot. It will be important to have an external IP address for the VM so we can access the web server. Under Network interface, External IP field make sure you have selected “Ephemeral” or create IP address for your VM. This will be the public IP address of the VM.

Click on Create and the VM will be created. The VM will be started immediately and it will look like this:

Once we have the VM running we can click on SSH to connect to the VM and setup our test web server who will server as web application. We will create simple index.html in one directory and run web server pointing to that file. To start simple python web server running on port 8888 we can use the following command

python3 -m http.server 8888

This is what our VM index.html file and web server setup looks like, plus successful access log to that web site.

To summarise we have created VM in GCP with a public IP and we have configured web server to run on port 8888. Access is successful as shown in our browser request.

2. Create instance group

We will need to create instance group from our existing terminal-ovh VM we have already created. For that purpose we need to go to Compute Engine -> Instance group and click on create instance group. On the left side select New unmanaged instance group, set name for your instance group, select the region where our previously created VM is deployed in our case is europe-west3-c and then select the VM under VM instances and click Create.

3. Health check setup

Go to Compute Engine -> Health Checks and click on create health check. We can setup a name and set everything to default. This health check will be use to monitor if our VM is up and running. Default settings are fine for the purpose of this setup.

When health check is created is important for us to setup some firewall rules. Google is using probes to check if the VMs are online. Probes are using and ranges. For that reason we will create Ingress firewall rule on port 80 based on out health check configuration. Firewall rule will look like this:

4. Load Balancer

Last step that we need before configuring Google Cloud Armor policy is to setup the Load Balancer. We are going to create HTTP(S) load balancer. In GPC to go Network services -> Load balancing and under HTTP(S) Load Balancing click on Start configuration. First option is to select the type and in our case will be From Internet to my VMs.

Select name for the load balancer and continue on configuring the 3 steps of the HTTP(S) load balancer:

  • backend configuration
  • host and path rules
  • front end configuration

Under backend configuration we will need to create new backend service. This backend service type will be instance group, the same group we have created before. It is important to set port number for the instance group. In our case we are going to use port number 8888. This is how the new backend service looks like:

Before creating it we will need to also link our health check service. Once linked we can click on create.

Host and path rules are not required for our scenario so we will leave it blank and continue forward with our front end configuration.

Front end configuration of the load balancer will replace the direct public IP address of the VM. We are going to use this public IP address to access our web server once it is created. Select name for the front end and we can leave everything to default at this step.

Click on done and we can review our load balancer configuration which looks like this:

Once the load balancer is created we are able to review the front end configuration and see the public IP address.

If we want to access our web application now, instead to use the public IP of the web server we can use the load balancer front end IP address.

With this simple load balancer configuration we succeed to route our public traffic from the load balancer to our server on non-default port, in our case 8888. Accessing our site now using load balancer public IP we will be routed to our webpage site on port 8888.

Load balancer settings can be use to direct different traffic based on your needs. For example if on our webserver we have site under /HrSite/ directory running on port 8443 we can easily create new backend service for port 8443 and in our Host and Path rules in Load Balancer configuration we can add this directory and link it with our 8443 backend service.

5. Google Cloud Armor

Nothing is secure now if we don’t have configured our Google Cloud Armor policy. Search for Cloud Armor in the search bar and click on Create policy.

In the first section write your Cloud Armor policy name, select your default rule action, in our case as we want to protect our side rule action will be Deny and from our deny status we can select whatever we prefer. Under second section for a test we will not put any allow IPs now and for our policy target we will select our previously configured backend service in our Load Balancer. We can click on create policy and our Google Cloud Armor policy will be created.

It can take up to 5 minutes for the Cloud Armor policy to be applied. Once that time is passed we can try to reach our web site and see the output. Because we don’t have any allow rule in our Cloud Armor policy we should be block by the policy and see 403 Forbidden message.

Our website now is protected using Google Cloud Armor policy. We can go back to our Cloud Armor policy and add more rules where we will allow specific IPs to access our publicly exposed website. Make sure you set higher priority for your allow rules, wait 5 minutes and see if you can access your website.

By default Cloud Armor has pre configured rules that you can use to protect your site from SQL injection, Cross-site scripting … full list can be found here and about pricing details you can check this link