Google Cloud Armor

Google Cloud Armor is a security service that Google Cloud Platform (GCP) provides to protect web applications and services from various types of cyber threats, such as distributed denial of service (DDoS) attacks and application-layer attacks. Google Cloud Armor includes a Web Application Firewall (WAF) as one of its features. A Web Application Firewall is designed to protect web applications from various security threats, such as SQL injection, cross-site scripting (XSS), and other malicious activities targeting web applications. Traceable's integration with Google Cloud Armor WAF supports the following two types of rules:

• IP range rules

• Threat actor

The following is a high-level integration diagram:

Make a note of the following points regarding threat actor and IP range blocking:

• Threat actor - Any status change of threat actor on the Traceable Platform is propagated to Cloud Armor. For example, if Traceable detects a threat actor and changes it to a deny state, then the requests from this threat actor can be blocked using Cloud Armor. Moreover, if you make any changes, for example, adding a threat actor to allowlist or resolving the status, then such changes are reflected in Cloud Armor in a few minutes.

• IP-range blocking - If you configure any custom rules to enforce blocking or allow action to be executed through Cloud Armor.

Traceable recommends going through allow list conditions before creating any IP-range rules. For more information, see IP address allowlist.

Configuration

Google Cloud Armor WAF is driven by security policy. A security policy is a set of rules that define how traffic should be handled by the Web Application Firewall (WAF) and other security features. Security policies allow you to specify criteria and actions to protect your web applications from various attacks and security threats.

To integrate Traceable with Google Cloud Armor, make sure that you have already created a security policy for Traceable in Google Cloud Armor. This security policy is used to integrate Traceable with Cloud Armor. You can read the following two articles for more information on Google's security policy and how to configure the policy:

• Security policy overview

• Configure security policies

Information required from Cloud Armor security policy

Make a note of the following from Google’s security policy:

• Name of the security policy.

• Whether the policy is regional or global.

• The policy can be a Backend security policy or an Edge security policy.

• The configured response code.

Roles required

Following is a list of roles that are required for the integration:

• compute.securityPolicies.get

• compute.securityPolicies.list

• compute.securityPolicies.use

• compute.securityPolicies.update

• compute.securityPolicies.delete

• compute.backendServices.setSecurityPolicies

• compute.regionSecurityPolicies.create

• compute.regionSecurityPolicies.delete

• compute.regionSecurityPolicies.get

• compute.regionSecurityPolicies.list

• compute.regionSecurityPolicies.update

Configurations in Traceable

Navigate to Integrations → WAF → Google Cloud Armor card and click on Configure to complete the configuration steps.

Configure the following values:

• Integration name - Provide a name for the integration.

• Description - Describe this integration.

• Environments - You can choose one or more Traceable environments to integrate Cloud Armor.

• Google Cloud Armor Project ID - Every Google project has a unique project ID assigned to it. Configure that project ID in this field.

• Service account key - A service account key, also known as a JSON key file or a service account key file, is a file that contains the credentials and information needed to authenticate a service account in the Google Cloud Platform (GCP). This key file is typically provided in JSON format and includes a private key, allowing the service account to prove its identity and access GCP resources. For more information on how to create a service account key, see Create Service Account Key. Make sure that the service account key is created with roles mentioned in the Roles Required section.

• Policy name - Provide the name you configured in the Cloud Armor security policy.

• Policy type - The type of policy that you configured in Cloud Armor security policy. A policy can be:

  • Global security policy

  • Regional security policy - If the security policy is regional, then provide the region also. This should exactly match your configuration in Cloud Armor.

• Blocking action response code - Select the response code from the drop-down list. This should match the response code you configured in the security policy in Cloud Armor.

Click on Test Connection to test the connection. Only after a successful connection is the Save button enabled.

Note the following points with respect to the integration:

• Traceable assigns a priority to each rule. Make sure that this priority is not changed in Cloud Armor security policy.

• If you are creating an IP range rule in Traceable, then there is a limit of 10 IP addresses in a single rule. If you have more than 10 IP addresses in a rule, the first 10 IP addresses are considered, and the rest are ignored.

• If you delete the integration, the security policy in Cloud Armor gets deleted. However, if you do not wish the policy to be deleted, do not add compute.securityPolicies.delete role to the service account key. However, if your security policy is attached to a target, for example, a virtual load balancer, the policy would not be deleted.

Upon successful integration, you will see the Traceable-created rules as part of your Google Cloud Armor security policy.