Google Cloud Armor Integration


Google Cloud Armor is a security service that Google Cloud Platform (GCP) provides to protect web applications and services from various types of cyber threats, such as distributed denial of service (DDoS) attacks and application-layer attacks. Google Cloud Armor includes a Web Application Firewall (WAF) as one of its features. A WAF protects web applications from various security threats, such as SQL injection, cross-site scripting (XSS), and other malicious activities targeting web applications.

What will you learn in this topic?

By the end of this topic, you will be able to:

  • Understand Traceable threat management rules.

  • Understand the prerequisites for Google Cloud Armor integration.

  • Configure the Google Cloud Armor integration in Traceable.

  • Understand the custom signature rules supported operations.


Integration Overview

Traceable's integration with Google Cloud Armor WAF supports the following types of rules:

  • Malicious sources rule

  • Threat Actors’ status change

  • Custom signature rules

The following is a high-level integration diagram:

Traceable Google Cloud Armor Integration Diagram

This section provides high-level information on integrating Google Cloud Armor (GCA) WAF with your environment and managing threats.

  1. Integration Setup — After deploying the agent, you can retrieve the credentials and configure the Google Cloud Armor integration. To do so, you must complete the following steps:

    1. Prerequisites — Log in to the Google Cloud project that contains your Google Cloud Armor security policy and gather the credentials and policy details required to configure the integration. For more information, see Before you begin.

    2. Integrations —  Once you have the credentials from the above step, you can navigate to the Traceable platform and configure the integration. For more information, see Add new Google Cloud Armor integration.

  2. Threat Management — After setting up the integration, you can set up rules to allow, block, or monitor IP addresses according to your requirements. Traceable supports the following rules for the Google Cloud Armor integration:

    1. Threat Actors’ status change — Traceable tracks every status change of a threat actor and propagates it to Google Cloud Armor. For example, when Traceable detects a threat actor and changes its status to a deny state, requests from that threat actor can be blocked by Google Cloud Armor. For more information, see Threat actors.

    2. Malicious sources rule — Traceable allows you to create custom IP-range rules whose allow or block action is enforced through Google Cloud Armor. For more information, see Custom policy. Traceable recommends reviewing the allow list conditions before creating any IP-range rules, so that a block rule does not collide with a source you have allowlisted. For more information, see IP address allowlist.

    3. Custom signature rules — Traceable allows you to set up custom signature rules that block incoming requests to specific endpoints by matching request attributes such as the request path, HTTP method, headers, and cookies. For more information, see Custom Signature.


Before you begin

Make a note of the following before you proceed with Google Cloud Armor’s integration with Traceable.

  • Google Cloud Armor security policy — A security policy is an ordered set of rules, each with a priority, a match condition, and an action, that defines how the Web Application Firewall (WAF) and the other Google Cloud Armor features handle traffic. Security policies let you specify the criteria and actions that protect your web applications from attacks and other security threats.

    • Make sure you have the following from Google Cloud Armor security policy:

      • The Name of the security policy, for example, traceableai.

      • Whether the Scope of the policy is Regional or Global.

      • The configured Response code.

Google security policy configuration

  • Permissions required — The following IAM permissions must be granted to the service account used by the integration, for example, through a custom role that contains exactly these permissions. Grant no more than the integration needs; the two delete permissions are only required if you want Traceable to remove the security policy when the integration is deleted (see the Note below).

    • compute.securityPolicies.get

    • compute.securityPolicies.list

    • compute.securityPolicies.use

    • compute.securityPolicies.update

    • compute.securityPolicies.delete

    • compute.backendServices.setSecurityPolicies

    • compute.regionSecurityPolicies.create

    • compute.regionSecurityPolicies.delete

    • compute.regionSecurityPolicies.get

    • compute.regionSecurityPolicies.list

    • compute.regionSecurityPolicies.update

      For more information on Google Cloud Armor security policy, see Configure Cloud Armor security policies.

  • Google Cloud Armor Project ID — Every Google Cloud project has a unique project ID. Note the ID of the project that contains the security policy.

  • Service account key — A Service Account Key, also known as the JSON key, is a credentials file that authenticates a service account within Google Cloud Platform (GCP). It is required for secure, programmatic access to GCP services and is essential for configuring a Google Cloud integration. For more information, see Create Service Account Key. Make sure the service account that owns the key has been granted the permissions listed above. The JSON key is a long-lived credential that can modify your security policy, so store it in a secrets manager rather than in source control, restrict who can read it, and rotate it if you suspect it has been exposed.


Add new Google Cloud Armor integration

To add a new Google Cloud Armor integration, navigate to the Integrations page from the bottom left corner of your Traceable account, and do one of the following:

  • Search for Google Cloud Armor in the search bar.

  • Navigate to WAF → Google Cloud Armor.

Google Cloud Armor

Click Configure on the Google Cloud Armor tile and complete the following steps in the Add New Google Cloud Armor Integration window:

  1. Specify an Integration Name, for example, Google Cloud Armor integration.

  2. (Optional) Specify a description, such as GCA Traceable integration.

  3. Select one or more Traceable Environments from the Environments drop-down.

  4. Specify the Google Cloud Armor Project ID fetched above in the Before you begin section.

  5. Specify the Service account key fetched above in the Before you begin section.

  6. Specify the Policy Name configured in the Google Cloud Armor security policy, such as traceableai.

  7. Select the Policy type, Regional or Global, that matches the Scope of the Google Cloud Armor security policy you noted in the Before you begin section.

  8. Specify the Blocking Action Response Code from the drop-down list. This should match the response code you configured in the Google Cloud Armor security policy above in the Before you begin section, for example, 403.

  9. Click Test Connection. The Save button is enabled only after Traceable validates a successful connection.

Integration

Note

  • Traceable assigns a priority to each rule it creates. Do not change these priorities in the Google Cloud Armor security policy; Traceable relies on them to find and update its own rules.

  • A Malicious sources rule in Traceable is limited to 10 IP addresses. If a rule contains more than 10 IP addresses, only the first 10 are sent to Google Cloud Armor and the rest are silently ignored, so split a longer list across several rules.

  • If you delete the integration, Traceable also deletes the security policy in Google Cloud Armor. If you do not want the policy to be deleted, omit the compute.securityPolicies.delete permission (and, for a regional policy, compute.regionSecurityPolicies.delete) from the service account. A security policy that is still attached to a target, for example, a load balancer backend service, cannot be deleted and is left in place.

  • Only the public source IP address of the connection is matched. Client addresses carried in X-Forwarded-For (XFF) and X-Real-IP headers are not supported, so for traffic that arrives through a proxy or CDN the rules see the proxy's address, not the original client's.
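The 10-address limit above matters when a malicious source list is longer than one rule can carry. The following Python is an added example, not Traceable's or Google's code: it validates a constructed list of source addresses, drops duplicates and non-routable ranges that can never be the public source of a connection at the load balancer, and splits the remainder into deny rules of at most 10 source ranges each, one priority per rule, in the shape of the Cloud Armor security policy rule resource (SRC_IPS_V1 match with srcIpRanges). The starting priority, the rule descriptions and the sample addresses are constructed values.

```python
"""Batch malicious source addresses into Cloud Armor deny rules.

Added example for this page, not Traceable's or Google's code. It assumes the
10-source-range limit per rule stated above, the Cloud Armor rule shape
(match.versionedExpr = SRC_IPS_V1 with match.config.srcIpRanges, action
"deny(<code>)"), and a constructed starting priority.
"""
import ipaddress

MAX_RANGES_PER_RULE = 10  # per-rule limit quoted on this page

# Ranges that can never be the public source of a connection reaching the
# load balancer; Cloud Armor matches on that source IP, so they are dropped.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10",
)]


def _is_non_routable(net):
    return any(net.version == p.version and net.subnet_of(p) for p in _NON_ROUTABLE)


def normalize_ranges(raw):
    """Validate and canonicalize IPs/CIDRs, dropping duplicates and non-routable ranges.

    Raises ValueError on anything that is not an IP address or CIDR, so a
    malformed feed entry fails loudly instead of silently shrinking the rule.
    """
    seen, out = set(), []
    for item in raw:
        try:
            net = ipaddress.ip_network(item.strip(), strict=False)
        except ValueError as exc:
            raise ValueError(f"not an IP address or CIDR: {item!r}") from exc
        if _is_non_routable(net):
            continue
        key = net.with_prefixlen  # "203.0.113.1/32" style, the form Cloud Armor stores
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def build_deny_rules(ranges, base_priority=1000, response_code=403):
    """Split ranges into rules of at most MAX_RANGES_PER_RULE, one priority each.

    Priorities are consecutive from base_priority; lower numbers are evaluated
    first in Cloud Armor and must stay unique within the policy.
    """
    rules = []
    for start in range(0, len(ranges), MAX_RANGES_PER_RULE):
        chunk = ranges[start:start + MAX_RANGES_PER_RULE]
        rules.append({
            "priority": base_priority + len(rules),
            "action": f"deny({response_code})",
            "match": {"versionedExpr": "SRC_IPS_V1",
                      "config": {"srcIpRanges": chunk}},
            "description": f"malicious-sources-{len(rules) + 1}",  # constructed naming
        })
    return rules


# Constructed sample feed: 21 TEST-NET-3 hosts, one CIDR, one duplicate with
# stray whitespace, and one RFC 1918 address that could never match.
SAMPLE_SOURCES = ([f"203.0.113.{i}" for i in range(1, 22)]
                  + ["198.51.100.0/24", " 203.0.113.5 ", "10.0.0.7"])

if __name__ == "__main__":
    import json
    for rule in build_deny_rules(normalize_ranges(SAMPLE_SOURCES)):
        print(json.dumps(rule))
```

Each dictionary in the result is one rule body; the 22 surviving sample ranges become three rules at priorities 1000, 1001 and 1002. Keeping the priority block contiguous and unique is what lets the rules be replaced as a set later without disturbing rules that Traceable owns.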

Upon successful integration, you can see the Traceable-created rules as part of your Google Cloud Armor security policy.

Traceable created rules in GCA


Custom signature rules support matrix

Custom signature rules let you define precise security policies in Google Cloud Armor using the Common Expression Language (CEL). These rules evaluate specific request attributes, such as IP addresses, headers, URIs, and HTTP methods, to help protect your applications from unwanted or malicious traffic. For more information on attributes and expressions, see Google Cloud Armor Language Support. The Support Matrix table below describes the attributes and the supported operators you can use to create custom signature rules in Traceable.

Note

  • Google Cloud Armor has limitations on the maximum number of expressions that can be used to create a rule. For more information, see Google Cloud Armor Limits.

  • Google Cloud Armor supports a maximum of five sub expressions for each rule with a custom expression.

Support Matrix

Note

Make a note of the following points with respect to the minimum number of expressions required for the supported operations:

  • The HTTP Method, Request URL, and Request Header Name attributes require one expression each to create a rule in custom signatures.

  • The Request Header, Host, User-Agent, Cookie, Cookie Name, and Cookie Value attributes require two expressions each to create a rule in custom signatures.

Attribute | Supported Operators | Description
--- | --- | ---
HTTP Method | ==, !=, contains, !contains, matches, !matches | Matches HTTP methods such as GET and POST.
Request URL | ==, !=, contains, !contains, matches, !matches | Matches the request path (excluding the query string).
Request Header Name | ==, != | Matches specific header names.
Request Header | ==, !=, contains, !contains, matches, !matches | Matches specific header key-value pairs.
Host | ==, !=, contains, !contains, matches, !matches | Matches the Host header of the request.
User-Agent | ==, !=, contains, !contains, matches, !matches | Matches the User-Agent header.
Cookie | ==, !=, contains, !contains, matches, !matches | Matches cookie key-value pairs.
Cookie Name | ==, !=, contains, !contains, matches, !matches | Matches cookie names.
Cookie Value | ==, !=, contains, !contains, matches, !matches | Matches cookie values.
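To see how the expression counts in the notes above add up against the five-sub-expression limit, here is an added Python example, not Traceable's or Google's code, that renders rows of the support matrix into a Cloud Armor CEL match expression and refuses rules that would need more than five sub-expressions. It assumes that the two-expression attributes are rendered as a has() presence guard plus the comparison itself, uses request.method, request.path and request.headers[...] as the CEL attributes, and leaves out Cookie Name and Cookie Value because the page does not say how they map onto the Cookie header. The sample conditions are constructed.

```python
"""Render support-matrix conditions into a Cloud Armor CEL expression.

Added example for this page, not Traceable's or Google's code. Assumptions:
two-expression attributes become a has() presence guard plus the comparison;
the CEL attributes are request.method, request.path and request.headers[...];
Cookie Name / Cookie Value are omitted because their mapping onto the Cookie
header is not described on this page.
"""
import re

MAX_SUBEXPRESSIONS = 5  # per-rule limit quoted on this page

_ALL_OPS = ("==", "!=", "contains", "!contains", "matches", "!matches")

# attribute -> (CEL target, sub-expressions it costs, allowed operators);
# the costs follow the note above (one expression vs. two).
ATTRIBUTES = {
    "HTTP Method":         ("request.method", 1, _ALL_OPS),
    "Request URL":         ("request.path", 1, _ALL_OPS),
    "Request Header Name": ("request.headers[{name}]", 1, ("==", "!=")),
    "Request Header":      ("request.headers[{name}]", 2, _ALL_OPS),
    "Host":                ("request.headers['host']", 2, _ALL_OPS),
    "User-Agent":          ("request.headers['user-agent']", 2, _ALL_OPS),
    "Cookie":              ("request.headers['cookie']", 2, _ALL_OPS),
}


def _quote(value):
    """CEL single-quoted string literal; backslashes and quotes are escaped so a
    value typed into a UI field cannot break out of the literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def _compare(target, op, value):
    lit = _quote(value)
    if op in ("==", "!="):
        return f"{target} {op} {lit}"
    func = op.lstrip("!")
    if func == "matches":
        re.compile(value)  # reject syntactically broken patterns early (RE2 is stricter still)
    call = f"{target}.{func}({lit})"
    return "!" + call if op.startswith("!") else call


def render_condition(attribute, op, value, header_name=None):
    """Return (cel_fragment, cost) for one row of the support matrix."""
    target, cost, ops = ATTRIBUTES[attribute]
    if op not in ops:
        raise ValueError(f"{op!r} is not supported for {attribute}")
    if attribute == "Request Header Name":
        # presence test only: 'value' is the header name, '!=' means absent
        guard = f"has({target.format(name=_quote(value.lower()))})"
        return (guard if op == "==" else "!" + guard), cost
    if "{name}" in target:
        if not header_name:
            raise ValueError(f"{attribute} needs a header name")
        target = target.format(name=_quote(header_name.lower()))  # header names are case-insensitive
    if cost == 2:
        return f"(has({target}) && {_compare(target, op, value)})", cost
    return _compare(target, op, value), cost


def build_expression(conditions):
    """AND all conditions into one rule expression; refuse rules over the limit."""
    parts, total = [], 0
    for cond in conditions:
        fragment, cost = render_condition(*cond)
        parts.append(fragment)
        total += cost
    if total > MAX_SUBEXPRESSIONS:
        raise ValueError(f"rule needs {total} sub-expressions; limit is {MAX_SUBEXPRESSIONS}")
    return " && ".join(parts), total


# Constructed sample: block scripted POSTs to an admin path (costs 1 + 1 + 2 = 4).
SAMPLE_RULE = [
    ("HTTP Method", "==", "POST"),
    ("Request URL", "matches", "^/api/v1/admin/.*"),
    ("User-Agent", "contains", "curl"),
]

if __name__ == "__main__":
    print(build_expression(SAMPLE_RULE))
```

The sample renders as request.method == 'POST' && request.path.matches('^/api/v1/admin/.*') && (has(request.headers['user-agent']) && request.headers['user-agent'].contains('curl')) at a cost of four; adding a Host condition pushes it to six and the builder raises instead of producing a rule Cloud Armor would reject. The resulting string is what you would pass as --expression to gcloud compute security-policies rules create when adding the same rule by hand.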