-
Notifications
You must be signed in to change notification settings - Fork 378
/
Copy pathConfiguring Traffic Blocklisting with Google Cloud Armor
99 lines (87 loc) · 3.84 KB
/
Configuring Traffic Blocklisting with Google Cloud Armor
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
#!/bin/bash
# Step 1: Set the default zone from project metadata
echo "Setting the default zone from project metadata..."
export ZONE=$(gcloud compute project-info describe \
--format="value(commonInstanceMetadata.items[google-compute-default-zone])")
# Step 2: Create a VM instance named "access-test"
echo "Creating a VM instance named 'access-test'..."
gcloud compute instances create access-test --project=$DEVSHELL_PROJECT_ID --zone=$ZONE --machine-type=e2-medium --network-interface=network-tier=PREMIUM,stack-type=IPV4_ONLY,subnet=default --metadata=enable-oslogin=true --maintenance-policy=MIGRATE --provisioning-model=STANDARD --scopes=https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring.write,https://www.googleapis.com/auth/service.management.readonly,https://www.googleapis.com/auth/servicecontrol,https://www.googleapis.com/auth/trace.append --create-disk=auto-delete=yes,boot=yes,device-name=access-test,image=projects/debian-cloud/global/images/debian-12-bookworm-v20241210,mode=rw,size=10,type=pd-balanced --no-shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring --labels=goog-ec-src=vm_add-gcloud --reservation-affinity=any
# Step 3: Get the external IP address of the newly created VM
echo "Fetching the external IP address of the 'access-test' VM..."
export VM_EXT_IP=$(gcloud compute instances describe access-test \
--zone=$ZONE \
--format='get(networkInterfaces[0].accessConfigs[0].natIP)')
# Step 4: Create a security policy named "blocklist-access-test"
echo "Creating a security policy named 'blocklist-access-test'..."
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
https://compute.googleapis.com/compute/v1/projects/$DEVSHELL_PROJECT_ID/global/securityPolicies \
-d "{
\"adaptiveProtectionConfig\": {
\"layer7DdosDefenseConfig\": {
\"enable\": false
}
},
\"description\": \"\",
\"name\": \"blocklist-access-test\",
\"rules\": [
{
\"action\": \"deny(404)\",
\"description\": \"\",
\"match\": {
\"config\": {
\"srcIpRanges\": [
\"$VM_EXT_IP\"
]
},
\"versionedExpr\": \"SRC_IPS_V1\"
},
\"preview\": false,
\"priority\": 1000
},
{
\"action\": \"allow\",
\"description\": \"Default rule, higher priority overrides it\",
\"match\": {
\"config\": {
\"srcIpRanges\": [
\"*\"
]
},
\"versionedExpr\": \"SRC_IPS_V1\"
},
\"preview\": false,
\"priority\": 2147483647
}
],
\"type\": \"CLOUD_ARMOR\"
}"
sleep 30
# Step 5: Attach the security policy to the backend service "web-backend"
echo "Attaching the 'blocklist-access-test' security policy to the 'web-backend' service..."
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
https://compute.googleapis.com/compute/v1/projects/$DEVSHELL_PROJECT_ID/global/backendServices/web-backend/setSecurityPolicy \
-d "{
\"securityPolicy\": \"projects/$DEVSHELL_PROJECT_ID/global/securityPolicies/blocklist-access-test\"
}"
echo
echo -e "\n" # Adding one blank line
cd
remove_files() {
# Loop through all files in the current directory
for file in *; do
# Check if the file name starts with "gsp", "arc", or "shell"
if [[ "$file" == gsp* || "$file" == arc* || "$file" == shell* ]]; then
# Check if it's a regular file (not a directory)
if [[ -f "$file" ]]; then
# Remove the file and echo the file name
rm "$file"
echo "File removed: $file"
fi
fi
done
}
remove_files