How to determine the IP ranges used by the GCP load balancers

I am operating several VM instances on Google Cloud Platform (GCP). They are behind an HTTP(S) load balancer.

In order to restrict access based on the origin IP address, I configured Nginx on each VM instance as follows:

server {
  listen 80;
  listen [::]:80;
  server_name www.example.com;

  real_ip_header X-Forwarded-For;
  real_ip_recursive on;
  set_real_ip_from 130.211.0.0/22; # GCP load balancers
  set_real_ip_from 35.191.0.0/16;  # GCP load balancers

  ...
}

I found the IP ranges 130.211.0.0/22 and 35.191.0.0/16 in the Firewall rules section of the "HTTP(S) Load Balancing Concepts" documentation page.

But in actual operation, I noticed that requests could also come from another IP range, 35.190.0.0/17.

So, I consulted a section of the Google Compute Engine FAQ and I learned that I can get the list of all public IP ranges of GCP.

This list is very long and seems to include IP ranges that are not used by the load balancers.

I have two questions:

  1. How can I determine the IP ranges used by the GCP load balancers?
  2. How can I update the Nginx configuration when the IP ranges change?
Tsutomu asked Oct 15 '25 20:10



1 Answer

I ran into this exact same issue while testing a deployment on Google Kubernetes Engine. I found out that if you assign a static IP address to your load balancer, that is the additional IP address that traffic will be forwarded from. Static IP addresses are always out of the listed range for Google's load balancers since they can be reserved for purposes other than load balancing. In my case I whitelisted the range that Google listed along with my static IP and everything is working fine; traffic doesn't get forwarded from any other IP addresses.

Whitelisting the entire range of Google's IP addresses might open a security hole where someone will be able to spoof their IP on your site. If someone uses a Google Compute Engine instance that is assigned one of Google's IPs that you whitelisted, they will be able to spoof their IP by changing the forwarded-for headers.

FaithoftheFallen answered Oct 18 '25 15:10

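The following Python script is an added example, not code from the question or the answer. It emulates how nginx's realip module picks the client address with `real_ip_header X-Forwarded-For` and `real_ip_recursive on`, so you can see why a trusted list that is wider than the load balancer ranges lets a forged X-Forwarded-For value through, as the answer warns; it also turns a prefix list into `set_real_ip_from` lines for an include file, which addresses the second question. It assumes the FAQ's published list is the cloud.json format at https://www.gstatic.com/ipranges/cloud.json (the sample document and all addresses below are constructed).

```python
import ipaddress
import json

# Ranges the question took from the load-balancing firewall-rules documentation.
LB_RANGES_FROM_DOCS = ["130.211.0.0/22", "35.191.0.0/16"]

# Constructed sample in the shape of Google's published cloud.json (assumption:
# the FAQ's list is https://www.gstatic.com/ipranges/cloud.json; the real file
# holds hundreds of prefixes, not two).
SAMPLE_CLOUD_JSON = json.dumps({"syncToken": "0", "prefixes": [
    {"ipv4Prefix": "35.190.0.0/17", "service": "Google Cloud", "scope": "global"},
    {"ipv6Prefix": "2600:1900::/35", "service": "Google Cloud", "scope": "global"},
]})


def cloud_json_prefixes(text):
    """Return every IPv4/IPv6 prefix listed in a cloud.json-style document."""
    return [p.get("ipv4Prefix") or p.get("ipv6Prefix")
            for p in json.loads(text)["prefixes"]]


def render_set_real_ip_from(cidrs):
    """Render deduplicated, sorted nginx set_real_ip_from lines for an include file."""
    nets = sorted({ipaddress.ip_network(c) for c in cidrs}, key=lambda n: (n.version, n))
    return [f"set_real_ip_from {n};" for n in nets]


def resolve_client_ip(remote_addr, xff, trusted):
    """Emulate ngx_http_realip_module with real_ip_header X-Forwarded-For and
    real_ip_recursive on: if the peer is trusted, walk X-Forwarded-For from the
    right, skip trusted hops, and report the first untrusted one (or the leftmost
    hop if every hop is trusted). An untrusted peer is reported unchanged."""
    nets = [ipaddress.ip_network(t) for t in trusted]

    def is_trusted(ip):
        return any(ip in n for n in nets if n.version == ip.version)

    if not is_trusted(ipaddress.ip_address(remote_addr)):
        return remote_addr
    client = remote_addr
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # nginx stops at an unparsable hop and keeps the previous result
        if not is_trusted(ip):
            return hop
        client = hop
    return client
```

With the two documented ranges, a header of `198.51.100.1, 35.190.5.5` arriving from a load balancer resolves to the real sender `35.190.5.5`; once `35.190.0.0/17` is also trusted, the same request resolves to the sender-supplied `198.51.100.1`.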
