How to use Google Cloud Armor with to whitelist only a few IPs on GKE?

Question

we're trying to block all non-cluster traffic except a few external IP addresses based on this Cloud Armor walk through.

The GKE cluster recognizes the rules but it's still blocking the allowed IP. Here are the steps followed:

1) Create the policy + rules

gcloud beta compute security-policies create allow-team-only \
    --description "Cloud Armor deny non-team IPs"


gcloud beta compute security-policies rules create 1000 \
    --security-policy allow-team-only \
    --description "Deny traffic from 0.0.0.0/0." \
    --src-ip-ranges "0.0.0.0/0" \
    --action "deny-404"


gcloud beta compute security-policies rules create 999 \
    --security-policy allow-team-only \
    --description "Allow traffic from <IP ADDRESS>." \
    --src-ip-ranges "<IP ADDRESS>/32" \
    --action "allow"    

2) Apply the rules to our services, which are on port 8080

metadata:
  annotations:
    beta.cloud.google.com/backend-config: '{"ports": {"8080":"allow-team-only"}}'  

What am I overlooking?

Thanks!

Answer 1

As per your policy and rules, you have created two policies one of them is to deny all traffic. For this rule, I have two observation

1) You have created with the number 1000, and as it denying everything any future addition of rules with a number with 1000+ will not work. As all traffic will match 0.0.0.0/0 and 1000+ number rules will not be checked. 2) As per GCP, you could have used the default rule and could change the action to deny (fail-close).

As per GCP documentation on Cloud Armor Security Policies

Each Cloud Armor Security Policy contains a default rule that is matched if none of the higher priority rules are matched or if there are no other rules in the policy. The default rule is automatically assigned a priority of 2147483647 (max int32) and it is always present in the Cloud Armor Security Policy. The default rule cannot be deleted, but it can be modified. The default action for the default rule is allow (fail-open), but you can change the action to deny (fail-close).

I also noticed your scenario is very similar to the first use case "Use case 1: Limiting access to the GCP HTTP(S) load balancer" described in the same document you have shared.

As per the document, to create this configuration, follow these steps:

1) Create a Cloud Armor Security Policy.
2) In the Cloud Armor Security Policy, add a rule that whitelists as the first rule. This rule has the description “allow ”.
3) Modify the default rule in the policy from an allow rule to a deny rule. The default rule governs traffic that does not match any of the preceding rules. It is the last rule in the policy. Changing the rule from allow to deny blocks all traffic that does not originate in the whitelisted .
4) Associate this policy with the HTTP(S) load balancer's backend service.

Answer 2

For those struggling with this, check your logs first, and then confirm that your IP address doesn't rotate. I was on a public network that had rotating IPs, which I did not know about.