I have a compute instance in GCP. I have been tasked with
The application deployed is black-boxed for me, but it receives HTTPS and WS requests on multiple different ports (5 ports). It handles verification and validation of SSL certificates by itself.
Based on initial research, I found that GCP provides Cloud Armor for rate limiting and DDoS protection. However, I am facing certain challenges.
I want to know what the optimal strategy is for applying the above rules on the instance, and whether this is even feasible on GCP currently. What can be used to apply these rules on the instances?
According to this Official Google document,
the Cloud Armor rate limiting feature is currently designated only for the global external HTTP(S) load balancer / global external HTTP(S) load balancer (classic) and the external TCP proxy load balancer / external SSL proxy load balancer, not the Network Load Balancer.
A Feature Request has been raised for using Cloud Armor along with Network Load Balancer and the Product Engineering Team is working on this request.
As a workaround:
You can utilize VPC firewall rules at the network or subnet level to control inbound and outbound traffic; by doing this, only trusted IP addresses will be allowed and it will rate-limit suspicious or malicious traffic.
Refer to this official GCP document for configuring VPC Firewall Rules to solve your issue.
You can implement VPC Service Controls to create security perimeters around your resources in a Virtual Private Cloud (VPC) and ensure strict enforcement of access controls to prevent the transfer of malicious content.
Refer to this official GCP document for configuring VPC Service Controls to solve your issue.
You can use Cloud IAP for confirming user identity and imposing secure access regulations.
Refer to this official GCP document for configuring Cloud IAP to solve your issue.
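The VPC firewall workaround from the answer above, as an added example that is not part of the question or the answer: gcloud commands that allow the five application ports only from trusted source ranges, add a logged catch-all deny for the same ports, and open SSH only to Google's IAP TCP-forwarding range. The project id, network name, instance tag, port numbers and trusted address ranges are assumptions chosen for the example. Note that VPC firewall rules filter by source address and port; they do not throttle traffic, so the real rate limiting still needs Cloud Armor behind one of the load balancers the answer lists.

```shell
#!/bin/sh
# Added example (not from the question or the answer above): gcloud commands that
# restrict the five application ports to trusted source ranges with VPC firewall
# rules, and open SSH only to Google's IAP TCP-forwarding range.
# Every name, port and address range below is an assumption made for the example.
set -eu

PROJECT="example-project"                      # assumed project id
NETWORK="app-vpc"                              # assumed VPC network
TARGET_TAG="app-server"                        # network tag carried by the instance
APP_PORTS="tcp:443,tcp:8443,tcp:9443,tcp:9000,tcp:9001"   # assumed five HTTPS/WS ports
TRUSTED_RANGES="203.0.113.0/24,198.51.100.10/32"          # assumed trusted clients (RFC 5737 ranges)
IAP_RANGE="35.235.240.0/20"                    # Google's IAP TCP-forwarding source range
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print the commands only; set to 0 to apply them

# fw_cmd NAME ACTION PRIORITY RULES SOURCE_RANGES: print one gcloud command.
# Logging is enabled so that hits on the deny rule land in Cloud Logging.
fw_cmd() {
  printf 'gcloud compute firewall-rules create %s --project=%s --network=%s --direction=INGRESS --action=%s --priority=%s --rules=%s --source-ranges=%s --target-tags=%s --enable-logging\n' \
    "$1" "$PROJECT" "$NETWORK" "$2" "$3" "$4" "$5" "$TARGET_TAG"
}

# Lower priority number wins: the allow at 1000 beats the catch-all deny at 2000.
allow_app_rule() { fw_cmd allow-app-ports-trusted ALLOW 1000 "$APP_PORTS" "$TRUSTED_RANGES"; }
deny_app_rule()  { fw_cmd deny-app-ports-all       DENY  2000 "$APP_PORTS" "0.0.0.0/0"; }
allow_iap_ssh()  { fw_cmd allow-ssh-from-iap       ALLOW 1000 "tcp:22"     "$IAP_RANGE"; }

# apply_rules: print the three commands (DRY_RUN=1) or execute them (DRY_RUN=0).
apply_rules() {
  for cmd in "$(allow_app_rule)" "$(deny_app_rule)" "$(allow_iap_ssh)"; do
    if [ "$DRY_RUN" = 1 ]; then
      echo "$cmd"
    else
      sh -c "$cmd"
    fi
  done
}

apply_rules
```

Run it once as is to review the generated commands, then with `DRY_RUN=0` to create the rules. The explicit deny at priority 2000 matters on the `default` network, which ships with broad allow rules; on a custom VPC the implied deny already covers it, but the logged rule still gives you visibility into who is knocking on those ports.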