Tags: google-cloud-platform, google-kubernetes-engine, nginx-ingress, google-cloud-armor, google-cloud-network-load-balancer

Does External Passthrough Network Load Balancer support BackendConfig configuration from GKE?


I have deployed the Nginx Controller via an External Passthrough Load Balancer in GCP. I want to attach a Cloud Armor Security Policy to the Load Balancer. According to the BackendConfig documentation, it looks like it only supports HTTP Load Balancers configured via an Ingress resource. What I want to confirm is: if I add cloud.google.com/backend-config to the Nginx Controller service, will it attach the Cloud Armor Security Policy I have configured?

I have tried this, but the backend service doesn't seem to take effect.


Solution

  • External passthrough Network Load Balancers are not proxies, and GKE Ingresses use the proxy-based HTTP(S) Load Balancer. Currently, Cloud Armor can only be integrated with the HTTP(S) Load Balancer. It allows you to apply security policies directly to your load balancer, effectively protecting all applications served behind it.

    Google Cloud Armor protects your applications and websites against denial of service and web attacks. Since GKE Ingresses use proxy-based Google Cloud HTTP(S) Load Balancers, protection against L3 and L4 DDoS attacks is enabled by default.

    Applications can also be protected with Layer 7 filtering by using Google Cloud Armor security policies. Once a Google Cloud Armor security policy is configured, it can be used to protect services associated with a given Ingress. Google Cloud Armor supports advanced network DDoS protection for external passthrough Network Load Balancers. For more information, see Configure advanced network DDoS protection.

    You can refer to the GitHub documentation for setting up GKE Ingress with Google Cloud Armor protection.

    EDIT:

    You can use Cloud Armor to filter source IPs on an external passthrough load balancer. Cloud Armor allows you to protect your web applications and APIs from various threats, including IP-based attacks. You can create a Cloud Armor security policy and define rules to filter incoming traffic based on source IP addresses, IP ranges and other attributes. Now apply and configure the Cloud Armor security policies to the load balancer.
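As an added example (not from the question or the answer above), this is the supported pattern the answer describes: a BackendConfig referencing a Cloud Armor policy, bound through the Service annotation to a Service that a GKE Ingress fronts, so the policy lands on the proxy-based HTTP(S) Load Balancer's backend service. The policy, Service, Ingress and app names are assumed.

```yaml
# Added example: Cloud Armor via BackendConfig only takes effect for a Service
# that is fronted by a GKE Ingress (proxy-based HTTP(S) Load Balancer).
# Names (ingress-armor-policy, web-backendconfig, web, web-ingress) are assumed.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: web-backendconfig
spec:
  securityPolicy:
    # An existing Cloud Armor security policy, e.g. created with
    # gcloud compute security-policies create ingress-armor-policy
    name: ingress-armor-policy
---
apiVersion: v1
kind: Service
metadata:
  name: web
  annotations:
    # Container-native load balancing (NEGs): the Ingress-created backend
    # service targets the pods directly.
    cloud.google.com/neg: '{"ingress": true}'
    # Binds the BackendConfig to this Service's backend.
    cloud.google.com/backend-config: '{"default": "web-backendconfig"}'
spec:
  # ClusterIP, not LoadBalancer: a type LoadBalancer Service creates a
  # passthrough Network Load Balancer, which ignores the BackendConfig.
  type: ClusterIP
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    kubernetes.io/ingress.class: "gce"   # external HTTP(S) Load Balancer
spec:
  defaultBackend:
    service:
      name: web
      port:
        number: 80
```

To check that the binding took effect, describe the backend service the Ingress created (gcloud compute backend-services describe NAME --global) and confirm its securityPolicy field references the policy.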