We use the new Google Cloud Global external Application Load Balancer in combination with Cloud Armor and Cloud Run.
Our public price APIs are the target of automated crawler requests, so we collected a lot of bad IP addresses (10.000 and counting) and want to block them on the network level before they reach our Cloud Run instances.
I browsed the documentation but I didn't find a possibility to create a block list and add it to the load balancer or Cloud Armor. Has anybody done something similar or can point me in the right direction?
Google Cloud Armor provides several features that can help you:
User-agent header. examples

Trying to maintain your own IP blacklist is an exercise in futility. The cost to constantly monitor and update your address list will consume many hours. Balance what your time is worth versus the service costs for that traffic.
Cloud Run is designed to support authorization. That is the security model you should deploy. No other solution will solve your problem as efficiently and cost-effectively.
My advice is to forget about blocking traffic. Unless a specific endpoint is attacking your services, there is almost no benefit for the time and cost to monitor and manage the billions of network hosts that are on the Internet. 99% of the traffic is harmless. The 1% that is dangerous is smart enough to get around your blacklist rules. If you rely upon blacklists, it will take me less than 5 minutes of effort to bypass them. Deploy authorization instead.
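To put a number on the maintenance cost discussed above, the following added example (not part of the original question or answer) collapses a collected address list into CIDR ranges and packs them into Cloud Armor deny rules, which accept at most 10 source ranges per basic rule. The policy name `price-api-policy`, the starting priority and the sample addresses are assumptions made up for this sketch.

```python
import ipaddress

MAX_RANGES_PER_RULE = 10  # Cloud Armor limit on source IP ranges in one basic rule

# Constructed sample input (documentation address space), including a duplicate,
# four adjacent hosts and two adjacent /25 networks.
SAMPLE = [
    "192.0.2.0", "192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.1",
    "198.51.100.7", "203.0.113.0/25", "203.0.113.128/25", "2001:db8::1",
]


def collapse(addresses):
    """Parse addresses/CIDRs, drop duplicates and merge adjacent ranges."""
    nets = []
    for raw in addresses:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue  # skip blank lines and comments in the collected list
        nets.append(ipaddress.ip_network(raw, strict=False))
    # collapse_addresses() refuses mixed IP versions, so handle them separately
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


def build_rules(addresses, policy="price-api-policy", start_priority=1000):
    """Return one gcloud command per rule, each with at most 10 source ranges."""
    ranges = collapse(addresses)
    commands = []
    for i in range(0, len(ranges), MAX_RANGES_PER_RULE):
        chunk = ",".join(ranges[i:i + MAX_RANGES_PER_RULE])
        priority = start_priority + i // MAX_RANGES_PER_RULE
        commands.append(
            f"gcloud compute security-policies rules create {priority} "
            f"--security-policy={policy} --action=deny-403 "
            f"--src-ip-ranges={chunk}"
        )
    return commands


if __name__ == "__main__":
    for command in build_rules(SAMPLE):
        print(command)
```

Addresses that do not merge into larger ranges still need one rule per 10 entries, so a list of 10.000 scattered hosts becomes 1,000 rules to create, keep in sync and fit within the policy's rule quota.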