Global external Application Load Balancer IP Block List


We use the new Google Cloud Global external Application Load Balancer in combination with Cloud Armor and Cloud Run.

Our public price APIs are the target of automated crawler requests, so we collected a lot of bad IP addresses (10.000 and counting) and want to block them on the network level before they reach our Cloud Run instances.

I browsed the documentation but I didn't find a possibility to create a block list and add it to the load balancer or Cloud Armor. Has anybody done something similar or can point me in the right direction?


Google Cloud Armor provides several features that can help you:

  • Good/normal bots typically have headers that identify themselves. You can create Cloud Armor rules that block based on the HTTP User-Agent header.
  • Cloud Armor supports vendor-crafted, a.k.a. named, IP blacklists. Those lists are maintained for you and focus on the most dangerous actors.
  • Cloud Armor supports IP allow/deny rules. You can create your own rules to block traffic. Remember, rules require processing power, which can slow down network traffic. Rules also cost money. The most efficient rules deny blocks of IP addresses (CIDR).
  • Cloud Armor has preconfigured security policies that protect you from harmful actions. I typically deploy around 10 of these policies.

Trying to maintain your own IP blacklist is an exercise in futility. The cost to constantly monitor and update your address list will consume many hours. Balance what your time is worth versus the service costs for that traffic.

  • IP addresses for hosts are constantly changing. Bad actors constantly change the IP address blocks they come from.
  • If you have a public Internet-facing service you will have constant traffic probing your IP address.

Cloud Run is designed to support authorization. That is the security model you should deploy. No other solution will solve your problem as efficiently and cost-effectively.

My advice is to forget about blocking traffic. Unless a specific endpoint is attacking your services, there is almost no benefit for the time and cost to monitor and manage the billions of network hosts that are on the Internet. 99% of the traffic is harmless. The 1% that is dangerous is smart enough to get around your blacklist rules. If you rely upon blacklists, it will take me less than 5 minutes of effort to bypass them. Deploy authorization instead.
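An added illustration of the answer's point about CIDR blocks, not code from the question or the answer: it collapses a collected host list into the fewest exact prefixes (no over-blocking of neighbouring addresses) and groups them into Cloud Armor deny rules. The sample list, the policy name and the per-rule cap of 10 source ranges are assumptions; check the current Cloud Armor quotas before relying on the cap.

```python
import ipaddress

# Constructed sample input (hypothetical, not the asker's data): one IP per line,
# comments and blank lines allowed, with a duplicate and a junk line mixed in.
SAMPLE_BLOCKLIST = "\n".join(
    ["# collected from access logs"]
    + [f"203.0.113.{i}" for i in range(256)]        # every host of one /24
    + [f"198.51.100.{i}" for i in range(1, 24, 2)]  # 12 scattered hosts
    + ["203.0.113.5", "", "not-an-ip"]              # duplicate, blank, junk
)

MAX_RANGES_PER_RULE = 10  # assumption: per-rule cap on --src-ip-ranges


def parse_addresses(text):
    """Return the valid IP addresses in the list; junk lines are skipped, not fatal."""
    addrs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            addrs.append(ipaddress.ip_address(line))
        except ValueError:
            continue
    return addrs


def collapse(addrs):
    """Merge addresses into the smallest set of exact prefixes, per IP version."""
    v4 = [a for a in addrs if a.version == 4]
    v6 = [a for a in addrs if a.version == 6]
    nets = list(ipaddress.collapse_addresses(v4))
    nets += list(ipaddress.collapse_addresses(v6))
    return sorted(nets, key=lambda n: (n.version, n))


def build_rules(nets, policy, start_priority=1000, max_ranges=MAX_RANGES_PER_RULE):
    """Emit one gcloud deny rule per chunk of prefixes, with increasing priority."""
    rules = []
    for i in range(0, len(nets), max_ranges):
        ranges = ",".join(str(n) for n in nets[i:i + max_ranges])
        rules.append(
            f"gcloud compute security-policies rules create {start_priority + len(rules)} "
            f"--security-policy={policy} --src-ip-ranges={ranges} --action=deny-403"
        )
    return rules


if __name__ == "__main__":
    for cmd in build_rules(collapse(parse_addresses(SAMPLE_BLOCKLIST)), "price-api-policy"):
        print(cmd)
```

Only prefixes that are completely covered by collected hosts are merged, so a block of 256 hosts becomes a single /24 while isolated hosts stay as /32 entries.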