How to implement rate based throttling per client determined by IP, in Google Cloud Armor?


I have created a rule and attached it to a policy that throttles requests based on the rate limit I set:

import pulumi_gcp as gcp

# Resource name is a placeholder; the rules are the ones from the question.
policy = gcp.compute.SecurityPolicy(
    "policy",
    rules=[
        # Throttle rule: src_ip_ranges=['*'] makes it match every client, and
        # because enforce_on_key is not set the default key (ALL) applies, so
        # one 100-requests-per-60-seconds counter is shared by all clients.
        gcp.compute.SecurityPolicyRuleArgs(
            action="throttle",
            match=gcp.compute.SecurityPolicyRuleMatchArgs(
                config=gcp.compute.SecurityPolicyRuleMatchConfigArgs(
                    src_ip_ranges=["*"],
                ),
                versioned_expr="SRC_IPS_V1",
            ),
            priority=110,
            description="Rate based throttling for security policies. Currently, in preview mode.",
            preview=True,  # log what would happen without enforcing it
            rate_limit_options=gcp.compute.SecurityPolicyRuleRateLimitOptionsArgs(
                conform_action="allow",
                exceed_action="deny(429)",
                rate_limit_threshold=gcp.compute.SecurityPolicyRuleRateLimitOptionsRateLimitThresholdArgs(
                    count=100,
                    interval_sec=60,
                ),
            ),
        ),
        # Default rule at the lowest priority: allow everything not handled above.
        gcp.compute.SecurityPolicyRuleArgs(
            action="allow",
            description="default rule",
            match=gcp.compute.SecurityPolicyRuleMatchArgs(
                config=gcp.compute.SecurityPolicyRuleMatchConfigArgs(
                    src_ip_ranges=["*"],
                ),
                versioned_expr="SRC_IPS_V1",
            ),
            priority=2147483647,
        ),
    ],
)

In the official documentation, it is mentioned that I can have rate limiting per client determined by IP; however, there are no examples, and the only obvious way to achieve this seems to be mentioning IPs manually.

From the Pulumi documentation, it seems that specifying IP for enforceOnKey would have this rule enforced based on each IP.

Is there a way to throttle just the IP that reaches the limit?
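The following is an added example, not code from the question, the answer, or the Pulumi project. It models what the question is asking for: the difference between the shared counter the rule above currently uses and a counter keyed per client IP. It builds the `rate_limit_options` keyword arguments with `enforce_on_key` set (field names assumed from the Pulumi GCP provider; the nested threshold is passed as a dict, which Pulumi accepts in place of the `*Args` object), and replays a constructed request stream through a fixed-window counter so the effect of each key can be checked offline. Cloud Armor's real counting is distributed and approximate, so the timing here illustrates the keying behaviour only.

```python
"""Per-client throttling with enforce_on_key, modelled in plain Python.

Added example; not from the question, the answer, or the Pulumi project.
"""
from dataclasses import dataclass


@dataclass
class ThrottleRule:
    count: int = 100            # rate_limit_threshold.count
    interval_sec: int = 60      # rate_limit_threshold.interval_sec
    enforce_on_key: str = "IP"  # "ALL" = one shared counter, "IP" = one per client IP
    conform_action: str = "allow"
    exceed_action: str = "deny(429)"

    def as_pulumi_kwargs(self) -> dict:
        """Keyword arguments for gcp.compute.SecurityPolicyRuleRateLimitOptionsArgs
        (field names assumed from the Pulumi GCP provider)."""
        return {
            "conform_action": self.conform_action,
            "exceed_action": self.exceed_action,
            "enforce_on_key": self.enforce_on_key,
            "rate_limit_threshold": {
                "count": self.count,
                "interval_sec": self.interval_sec,
            },
        }


class ThrottleSimulator:
    """Fixed-window counter keyed the way enforce_on_key would key it."""

    def __init__(self, rule: ThrottleRule):
        self.rule = rule
        self.windows: dict[str, tuple[int, int]] = {}  # key -> (window_start, hits)

    def key_for(self, client_ip: str) -> str:
        return client_ip if self.rule.enforce_on_key == "IP" else "ALL"

    def handle(self, ts: int, client_ip: str) -> str:
        key = self.key_for(client_ip)
        start, hits = self.windows.get(key, (ts, 0))
        if ts - start >= self.rule.interval_sec:  # window expired: start a fresh one
            start, hits = ts, 0
        hits += 1
        self.windows[key] = (start, hits)
        if hits <= self.rule.count:
            return self.rule.conform_action
        return self.rule.exceed_action


def replay(rule: ThrottleRule, requests: list[tuple[int, str]]) -> list[tuple[int, str, str]]:
    """Return (timestamp, client_ip, action) for every request, in order."""
    sim = ThrottleSimulator(rule)
    return [(ts, ip, sim.handle(ts, ip)) for ts, ip in requests]


# Constructed traffic (documentation-range addresses): one noisy client sends
# 101 requests inside the first 11 seconds, then a quiet client sends a single
# request, then the noisy client returns after the 60-second window has passed.
NOISY_IP = "203.0.113.7"
QUIET_IP = "198.51.100.9"
SAMPLE_REQUESTS = [(i // 10, NOISY_IP) for i in range(101)] + [(11, QUIET_IP), (70, NOISY_IP)]


def actions_for(results: list[tuple[int, str, str]], client_ip: str) -> list[str]:
    """Actions taken for one client, in request order."""
    return [action for _, ip, action in results if ip == client_ip]


if __name__ == "__main__":
    for key in ("ALL", "IP"):
        results = replay(ThrottleRule(enforce_on_key=key), SAMPLE_REQUESTS)
        print(f"enforce_on_key={key}: quiet client -> {actions_for(results, QUIET_IP)}, "
              f"noisy client denied {actions_for(results, NOISY_IP).count('deny(429)')} time(s)")
```

With `enforce_on_key="ALL"` the quiet client's single request is the 102nd hit on the shared counter and is denied; with `"IP"` only the noisy client sees a 429, and its counter starts over once the interval has elapsed.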


Kiran Kotturi

You have configured src_ip_ranges=['*'], which means all the IPs will be following the rules which are attached to the security policy. Instead, you can use a single IP or a group of IPs by mentioning a CIDR range.

The IP addresses or CIDR ranges can be used as "x.x.x.x/y", where y can be /32 for a single IP or /24 for 254 IPs.

Also, there are some examples related to IP mentioned in the official document which will be useful to you in updating the rules in the security policy accordingly.

Alternatively, you can use cookies and apply "inIpRange(origin.ip, 'x.x.x.x/y') && has(request.headers['cookie']) && request.headers['cookie'].contains('cookie_name=cookie_value')". Here, the cookie may be a unique reCAPTCHA value. For more information related to attributes and operations you can refer to the attached documentations respectively.

Hope the above information is useful to you.
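The following is an added example, not part of the answer above. It re-implements in plain Python the two Cloud Armor expression pieces the answer combines, `inIpRange(origin.ip, 'x.x.x.x/y')` and `has(request.headers['cookie']) && request.headers['cookie'].contains('cookie_name=cookie_value')`, so the scoping effect of that match expression can be checked against sample requests offline. The CIDR, the cookie name and value, and the requests are constructed for the demo; it is not a CEL engine.

```python
"""Evaluating the answer's match expression against constructed requests.

Added example; not part of the original answer.
"""
import ipaddress


def in_ip_range(origin_ip: str, cidr: str) -> bool:
    """Plain-Python equivalent of inIpRange(origin.ip, cidr)."""
    return ipaddress.ip_address(origin_ip) in ipaddress.ip_network(cidr, strict=False)


def cookie_contains(headers: dict[str, str], fragment: str) -> bool:
    """Equivalent of has(request.headers['cookie']) && request.headers['cookie'].contains(fragment).

    Header names are compared case-insensitively; the value check is a plain
    substring test, which is what contains() does.
    """
    cookie = next((v for k, v in headers.items() if k.lower() == "cookie"), None)
    return cookie is not None and fragment in cookie


def rule_matches(origin_ip: str, headers: dict[str, str],
                 cidr: str, cookie_name: str, cookie_value: str) -> bool:
    """The answer's full expression: in the IP range AND the cookie fragment is present."""
    return in_ip_range(origin_ip, cidr) and cookie_contains(headers, f"{cookie_name}={cookie_value}")


# Constructed inputs (documentation-range addresses, made-up cookie).
CIDR = "203.0.113.0/24"
COOKIE_NAME, COOKIE_VALUE = "recaptcha_token", "tok123"
SAMPLE_REQUESTS = [
    {"id": "in-range-with-cookie", "ip": "203.0.113.7",
     "headers": {"Cookie": "session=abc; recaptcha_token=tok123"}},
    {"id": "in-range-no-cookie", "ip": "203.0.113.8", "headers": {}},
    {"id": "out-of-range-with-cookie", "ip": "198.51.100.9",
     "headers": {"cookie": "recaptcha_token=tok123"}},
    # contains() is a substring test: a longer cookie name ending in the expected
    # name=value pair still matches, which is worth knowing when reviewing the rule.
    {"id": "in-range-lookalike-cookie", "ip": "203.0.113.9",
     "headers": {"Cookie": "old_recaptcha_token=tok123456"}},
]


def evaluate(requests: list[dict], cidr: str = CIDR,
             cookie_name: str = COOKIE_NAME, cookie_value: str = COOKIE_VALUE) -> dict[str, bool]:
    """Map each request id to whether the match expression selects it."""
    return {r["id"]: rule_matches(r["ip"], r["headers"], cidr, cookie_name, cookie_value)
            for r in requests}


if __name__ == "__main__":
    for request_id, matched in evaluate(SAMPLE_REQUESTS).items():
        print(f"{request_id}: {'matches' if matched else 'does not match'}")
```

The last sample request shows the caveat of a substring `contains()` check: any cookie string that merely embeds `name=value` satisfies it, so the expression scopes the rule more loosely than an exact cookie comparison would.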