Hi all,
We have an Armor policy to return 403 if it triggers an OWASP signature. However, in addition, we want to block or add a rate limit on the IP if it triggered this OWASP rule.
Do you have any idea on my requirement?
Thank you!
One way could be to log the Cloud Armor event and then configure a Cloud Logging sink to push events to Pub/Sub and then use that event to trigger a simple Cloud Run function with some code to capture the source IP from the log entry and add/update a rule for that IP.
Keep in mind quotas for Cloud Armor policies: https://cloud.google.com/armor/quotas
And Pricing: https://cloud.google.com/armor/pricing/
Hope that helps,
Alex
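The function logic described in the reply above, sketched as an added example (not part of Alex's post, and not Google's code). The priority band, the function names and the sample log entry are assumptions made for illustration; submitting the returned rule body to the policy (for example via the Compute API's `securityPolicies.addRule`) is left out so the block runs offline.

```python
import base64
import ipaddress
import json

# Assumption: priorities 1000-1099 are reserved for auto-added IP rules and sit
# below (are evaluated before) the OWASP rule; the band size caps quota usage.
PRIORITY_BAND = range(1000, 1100)

def source_ip_from_event(envelope):
    """Client IP if the log entry is a deny caused by a preconfigured WAF
    (OWASP) signature, otherwise None."""
    entry = json.loads(base64.b64decode(envelope["message"]["data"]))
    enforced = entry.get("jsonPayload", {}).get("enforcedSecurityPolicy", {})
    if enforced.get("outcome") != "DENY" or not enforced.get("preconfiguredExprIds"):
        return None
    try:
        return ipaddress.ip_address(entry["httpRequest"]["remoteIp"])
    except (KeyError, ValueError):
        return None  # missing or malformed address: never build a rule from it

def plan_block_rule(envelope, existing_rules):
    """Rule body to add to the policy, or None if nothing should change.
    existing_rules: the policy's current rules (list of dicts)."""
    ip = source_ip_from_event(envelope)
    if ip is None:
        return None
    used = set()
    for rule in existing_rules:
        if rule.get("priority") not in PRIORITY_BAND:
            continue
        used.add(rule["priority"])
        ranges = rule.get("match", {}).get("config", {}).get("srcIpRanges", [])
        if any(ip in ipaddress.ip_network(r, strict=False) for r in ranges):
            return None  # duplicate log entries must not create duplicate rules
    free = [p for p in PRIORITY_BAND if p not in used]
    if not free:
        raise RuntimeError("auto-block priority band is full")
    return {
        "priority": free[0],
        "action": "deny(403)",
        "description": "auto-block after OWASP signature hit",
        "match": {"versionedExpr": "SRC_IPS_V1",
                  "config": {"srcIpRanges": [f"{ip}/{ip.max_prefixlen}"]}},
    }

def sample_envelope(ip, outcome="DENY", expr_ids=("owasp-crs-v030001-id942140-sqli",)):
    """Constructed Pub/Sub envelope wrapping a constructed load balancer log entry."""
    entry = {"httpRequest": {"remoteIp": ip},
             "jsonPayload": {"enforcedSecurityPolicy": {
                 "outcome": outcome, "preconfiguredExprIds": list(expr_ids)}}}
    return {"message": {"data": base64.b64encode(json.dumps(entry).encode()).decode()}}
```

Bounding the priority band is what keeps an attacker rotating source addresses from pushing the policy past the rule quota mentioned above; expiring old entries in that band is a separate job.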
Thanks Alex for the explanation! So in short, it could not be implemented simply within Armor but needs an additional service's help.
Steven
Thanks so much for the reply.