
Protect API Gateway with Cloud Armor

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Google Cloud API Gateway is using Cloud Armor to protect your applications against common web exploits and DDoS attacks, ensuring API availability and data security.

Security

Cloud Armor protects applications and infrastructure from DDoS and other attacks (Layer 3/4 and 7) using Google's global network to filter malicious traffic at the network edge. Cloud Armor shields Google Cloud API Gateway by applying security policies at the edge, such as IP-based filtering, geo-restrictions, preconfigured WAF rules, and DDoS mitigation. Note that a security policy is not attached to the gateway itself: API Gateway is exposed through a serverless Network Endpoint Group (NEG) behind a global external Application Load Balancer, and the policy is attached to that load balancer's backend service, which is why the Audit and Remediation steps below operate on the backend service. This ensures that malicious traffic is blocked before reaching your API Gateway, reducing the risk of exploitation, improving reliability, and safeguarding sensitive data. APIs must maintain secure access and mitigate threats while ensuring that legitimate traffic flows uninterrupted.


Audit

To determine if API Gateway leverages Cloud Armor as a network security service, perform the following operations:

Checking for API Gateway protection with Cloud Armor using Google Cloud Management Console is not currently supported.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run api-gateway gateways list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the ID of each API Gateway created for the selected project:

gcloud api-gateway gateways list
	--location=us-central1
	--project cc-web-project-123123
	--format="table(name)"

04 The command output should return the fully qualified identifier for each API Gateway:

NAME: projects/cc-web-project-123123/locations/us-central1/gateways/tm-project5-api-gateway
NAME: projects/cc-web-project-123123/locations/us-central1/gateways/aqi-monitor-api-gateway

05 Run compute network-endpoint-groups list command (Windows/macOS/Linux) with a filter on the serverless deployment resource set to the ID of the API Gateway that you want to examine (the last segment of the gateway name returned in step no. 4) and custom output filters to describe the URI of the serverless Network Endpoint Group (NEG) configured as the backend for the specified API Gateway. The serverless NEG is the key element linking the backend service to the API Gateway:

gcloud beta compute network-endpoint-groups list
	--regions=us-central1
	--project cc-web-project-123123
	--filter="serverlessDeployment.resource=tm-project5-api-gateway"
	--format="value(selfLink)"

06 The command output should return the URI of the serverless NEG associated with the selected API Gateway. If the compute network-endpoint-groups list command output does not return a URI, the selected API Gateway is not associated with a serverless NEG (and therefore is not behind a load balancer backend service to which a Cloud Armor policy could be attached) and the Audit process ends here:

https://www.googleapis.com/compute/beta/projects/cc-web-project-123123/regions/us-central1/networkEndpointGroups/tm-project5-neg

07 Run compute backend-services list command (Windows/macOS/Linux) with custom output filters to describe the name of each backend service provisioned for the selected GCP project, together with the URI of the Network Endpoint Group (NEG) configured as backend for the backend service:

gcloud compute backend-services list
	--project cc-web-project-123123
	--format="table(name,backends[].group)"

08 The command output should return the requested identifiers:

NAME: tm-project5-backend-service
GROUP: ['https://www.googleapis.com/compute/v1/projects/cc-web-project-123123/regions/us-central1/networkEndpointGroups/tm-project5-neg']

NAME: tm-aqi-app-backend-service
GROUP: ['https://www.googleapis.com/compute/v1/projects/cc-web-project-123123/regions/us-central1/networkEndpointGroups/tm-aqi-app-neg']

Cross-reference the data returned in step no. 6 with that returned in step no. 8 to determine the name of the backend service associated with the selected API Gateway. The NEG URI in step no. 6 comes from the beta API (compute/beta/...) while step no. 8 reports the v1 path (compute/v1/...), so compare the part of the URI from projects/ onward rather than the full string.

09 Run compute backend-services describe command (Windows/macOS/Linux) with the name of the backend service associated with your API Gateway as the identifier parameter, to determine if the selected backend service is protected with Cloud Armor. Backend services that front a serverless NEG are global, so the --global flag is required:

gcloud compute backend-services describe tm-project5-backend-service
	--global
	--project cc-web-project-123123
	--format="yaml(securityPolicy)"

10 The command output should return the Cloud Armor security policy configured for the selected backend service:

null

If the compute backend-services describe command output returns null, as shown in the example above, there is no Cloud Armor security policy configured for the associated backend service. Therefore, Cloud Armor is not used to protect the selected API Gateway against common web exploits and DDoS attacks.

11 Repeat steps no. 5 - 10 for each API Gateway that you want to examine, created for the selected GCP project.

12 Repeat steps no. 3 – 11 for each GCP project deployed in your Google Cloud account.
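Audit steps no. 5 to 10 are a join across three gcloud outputs (gateways, serverless NEGs, backend services) that is tedious to repeat by hand for every gateway. The following script is an added example written for this page, not Conformity's own code; it reproduces that join in Python over the JSON that the same three list commands emit with --format=json. Without arguments it runs on constructed sample data that mirrors the page's example names plus a hypothetical orphan-api-gateway with no NEG; with --live PROJECT REGION it runs the gcloud commands and audits every gateway in that region, exiting non-zero if any gateway is not behind a backend service that has a Cloud Armor security policy. The project, region and resource names in the sample are assumptions.

```python
import json
import subprocess
import sys

COMPUTE_PREFIX = "https://www.googleapis.com/compute/"
APIGW_PLATFORM = "apigateway.googleapis.com"

# Constructed sample data shaped like `gcloud ... --format=json` output. It mirrors
# the page's example names plus one gateway with no NEG; it is not real output.
SAMPLE_GATEWAYS = [
    {"name": "projects/cc-web-project-123123/locations/us-central1/gateways/tm-project5-api-gateway"},
    {"name": "projects/cc-web-project-123123/locations/us-central1/gateways/aqi-monitor-api-gateway"},
    {"name": "projects/cc-web-project-123123/locations/us-central1/gateways/orphan-api-gateway"},
]
SAMPLE_NEGS = [
    {"name": "tm-project5-neg", "networkEndpointType": "SERVERLESS",
     "selfLink": COMPUTE_PREFIX + "beta/projects/cc-web-project-123123/regions/us-central1/networkEndpointGroups/tm-project5-neg",
     "serverlessDeployment": {"platform": APIGW_PLATFORM, "resource": "tm-project5-api-gateway"}},
    {"name": "tm-aqi-app-neg", "networkEndpointType": "SERVERLESS",
     "selfLink": COMPUTE_PREFIX + "beta/projects/cc-web-project-123123/regions/us-central1/networkEndpointGroups/tm-aqi-app-neg",
     "serverlessDeployment": {"platform": APIGW_PLATFORM, "resource": "aqi-monitor-api-gateway"}},
]
SAMPLE_BACKEND_SERVICES = [
    {"name": "tm-project5-backend-service",
     "backends": [{"group": COMPUTE_PREFIX + "v1/projects/cc-web-project-123123/regions/us-central1/networkEndpointGroups/tm-project5-neg"}]},
    {"name": "tm-aqi-app-backend-service",
     "backends": [{"group": COMPUTE_PREFIX + "v1/projects/cc-web-project-123123/regions/us-central1/networkEndpointGroups/tm-aqi-app-neg"}],
     "securityPolicy": COMPUTE_PREFIX + "v1/projects/cc-web-project-123123/global/securityPolicies/tm-aqi-sec-policy"},
]


def resource_path(url):
    """Return the 'projects/...' part of a Compute self-link.

    The NEG list (beta API) and backend-services list (v1 API) report the same NEG
    under different API versions, so only the path after the version is comparable."""
    if url.startswith(COMPUTE_PREFIX):
        return url[len(COMPUTE_PREFIX):].split("/", 1)[1]
    return url


def gateway_id(full_name):
    """'projects/p/locations/l/gateways/ID' -> 'ID' (what serverlessDeployment.resource holds)."""
    return full_name.rsplit("/", 1)[-1]


def audit(gateways, negs, backend_services):
    """Map each gateway -> serverless NEG -> backend service -> securityPolicy (Audit steps 5-10)."""
    neg_by_gateway = {}
    for neg in negs:
        dep = neg.get("serverlessDeployment") or {}
        if dep.get("platform") == APIGW_PLATFORM and dep.get("resource"):
            neg_by_gateway[dep["resource"]] = neg
    service_by_neg_path = {}
    for svc in backend_services:
        for backend in svc.get("backends") or []:
            if backend.get("group"):
                service_by_neg_path[resource_path(backend["group"])] = svc

    findings = []
    for gw in gateways:
        gid = gateway_id(gw["name"])
        finding = {"gateway": gid, "neg": None, "backend_service": None, "security_policy": None}
        neg = neg_by_gateway.get(gid)
        if neg is None:
            finding["status"] = "NO_NEG"  # step 6: gateway is not behind a load balancer at all
        else:
            finding["neg"] = neg["name"]
            svc = service_by_neg_path.get(resource_path(neg["selfLink"]))
            if svc is None:
                finding["status"] = "NO_BACKEND_SERVICE"  # NEG exists but no backend service uses it
            else:
                finding["backend_service"] = svc["name"]
                finding["security_policy"] = svc.get("securityPolicy")
                finding["status"] = "PROTECTED" if svc.get("securityPolicy") else "UNPROTECTED"
        findings.append(finding)
    return findings


def gcloud_json(*args):
    """Run a gcloud command with --format=json and parse its output."""
    proc = subprocess.run(["gcloud", *args, "--format=json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout or "[]")


def audit_project(project, region):
    """Live variant: the same three list commands the page uses, in JSON form."""
    gateways = gcloud_json("api-gateway", "gateways", "list",
                           f"--location={region}", f"--project={project}")
    negs = gcloud_json("beta", "compute", "network-endpoint-groups", "list",
                       f"--regions={region}", f"--project={project}")
    services = gcloud_json("compute", "backend-services", "list", f"--project={project}")
    return audit(gateways, negs, services)


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "--live":  # audit.py --live PROJECT REGION
        results = audit_project(sys.argv[2], sys.argv[3])
    else:                                               # no arguments: constructed sample
        results = audit(SAMPLE_GATEWAYS, SAMPLE_NEGS, SAMPLE_BACKEND_SERVICES)
    for f in results:
        print(f"{f['status']:<19} gateway={f['gateway']} backend_service={f['backend_service']} "
              f"policy={f['security_policy']}")
    sys.exit(1 if any(f["status"] != "PROTECTED" for f in results) else 0)
```

On the sample data the script reports tm-project5-api-gateway as UNPROTECTED (backend service present, no securityPolicy), aqi-monitor-api-gateway as PROTECTED and orphan-api-gateway as NO_NEG. Treat NO_NEG and NO_BACKEND_SERVICE as findings too: Cloud Armor only filters requests that arrive through the load balancer, so a gateway with no serverless NEG has no point at which a policy could apply, and even for PROTECTED gateways it is worth confirming that clients cannot bypass the load balancer by calling the gateway's defaultHostname directly.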

Remediation / Resolution

To ensure that your Google Cloud API Gateways are using Cloud Armor to protect your applications against common web exploits and DDoS attacks, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Network Security console available at https://console.cloud.google.com/net-security/.

04 In the left navigation panel, under Cloud Armor, select Cloud Armor policies.

05 Choose CREATE POLICY and perform the following actions to create a new Cloud Armor security policy for your API Gateway:

  1. For Configure policy, provide a name and a description to identify the new security policy, choose the appropriate policy type (i.e., Backend security policy), set the policy scope, and configure the default rule action. The default rule is the lowest priority rule that takes effect in case no other rule applies. Choose NEXT STEP to continue the setup process.
  2. For Add more rules (optional), choose ADD A RULE under Rules and perform the following steps to create a policy rule:
    1. For Description, enter a description for the new rule.
    2. For Condition, select the desired rule mode. To allow or deny traffic based on IP addresses or IP address ranges, choose Basic mode. To allow or deny traffic based on rule expressions, choose Advanced mode.
    3. For Match, provide the IP address/range to match or the expression to evaluate against incoming requests.
    4. For Action, select Allow or Deny to allow or deny traffic if the rule matches.
    5. For Priority, provide the rule's priority. This can be any integer from 0 to 2,147,483,646 inclusive; rules with lower numbers are evaluated first, and 2,147,483,647 is reserved for the default rule.
    6. Choose SAVE CHANGE TO RULE to save the rule.
    7. Choose NEXT STEP to continue the setup.
  3. For Apply policy to targets (optional), choose ADD TARGET under Targets and select the backend service associated with your API Gateway. Use ADD TARGET to add as many targets as required. Targets are cloud resources that you want to control access to. Choose NEXT STEP to continue the setup process.
  4. For Advanced configurations (optional), choose whether to enable advanced features such as Adaptive Protection.
  5. Choose CREATE POLICY to deploy your new Cloud Armor security policy.

06 Repeat steps no. 2 – 5 for each GCP project deployed within your Google Cloud account.

Using GCP CLI

01 Run compute security-policies create command (Windows/macOS/Linux) to create a new Cloud Armor security policy for your API Gateway. Set the --type parameter to CLOUD_ARMOR to create a backend security policy. Do not set --region: the backend service that fronts an API Gateway serverless NEG is global (see the URI returned in step no. 6), and a regional security policy cannot be attached to a global backend service:

gcloud compute security-policies create tm-project5-sec-policy
	--project cc-web-project-123123
	--description="Cloud Armor Security Policy for API Gateway"
	--type=CLOUD_ARMOR

02 The command output should return the operation status:

Waiting for Security Policy [tm-project5-sec-policy] to be created... done.

03 Run compute security-policies rules create command (Windows/macOS/Linux) to create a new rule for your Cloud Armor security policy. As an example, the following command adds a DENY rule to the security policy specified by the --security-policy parameter, which blocks traffic from IPv4 address ranges 10.20.30.0/24 and 198.60.100.0/24 and has priority 100. An IP deny list on its own does not address the "common web exploits" this rule is meant to cover; add further rules whose --expression parameter evaluates Cloud Armor's preconfigured WAF rule sets (for example evaluatePreconfiguredWaf('sqli-v33-stable') or evaluatePreconfiguredWaf('xss-v33-stable')) before relying on the policy for application-layer protection:

gcloud compute security-policies rules create 100
	--security-policy tm-project5-sec-policy
	--description "Block Traffic from 10.20.30.0/24 and 198.60.100.0/24"
	--src-ip-ranges "10.20.30.0/24","198.60.100.0/24"
	--action "deny-403"

04 The command output should return the operation status:

Waiting for Security Policy Rule to be created for Security Policy [tm-project5-sec-policy]... done.

05 Run compute backend-services update command (Windows/macOS/Linux) with the name of the backend service associated with your API Gateway as the identifier parameter, to attach the Cloud Armor security policy created and configured in the previous steps to the selected backend service. The backend service is global, so the --global flag is required:

gcloud compute backend-services update tm-project5-backend-service
	--global
	--project cc-web-project-123123
	--security-policy tm-project5-sec-policy

06 The command output should return the URI of the updated resource:

Updated [https://www.googleapis.com/compute/v1/projects/cc-web-project-123123/global/backendServices/tm-project5-backend-service].

07 Repeat steps no. 5 and 6 for each associated backend service that you want to configure, available within the selected GCP project.

08 Repeat steps no. 1 – 7 for each GCP project deployed in your Google Cloud account.


Publication date Jan 16, 2025