
Configure edge security policies for load balancer backend services

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudLoadBalancing-007

Ensure that the backend services associated with your Google Cloud load balancers are protected with edge security policies provided by the Cloud Armor service in order to shield your backend services from a range of potential attacks. Edge security policies let you control access to your cloud resources at the Google Cloud Platform (GCP) network edge.

This rule resolution is part of the Conformity solution.

Security
Reliability
Cost optimisation
Performance efficiency
Operational excellence

In Google Cloud, a Cloud Armor security policy is a collection of customizable security configurations that can be applied to your backend services at the network edge. This type of policy, also known as an edge security policy, filters out malicious traffic before it reaches your backend servers. This proactive measure offers several benefits, including alleviating the load on your backend servers, enhancing response times for end users, and safeguarding your backend services from common attacks.


Audit

To determine if your load balancer backend services are protected with edge security policies, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Load balancing console available at https://console.cloud.google.com/net-services/loadbalancing.

04 Select the Load balancers tab and click on the name (link) of the load balancer that you want to examine.

05 Select the Details tab and examine the backend service associated with the load balancer, listed in the Backend section. Under Backend services, choose Show advanced and check the Edge security policy attribute value. If Edge security policy is set to None, there is no edge security policy configured for the backend service associated with the selected load balancer, therefore, your Google Cloud load balancer is not protected against attacks with Cloud Armor.

06 Repeat steps no. 4 and 5 for each load balancer available within the selected GCP project.

07 Repeat steps no. 2 – 6 for each project deployed within your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-project5-stack-123123
cc-bigdata-project-112233

03 Run compute url-maps list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name of each load balancer (identified by a URL map) created for the selected GCP project:

gcloud compute url-maps list \
	--project cc-project5-stack-123123 \
	--format="table(name)"

04 The command output should return the names of the existing load balancers:

NAME
cc-project5-web-load-balancer
cc-project5-int-load-balancer

05 Run compute url-maps describe command (Windows/macOS/Linux) with the name of the GCP load balancer that you want to examine as the identifier parameter and custom output filters to describe the resource URL of the backend service associated with the selected load balancer:

gcloud compute url-maps describe cc-project5-web-load-balancer \
	--global \
	--format="value(defaultService)"

06 The command output should return the requested resource URL:

https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/backendServices/cc-project5-web-backend-service

07 Run compute backend-services describe command (Windows/macOS/Linux) with the URL of the associated backend service that you want to examine as the identifier parameter and custom output filtering to describe the edge security policy configured for the selected backend service:

gcloud compute backend-services describe https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/backendServices/cc-project5-web-backend-service \
	--format="json(edgeSecurityPolicy)"

08 The command output should return the name of the edge security policy configured for the load balancer backend service:

null

If the compute backend-services describe command output returns null, as shown in the example above, there is no edge security policy configured for the backend service associated with the selected load balancer, therefore, your Google Cloud load balancer is not protected against threats with Cloud Armor.

09 Repeat steps no. 5 – 8 for each load balancer created for the selected GCP project.

10 Repeat steps no. 3 – 9 for each project deployed in your Google Cloud Platform (GCP) account.
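As an added example (not part of the Conformity page), the Python script below automates the CLI audit above: for a project it walks the URL maps, collects every backend service they route to, and lists those whose backend-services describe output has no edgeSecurityPolicy. It goes slightly beyond the page in that it also follows pathMatchers and pathRules, which can send traffic to backend services other than defaultService. The gcloud wrapper, the function names and the sample values are assumptions.

```python
import json
import subprocess
from typing import Callable, Iterable, List, Set


def gcloud_json(*args: str):
    """Run a gcloud command with JSON output and parse it (needs gcloud and credentials)."""
    completed = subprocess.run(["gcloud", *args, "--format=json"],
                               check=True, capture_output=True, text=True)
    return json.loads(completed.stdout)


def backend_services_of(url_map: dict) -> Set[str]:
    """Every backend service a URL map can route to, not only defaultService:
    path matchers and path rules may send traffic to other backends."""
    targets: Set[str] = set()
    if url_map.get("defaultService"):
        targets.add(url_map["defaultService"])
    for matcher in url_map.get("pathMatchers", []):
        if matcher.get("defaultService"):
            targets.add(matcher["defaultService"])
        for rule in matcher.get("pathRules", []):
            if rule.get("service"):
                targets.add(rule["service"])
    # Backend buckets can appear in the same fields but are not backend services.
    return {t for t in targets if "/backendServices/" in t}


def is_edge_protected(backend_service: dict) -> bool:
    """True when an edge security policy is attached; the key is absent otherwise."""
    return bool(backend_service.get("edgeSecurityPolicy"))


def find_unprotected(url_maps: Iterable[dict],
                     describe: Callable[[str], dict]) -> List[str]:
    """Backend-service URLs without an edge security policy. `describe` is
    injected so the logic can be exercised on constructed data without gcloud."""
    seen: Set[str] = set()
    for url_map in url_maps:
        seen |= backend_services_of(url_map)
    return sorted(u for u in seen if not is_edge_protected(describe(u)))


def audit_project(project: str) -> List[str]:
    """Live audit of one project: steps 3 to 9 of the CLI procedure above."""
    url_maps = gcloud_json("compute", "url-maps", "list", "--project", project)
    return find_unprotected(
        url_maps, lambda u: gcloud_json("compute", "backend-services", "describe", u))
```

Run `audit_project("<project-id>")` for each ID returned by `gcloud projects list`; every URL it prints corresponds to a backend service that the rule above would flag.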

Remediation / Resolution

To ensure that the backend services associated with your Google Cloud load balancers are protected with Cloud Armor edge security policies, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Armor policies listing page available at https://console.cloud.google.com/net-security/securitypolicies/list.

04 Select the Located in this project tab, choose Create policy, and perform the following actions to create a new edge security policy:

  1. For Configure policy, provide a name and a description for your new security policy, select Edge security policy for the Policy type, set Scope to Global, and select a default rule action. Choose Next step to continue the setup.
  2. (Optional) For Add more rules (optional), choose Add a rule, and define one or more security policy rules based on your application requirements. Choose Next step to continue.
  3. For Apply policy to targets (optional), choose Add target, select Backend service (external application load balancer) from the Type 1 dropdown list, and choose the name of your associated backend service from the Backend service 1 dropdown list. Select Done.
  4. Choose Create policy to create your new Cloud Armor edge security policy and apply it to the backend service associated with your load balancer.

05 Repeat step no. 4 to create and configure more edge security policies for your Google Cloud load balancers.

06 Repeat steps no. 2 – 5 for each project available within your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run compute security-policies create command (Windows/macOS/Linux) to create a new Cloud Armor edge security policy for your Google Cloud load balancers:

gcloud compute security-policies create mobile-clients-policy \
	--type=CLOUD_ARMOR_EDGE \
	--description "Edge security policy for trusted mobile users"

02 The command output should return the URL of the new security policy:

Created [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/securityPolicies/mobile-clients-policy].
NAME: mobile-clients-policy

03 Run compute security-policies rules update command (Windows/macOS/Linux) to update the default rule configured for the new security policy in order to deny all traffic:

gcloud compute security-policies rules update 2147483647 \
	--security-policy mobile-clients-policy \
	--action "deny-404"

04 The command output should return the URL of the updated security policy:

Updated [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/securityPolicies/mobile-clients-policy].

05 Run compute security-policies rules create command (Windows/macOS/Linux) to define one or more security policy rules based on your application requirements:

gcloud compute security-policies rules create 1000 \
	--security-policy mobile-clients-policy \
	--description "allow traffic from 10.0.15.0/24" \
	--src-ip-ranges "10.0.15.0/24" \
	--action "allow"

06 The command output should return the URL of the updated security policy:

Updated [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/securityPolicies/mobile-clients-policy].

07 Run compute backend-services update command (Windows/macOS/Linux) to attach the new edge security policy to the backend service associated with your Google Cloud load balancer:

gcloud compute backend-services update cc-project5-backend-service \
	--global \
	--edge-security-policy mobile-clients-policy

08 The command output should return the URL of the updated backend service:

Updated [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/backendServices/cc-project5-backend-service].

09 Repeat steps no. 1 – 8 to create and configure more edge security policies for your Google Cloud load balancers.

10 Repeat steps no. 1 – 9 for each project deployed in your Google Cloud Platform (GCP) account.

Publication date May 25, 2023