{"id":19317690,"url":"https://github.com/queeniecplusplus/lb_armor","last_synced_at":"2026-03-02T13:33:54.727Z","repository":{"id":104588340,"uuid":"310447824","full_name":"QueenieCplusplus/LB_Armor","owner":"QueenieCplusplus","description":"LB \u0026 Security Policy","archived":false,"fork":false,"pushed_at":"2020-11-06T02:27:26.000Z","size":214,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-06T04:24:53.440Z","etag":null,"topics":["amor","lb"],"latest_commit_sha":null,"homepage":"https://github.com/QueenieCplusplus/QuickGoThru/blob/master/README.md#lb","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/QueenieCplusplus.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-11-06T00:10:56.000Z","updated_at":"2020-11-06T02:27:28.000Z","dependencies_parsed_at":null,"dependency_job_id":"f24c9658-14d8-4403-a732-288a4fe59337","html_url":"https://github.com/QueenieCplusplus/LB_Armor","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/QueenieCplusplus%2FLB_Armor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/QueenieCplusplus%2FLB_Armor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/QueenieCplusplus%2FLB_Armor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/QueenieCplusplus%2FLB_Armor/manifests","owner_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/owners/QueenieCplusplus","download_url":"https://codeload.github.com/QueenieCplusplus/LB_Armor/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240420940,"owners_count":19798501,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["amor","lb"],"created_at":"2024-11-10T01:15:55.040Z","updated_at":"2026-03-02T13:33:49.692Z","avatar_url":"https://github.com/QueenieCplusplus.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# LB \u0026 Armor Security Policy\n\nThe LB forwards the user's request to the Backend Service that is closest to the user.\n\n\n      User \u003c------------ Armor ----- Proxy, LB  ----- POP (point of presence, edge of Cloud) ------- FW ----------\u003e Service (Instance Group -\u003e Instance)\n\n\n![armor](https://cdn.qwiklabs.com/7wJtCqbfTFLwKCpOMzUSyPjVKBjUouWHbduOqMpfRiM%3D)\n\nGoogle Cloud HTTP(S) load balancing is implemented at the edge of Google's network in Google's points of presence (POP) around the world. User traffic directed to an HTTP(S) load balancer enters the POP closest to the user and is then load balanced over Google's global network to the closest backend that has sufficient capacity available.\n\nCloud Armor IP allowlists/denylists enable you to restrict or allow access to your HTTP(S) load balancer at the edge of Google Cloud, as close as possible to the user and to malicious traffic. 
This prevents malicious users or traffic from consuming resources or entering your virtual private cloud (VPC) networks.\n\nIn this lab, you configure an HTTP Load Balancer with global backends, as shown in the diagram below. Then, you stress test the Load Balancer and denylist the stress test IP with Cloud Armor.\n\n\n# Core Steps:\n\n(1) set up FW rules (connection to Backend)\n\n(2) create GCE instance Templates\n\n(3) create GCE instance Group\n\n(4) check/explore the External IP of a VM instance (part of the instance group from step 3)\n\n(5) config Backend Service for Load Balancer\n\n(6) config Frontend Service for Load Balancer\n\n(7) note the IPv4/IPv6 of the LB_IP (the served page shows the client IP, and Hostname.Location as InstanceGroupName.Zone)\n\n(8) make a VM to run a test against the Load Balancer\n\n(9) monitor network flow from the user (VM created in step 8) to the backend service (created in step 5)\n\n(10) stop the request test to the LB\n\n![armor](https://raw.githubusercontent.com/QueenieCplusplus/QuickGoThru/master/armor.jpg)\n\n(11) use an Armor Security Policy for the LB\n\n(12) test Armor\n\n------------------\n\n# GCE Instance Group \u0026 its Instance Templates\n\nfrom step 1\n\n\u003e config FW for Backend\n\n* 1.1, in cloud console, navigate to Network \u003e\u003e VPC \u003e\u003e FW\n\n![fw](https://cdn.qwiklabs.com/o3ZzeAWb50voTy3ENkYicuiDP9Wen8Sybx83FHz9XhY%3D)\n\n* 1.2, create a FW rule (note the existing rules for internal, RDP, SSH, ICMP), then set the property values below. The two source ranges are the Google Cloud health-check source ranges, so this rule only admits health-check probes, not general Internet traffic.\n\n            Property\t       Value (type value or select option as specified)\n            Name\t       default-allow-health-check\n            Network\t       default\n            Targets\t       Specified target tags\n            Target tags\t       http-server\n            Source filter\tIP Ranges\n            Source IP ranges\t130.211.0.0/22, 35.191.0.0/16\n            Protocols and ports\tSpecified protocols and ports, and then check tcp\n            \n \n from step 2\n \n \u003e create GCE instance 
templates\n \n\n* 2.1, in cloud console, navigate to GCE \u003e\u003e instance template, type the template's name, then click on \"Mgmt \u0026 Disk \u0026 Network\", and click on the \"management\" tab.\n\n                      Key\t                Value\n                    startup-script-url\tgs://cloud-training/gcpnet/httplb/startup.sh\n                    \n* tips \u0026 attentions: the script below is the startup script for the instance template, which is configured as Metadata in the console.\n \n            #! /bin/bash\n\n            # install Apache with PHP and fetch the lab's index page\n            apt-get update \n            apt-get install -y apache2 php\n            apt-get install -y wget\n            cd /var/www/html\n            rm index.html -f\n            rm index.php -f\n            wget https://storage.googleapis.com/cloud-training/gcpnet/httplb/index.php\n            # ask the metadata server for this instance's zone (projects/NUM/zones/ZONE)\n            META_REGION_STRING=$(curl \"http://metadata.google.internal/computeMetadata/v1/instance/zone\" -H \"Metadata-Flavor: Google\")\n            # the 4th '/'-separated field is the zone name, e.g. us-east1-b\n            REGION=`echo \"$META_REGION_STRING\" | awk -F/ '{print $4}'`\n            # stamp the zone into the page so the served response shows where it came from\n            sed -i \"s|region-here|$REGION|\" index.php\n\n* 2.2, click on the \"networking\" tab to config its network properties, then wait for the instance template to be created.\n\n            Property\t  Value (type value or select option as specified)\n            Network\t  default\n            Subnet\t  default (us-east1)\n            Network tags  http-server\n\n * tips \u0026 attentions:\n \n The network tag http-server ensures that the HTTP and Health Check firewall rules apply to the instances created from this template.\n\n* 2.3, copy this template to a new instance template, name it, then change its subnet.\n\n       Now create another instance template for subnet-b by copying us-east1-template.\n       \n       For Network interfaces, select default (europe-west1) as the Subnet.\n\nfrom step 3:\n\n\u003e create GCE instance Group.\n\n* 3.1, in cloud console, navigate to GCE \u003e\u003e instance group.\n\n            Property\t      Value (type value or select option as 
specified)\n            Name\t      us-east1-mig [group name]\n            Location\t      Multiple zones\n            Region\t      us-east1\n            Instance template\tus-east1-template [gce instance template name]\n            Autoscaling \u003e Autoscaling metrics \u003e Metric type\tCPU utilization\n            Target CPU utilization\t           80\n            Minimum number of instances\t1\n            Maximum number of instances\t5 (scales up automatically depending on load)\n            Cool-down period\t            45\n\n* tips \u0026 attentions:\n\nManaged instance groups offer Autoscaling capabilities that allow you to automatically add or remove instances from a managed instance group based on increases or decreases in load. \n\nAutoscaling helps your app gracefully handle increases in traffic and reduces cost when the need for resources is lower. You just define the autoscaling policy and the autoscaler performs automatic scaling based on the measured load.\n\n* 3.3, create another instance group, name it europe-west1-mig, and use europe-west1-template.\n\n\nstart from step 4:\n\n\u003e explore the GCE instances created by the instance groups, and their External IP addr.\n\n* 4.1, in cloud console, navigate to GCE \u003e\u003e VM instance.\n\n        Notice the instances that start with us-east1-mig and europe-west1-mig.\n\n        These instances are part of the managed instance groups.\n        \n        Click on the External IP of one of these instances.\n        \n        [output is Client IP and Hostname.Location as InstanceGroupName.Zone]\n        \n     ![client ip](https://cdn.qwiklabs.com/cB4rkhddQchP1iTAc7xNeF5Bly34SwjtieR406NQM9w%3D)\n\n# Backend Service\n\nstart from step 5:\n\n\u003e LB config (Backend Service)\n\n* 5.1, in cloud console, navigate to Network \u003e\u003e LB\n\n         Select From Internet to my VMs, and click Continue.\n\n         Set the Name to http-lb [any name you like].\n\n* 5.2, then click on \"Backend 
Services Config\". For Backend services \u0026 backend buckets, click Create or select backend services \u0026 backend buckets, then click Backend services, then click Create a backend service, and config its properties.\n\n            Property\t            Value (select option as specified)\n            Name\t            http-backend [LB's Backend Service Name]\n            Instance group\tus-east1-mig\n            Port numbers\t80\n            Balancing mode\tRate\n            Maximum RPS\t            50\n            Capacity\t            100\n            \n            [output]\n            \n     ![LB's Backend Service](https://cdn.qwiklabs.com/4ak8cQih5SEtXSTrnspw0zooJZm3ZmBoBpEk3KZDz7o%3D)\n\n\n* tips \u0026 attentions:\n\nBackend services direct incoming traffic to one or more attached backends. Each backend is composed of an instance group and additional serving capacity metadata.\n\nThis configuration means that the load balancer attempts to keep each instance of us-east1-mig at or below 50 requests per second (RPS).\n\n* 5.3, then create a health check rule for this LB's Backend Service.\n\n\n            Property\tValue (select option as specified)\n            Name\thttp-health-check\n            Protocol\tTCP\n            Port\t80\n            \n            [output]\n            \n    ![health check](https://cdn.qwiklabs.com/O3aCrf4mUTpnJaZ6XlNAgyTYmfPkrJCw6diNUWvRTd0%3D)\n \n \n# Frontend Service\n            \nstart from step 6:\n\n\u003e LB config (Frontend Service)\n\nThe host and path rules determine how your traffic will be directed. For example, you could direct video traffic to one backend and static traffic to another backend. 
(we skip them in this step.)\n\n* 6.1, click on \"frontend config\", set the properties below, and leave all other values as default.\n\n\n            Property\tValue (type value or select option as specified)\n            Protocol\tHTTP\n            IP version\tIPv4\n            IP address\tEphemeral\n            Port\t80\n\n* 6.2, click on \"add frontend ip and port\", set the properties below, and leave all other values as default.\n\n\n            Property\tValue (type value or select option as specified)\n            Protocol\tHTTP\n            IP version\tIPv6\n            IP address\tEphemeral\n            Port\t80\n\n* tips \u0026 attentions:\n\nHTTP(S) load balancing supports both IPv4 and IPv6 addresses for client traffic. Client IPv6 requests are terminated at the global load balancing layer, then proxied over IPv4 to your backends.\n\n \n# Load Balancer\n\nstart from step 7:\n\n\u003e explore LB IP\n\n* 7.1, after reviewing and finalizing the Load Balancer, click on \"Create\".\n\n    ![review](https://cdn.qwiklabs.com/HYVSJ9uZjtwq%2BA8XqZTdafRPIQrtKZ2E6sfJuakiRFI%3D)\n    \n* 7.2, name the Load Balancer, and find its IP addr. Click on the name of the load balancer (http-lb).\nNote the IPv4 and IPv6 addresses of the load balancer for the next task. \nThey will be referred to as [LB_IP_v4] and [LB_IP_v6], respectively.\n\n* tips \u0026 attentions:\n\nIt might take up to 5 minutes to access the HTTP Load Balancer. In the meantime, you might get a 404 or 502 error. Keep trying until you see the page of one of the backends.\n\nDepending on your proximity to us-east1 and europe-west1, your traffic is forwarded to either a us-east1-mig or a europe-west1-mig instance.\n\nIf you have a local IPv6 address, try the IPv6 address of the HTTP Load Balancer by navigating to http://[LB_IP_v6]. 
Make sure to replace [LB_IP_v6] with the IPv6 address of the load balancer.\n\nstart from step 8:\n\n\u003e Do the test.\n\n* 8.1, create a new VM instance (here we place it in us-west1); later on, we will use it to connect to the backends in us-east1 (location=zone) \u0026 europe-west1 (location=zone).\n\n            Property\tValue (type value or select option as specified)\n            Name\tsiege-vm\n            Region\tus-west1\n            Zone\tus-west1-c\n            \n* tips \u0026 attentions:\n\nGiven that us-west1 is closer to us-east1 than to europe-west1, traffic should be forwarded only to us-east1-mig (unless the load is too high).\n\n* 8.2, for siege-vm, click SSH in the cloud console to launch a terminal and connect.\n\n* 8.3, in the SSH terminal of siege-vm, type the commands below.\n\n          sudo apt-get -y install siege\n          \n          export LB_IP=[LB_IP_v4]\n          \n          siege -c 250 http://$LB_IP\n          \n          [output]\n          \n          New configuration template added to /home/cloudcurriculumdeveloper/.siege\n          Run siege -C to view the current settings in that file\n          [alert] Zip encoding disabled; siege requires zlib support to enable it: No such file or directory\n         ** SIEGE 4.0.2\n         ** Preparing 250 concurrent users for battle.\n         The server is now under siege...\n\nstart from step 9:\n\n\u003e Monitor Network Flow for LB\n\n* 9.1, in cloud console, navigate to Network \u003e\u003e LB \u003e\u003e Backend \u003e\u003e [Backend Service Name].\n\n       [output in UI]\n       \n    ![flow](https://cdn.qwiklabs.com/YsNXQ3Hvf12bu7zmL%2B4cxUeGO01%2B4uchVOnaVW1QcMc%3D)\n\nstart from step 10:\n\n\u003e Stop Req to LB\n\n* 10.1, return to the SSH terminal of siege-vm, and press CTRL+C to stop siege.\n\n* 10.2, explore the External IP of the siege-vm.\nIn the Console, navigate to Navigation menu \u003e Compute Engine \u003e VM instances.\nNote the External IP of the siege-vm. 
This will be referred to as [SIEGE_IP].\n\n\n# Armor, Security Policy Tool\n\nstart from step 11:\n\n\u003e Use Armor for the LB\n\n* 11.1, in cloud console, navigate to Network \u003e\u003e Security \u003e\u003e Cloud Armor, create a policy, then add a rule.\n\n            Property\t           Value (type value or select option as specified)\n            Name\t           denylist-siege\n            Default rule action\tAllow\n\n* 11.2, add a rule.\n\n            Property\tValue (type value or select option as specified)\n            Condition\tEnter the SIEGE_IP // copy the IP shown in step 10.2\n            Action\tDeny\n            Deny status\t403 (Forbidden)\n            Priority\t1000\n\n* 11.3, finish the config after selecting Load balancer backend service for Type and http-backend for Target.\n\nstart from step 12\n\n\u003e Test Armor (with its denylist)\n\n* 12.1, return to the SSH terminal of the siege-vm, and test connectivity with the LB.\n\n      curl http://$LB_IP\n      \n      [output is 403 Forbidden]\n      \n      \u003c!doctype html\u003e\u003cmeta charset=\"utf-8\"\u003e\u003cmeta name=viewport content=\"width=device-width, initial-scale=1\"\u003e\u003ctitle\u003e403\u003c/title\u003e403 Forbidden\n      \n      \n      siege -c 250 http://$LB_IP\n      \n      [output: the log shows that the traffic is blocked due to the security policy]\n      \n      [alert] Zip encoding disabled; siege requires zlib support to enable it\n      ** SIEGE 4.0.2\n      ** Preparing 250 concurrent users for battle.\n      The server is now under siege...\n      \n      [to see the Log Entry of siege-vm requests to the LB]\n      \n    ![log](https://cdn.qwiklabs.com/v8S72ZbDR5t%2BeSvmpwlqEKJS2105mC%2Fq9E%2FW%2FHb3eo0%3D)\n\n* 12.2, test a normal browser's connectivity to the LB.\n\nOpen a new tab in your browser and navigate to http://[LB_IP_v4]. 
Make sure to replace [LB_IP_v4] with the IPv4 address of the load balancer.\n\n      [output]\n      You can access the HTTP LB from your browser because of the default rule to allow traffic; \n      however, you cannot access it from the siege-vm because of the deny rule (Armor) that you implemented.\n\n\n# Ref code\n\n1232\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqueeniecplusplus%2Flb_armor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fqueeniecplusplus%2Flb_armor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fqueeniecplusplus%2Flb_armor/lists"}