We enabled Adaptive Protection on Cloud Armor with the Gateway API. But when we tried to mimic potential attacks against our LB service, we could not see any alerts from Adaptive Protection. In the logs we can see those requests are given a 503 status code, and we are not sure whether that is because the Gateway API controller cannot handle the traffic or because the potential attack was actually blocked.
Can you share any ideas, please? We are currently enrolled in the Standard tier of Cloud Armor.
Full Adaptive Protection alerts are available only if you subscribe to Google Cloud Armor Enterprise. Otherwise, you receive only a basic alert. A basic alert contains only minimal information, such as a confidence score for the detection and the attack size. A basic alert includes no attack signature or suggested rule for users to deploy.
Basic alerts sent by Adaptive Protection do not include a suggested Google Cloud Armor rule that you can apply. After Adaptive Protection is enabled, there’s a training period of at least one hour before Adaptive Protection develops a reliable baseline and begins monitoring traffic and generating alerts.
It is recommended that you deploy all new rules in preview mode, then examine your request logs. It is much easier to use Cloud Armor with the policy rules installed in preview mode. This way you can see your rules in action and decide whether they are working as you expect. See Test security policies.
By creating and configuring log-based alerts, you will be notified whenever a specific message appears in your included logs. This documentation provides the required steps for creating log-based alerts.
For security logs, results will only appear depending on what is configured in the security policy and whether any traffic triggers it.
If no such traffic is hitting the policy that is supposed to be blocked, you probably won't see anything; however, if traffic is blocked, it will be recorded in the logs as described in this documentation. Check for the "adaptiveProtection" keyword, which should display Adaptive Protection entries.
If your projects are not already enrolled in Cloud Armor Enterprise, read Using Cloud Armor Enterprise for information about how to enroll.
To see the difference between Standard and Enterprise, this table summarizes the two service tiers, and you can check here for pricing. See also Google Cloud Armor best practices.
As for the 503 error, it typically signifies that the server cannot handle the request due to temporary overload, maintenance, or backend issues. The backend services behind the Load Balancer may be unhealthy, overloaded, or misconfigured. Adaptive Protection must be enabled for the specific Cloud Armor security policy applied to your Gateway API's Load Balancer.
If the issue persists, kindly reach out to Google Cloud Support for further assistance.
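As an added example (not from this thread and not Google's own code), the Python script below triages exported load balancer request log entries the way the answer suggests: it separates requests denied by a deployed Cloud Armor rule from requests that only matched a preview-mode rule and from 503s the load balancer produced because it could not reach the backend, and it flags any entry carrying an adaptiveProtection section. The sample log lines are constructed, not captured. Field paths (httpRequest.status, jsonPayload.statusDetails, enforcedSecurityPolicy, previewSecurityPolicy) follow the external HTTP(S) load balancer request log schema as I know it, and the inner shape of the adaptiveProtection section is an assumption, so compare them against your own export before relying on the classification.

```python
"""Triage external HTTP(S) LB request log entries for Cloud Armor outcomes.

Added example, not from the original thread. Sample entries are constructed.
Field paths follow the LB request-log schema as I know it; the contents of the
adaptiveProtection section are assumed. Check both against your own export.
"""
import json
import sys
from collections import Counter

# Constructed sample log lines (one JSON object per line), trimmed to the fields used here.
SAMPLE_LOG_LINES = [
    # Denied by a deployed Cloud Armor rule: Cloud Armor wrote the 403 itself.
    json.dumps({"httpRequest": {"requestMethod": "GET", "requestUrl": "https://example.test/", "status": 403},
                "jsonPayload": {"statusDetails": "denied_by_security_policy",
                                "enforcedSecurityPolicy": {"name": "my-policy", "priority": 1000,
                                                           "configuredAction": "DENY", "outcome": "DENY"}}}),
    # Allowed by the policy; the LB then failed to reach the backend (503 comes from the LB).
    json.dumps({"httpRequest": {"requestMethod": "GET", "requestUrl": "https://example.test/", "status": 503},
                "jsonPayload": {"statusDetails": "failed_to_connect_to_backend",
                                "enforcedSecurityPolicy": {"name": "my-policy", "priority": 2147483647,
                                                           "configuredAction": "ALLOW", "outcome": "ACCEPT"}}}),
    # Preview-mode rule matched: logged as a would-be DENY, but the request was served normally.
    json.dumps({"httpRequest": {"requestMethod": "GET", "requestUrl": "https://example.test/", "status": 200},
                "jsonPayload": {"statusDetails": "response_sent_by_backend",
                                "enforcedSecurityPolicy": {"name": "my-policy", "priority": 2147483647,
                                                           "configuredAction": "ALLOW", "outcome": "ACCEPT"},
                                "previewSecurityPolicy": {"name": "my-policy", "priority": 500,
                                                          "configuredAction": "DENY", "outcome": "DENY"}}}),
    # Allowed by the policy; an overloaded backend closed the connection early.
    json.dumps({"httpRequest": {"requestMethod": "GET", "requestUrl": "https://example.test/", "status": 503},
                "jsonPayload": {"statusDetails": "backend_connection_closed_before_data_sent_to_client",
                                "enforcedSecurityPolicy": {"name": "my-policy", "priority": 2147483647,
                                                           "configuredAction": "ALLOW", "outcome": "ACCEPT"}}}),
    # Denied by a rule that carries an adaptiveProtection section (inner field names assumed).
    json.dumps({"httpRequest": {"requestMethod": "GET", "requestUrl": "https://example.test/", "status": 403},
                "jsonPayload": {"statusDetails": "denied_by_security_policy",
                                "enforcedSecurityPolicy": {"name": "my-policy", "priority": 900,
                                                           "configuredAction": "DENY", "outcome": "DENY",
                                                           "adaptiveProtection": {"confidence": 0.9}}}}),
]

# statusDetails values that mean the LB could not get a response from the backend.
BACKEND_FAILURE_DETAILS = {
    "failed_to_connect_to_backend",
    "backend_connection_closed_before_data_sent_to_client",
    "backend_timeout",
}


def classify(entry):
    """Return who produced the response for one parsed log entry."""
    payload = entry.get("jsonPayload", {})
    enforced = payload.get("enforcedSecurityPolicy", {})
    preview = payload.get("previewSecurityPolicy", {})
    details = payload.get("statusDetails", "")
    if enforced.get("outcome") == "DENY":
        return "CLOUD_ARMOR_DENY"        # the security policy blocked it
    if preview.get("outcome") == "DENY":
        return "PREVIEW_MATCH"           # a preview rule would have blocked it
    if details in BACKEND_FAILURE_DETAILS:
        return "BACKEND_FAILURE"         # LB-generated error, typically 502/503
    if details == "response_sent_by_backend":
        return "BACKEND_RESPONSE"        # status code chosen by the backend itself
    return "UNKNOWN"


def has_adaptive_protection(obj):
    """True if an adaptiveProtection key appears anywhere in the entry."""
    if isinstance(obj, dict):
        return "adaptiveProtection" in obj or any(has_adaptive_protection(v) for v in obj.values())
    if isinstance(obj, list):
        return any(has_adaptive_protection(v) for v in obj)
    return False


def classify_line(line):
    return classify(json.loads(line))


def summarize(lines):
    """Count entries per class, HTTP status per class, and adaptiveProtection hits."""
    by_class, status_by_class, adaptive = Counter(), {}, 0
    for line in lines:
        entry = json.loads(line)
        cls = classify(entry)
        by_class[cls] += 1
        status_by_class.setdefault(cls, Counter())[entry["httpRequest"]["status"]] += 1
        adaptive += has_adaptive_protection(entry)
    return {"by_class": dict(by_class),
            "status_by_class": {k: dict(v) for k, v in status_by_class.items()},
            "adaptive_protection_entries": adaptive}


if __name__ == "__main__":
    # Read JSON-lines log entries from stdin, or fall back to the constructed sample.
    source = SAMPLE_LOG_LINES if sys.stdin.isatty() else [l for l in sys.stdin if l.strip()]
    print(json.dumps(summarize(source), indent=2))
```

Run it against a JSON-lines export of the load balancer request logs; if every 503 lands in BACKEND_FAILURE or BACKEND_RESPONSE while CLOUD_ARMOR_DENY stays empty, the policy is not what is producing those status codes, and a PREVIEW_MATCH count tells you how many requests a preview-mode rule would have stopped once deployed.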
Currently we would like to see the effect of Adaptive Protection. After waiting for the training period, we tried to hit our backend with malicious traffic. This backend was protected by Adaptive Protection enabled in the security policy, yet our backend went down again under the overload traffic. And we did not see any alert coming from the Adaptive Protection dashboard or related logs, which means this protection was not detecting this malicious traffic.
Can you share any ideas about how we can ensure the protection is working properly?