Cloud Armor to Block Countries

Hello all!

I have a WordPress instance running on Compute Engine and I want to block certain countries from accessing my website. Can I use something like Cloud Armor to prevent a region such as Russia or China from accessing my site?

Thank you all!

2 Likes

Hello @mio-emat, welcome to the Google Cloud Community.

Yes, you are correct. You must create a security policy for that in CEL format. Example policies can be found here:
https://cloud.google.com/armor/docs/rules-language-reference#expression-examples

Info on how to configure a policy: https://cloud.google.com/armor/docs/configure-security-policies


cheers,
DamianS

1 Like

Hello Damian,

Thanks for sharing the info. I am having an issue when trying to create the security policy. Can you take a look at the screenshot and let me know what to put please?

Thanks!

2 Likes

Hi @mio-emat

  1. You must click “ADD A RULE”.
  2. Then Condition → Advanced mode (to block a particular region, use this piece of code and change the region code):
     origin.region_code == 'AU'
  3. Add a priority (can be 1000). Priority is evaluated from 0 (highest) to 2,147,483,647 (lowest).
  4. Click DONE.
  5. You can apply the policy to a target now, or create the policy and then attach it to a target.

Example:
Simple page before policy applied

Simple page with the policy blocking the PL region


cheers,
DamianS

1 Like

Thanks Damian. Quick follow up question: when I try to apply policy to new target, I don’t have any option. What am I doing wrong?

Thanks,

2 Likes

Yes, because you have to configure a load balancer. There is no possibility at this moment to attach Cloud Armor policies to VM instances. There is in fact a feature request for that, but we don’t have an ETA: https://issuetracker.google.com/issues/217773056

If you don’t want to utilize Cloud Armor behind a load balancer, you can use third-party DDoS protection tools like Cloudflare.

PS: You should be able to create Managed Instance Groups from an existing VM, create a load balancer with a backend, and then apply the policy.

PS2: Dunno if the fastest way would be to create MIGs (Managed Instance Groups) with WordPress on them and migrate the old WordPress DB to the new one.

1 Like
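
An added example, not part of any post in this thread: the console steps above done with gcloud, including attaching the policy to a load balancer backend service as the last reply requires. The policy name, the backend service name and the RU/CN codes are assumptions; commands are printed for review and only executed when APPLY=1 is set.

```shell
# Added example. POLICY and BACKEND are hypothetical names, not from the thread.
POLICY="block-countries"
BACKEND="wordpress-backend"   # backend service of the load balancer

# Build the rule condition from ISO 3166-1 alpha-2 codes, e.g. RU CN ->
#   origin.region_code == 'RU' || origin.region_code == 'CN'
# Runs in a subshell "( )" so LC_ALL and the loop variables stay local.
region_expr() (
  LC_ALL=C   # make [A-Z] mean ASCII uppercase only
  expr=""
  for code in "$@"; do
    case "$code" in
      [A-Z][A-Z]) ;;
      # Anything else (lowercase, quotes, extra characters) is rejected so
      # it never ends up inside the expression.
      *) echo "invalid region code: $code" >&2; exit 1 ;;
    esac
    expr="${expr:+$expr || }origin.region_code == '$code'"
  done
  [ -n "$expr" ] || { echo "no region codes given" >&2; exit 1; }
  printf '%s\n' "$expr"
)

# Print each command for review; execute it only when APPLY=1.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '"%s" ' "$@"; echo; fi
}

deploy() {
  cel=$(region_expr "$@") || return 1
  run gcloud compute security-policies create "$POLICY" \
    --description "Block selected countries"
  # Priority 1000, as in the console steps; lower numbers are evaluated first.
  run gcloud compute security-policies rules create 1000 \
    --security-policy "$POLICY" --expression "$cel" --action deny-403
  # The policy attaches to the load balancer's backend service, not to the VM.
  run gcloud compute backend-services update "$BACKEND" \
    --security-policy "$POLICY" --global
}

deploy RU CN
```

After applying, a request from a blocked region should receive HTTP 403 from the load balancer, while requests sent directly to the VM's external IP bypass the policy unless firewall rules restrict them.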