At Google Cloud, we built Media CDN on a simple premise: to give our customers access to the same massive-scale infrastructure that powers YouTube. Whether you are delivering live sporting events to millions of concurrent viewers, distributing 100GB game downloads, or streaming 4K VOD libraries, Media CDN offers the global reach and throughput required for the modern internet.
But in the media industry, delivery is only half the battle. The other half is protection.
Content piracy, unauthorized scraping, and geo-licensing circumvention are constant challenges. To address these, we have long integrated Google Cloud Armor edge security policies directly into Media CDN. Today, I am excited to announce that we are deepening this integration. Media CDN now supports Google Network Threat Intelligence (NTI) and Autonomous System Number (ASN) matching in edge security policies.
Here is how these new capabilities change the game for media workloads.
The foundation: How Media CDN customers secure content today
Since launch, Media CDN customers have used Cloud Armor edge security policies to enforce essential access controls. We know that media traffic is different from standard web traffic: it is high-volume, long-duration, and rights-managed.
Historically, our customers have relied on three core pillars:
- Geo-blocking: Using Region Codes (e.g., origin.region_code == 'AU') to ensure content is only served to countries where valid licensing rights exist.
- IP Enforcement: Using Allow/Denylists (CIDR blocks) to restrict access to corporate offices or block known bad actors.
- Header Filtering: Validating specific User-Agent or Referer headers to ensure requests originate from authorized players and devices.
While these tools are powerful, the threat landscape has evolved. Attackers may now use "rotating" residential proxies and hide behind legitimate cloud infrastructure to evade your security rules.
To stay ahead, media security needs to be dynamic and network-aware. That is where NTI and ASN support come in.
What's new: Network intelligence at the edge
With the introduction of Google Network Threat Intelligence and ASN filtering, Media CDN customers can now move from reactive "whack-a-mole" list management to proactive, intelligence-led defense.
1. Google Network Threat Intelligence (NTI): Curated, dynamic protection
Maintaining lists of malicious IPs manually is operational toil. With NTI, you can leverage the same threat intelligence that protects Google properties (like Search, Gmail, and YouTube).
For Media CDN specifically, we recommend leveraging specific NTI feeds that target the unique behaviors of content theft:
- Stop known attackers (iplist-known-malicious-ips): These IPs are confirmed sources of malicious activity, such as SQL injection or exploits. Blocking them at the edge is a proactive step that keeps your traffic clean and reduces the risk of an incident.
- Block "public cloud" traffic (iplist-public-clouds): Real human users usually watch movies from residential ISPs (like Comcast, Verizon, or Jio), not from public cloud VMs. Blocking this feed stops traffic originating from public cloud IP ranges.
- Stop geo-circumvention (iplist-anon-proxies & iplist-tor-exit-nodes): Users attempting to bypass your geo-restrictions often use anonymous proxies. NTI updates these lists in real-time, helping you enforce your territorial licensing agreements more effectively than static lists ever could.
- Reduce egress costs: Every byte served to a botnet or crypto-miner (iplist-crypto-miners) is wasted money. By blocking these known malicious actors at the edge, before the cache is even hit, you protect your origin infrastructure and reduce unnecessary egress spend.
2. ASN Filtering: The network-level control
Sometimes, blocking IPs isn't enough. You need to block the network responsible for the traffic. We now support filtering by Autonomous System Number (ASN).
This provides a "cleaner" way to manage broad security rules:
- The "bad neighborhood" problem: If a specific hosting provider allows piracy sites to host on their network, blocking their IPs one by one is inefficient. With ASN filtering, you can block the provider's entire ASN (e.g., origin.asn == 12345), preventing them from simply rotating IPs to evade your blocks.
- ISP-specific licensing: In complex media rights deals, you might have exclusive rights to stream content on specific ISPs while being restricted on others within the same country. ASN filtering allows you to implement this granular logic precisely, allowing traffic from ISP A while blocking ISP B, without affecting the rest of the country.
Putting it together
By combining these new capabilities, Media CDN customers can create robust, layered security policies.
For example, a streaming platform can now configure a single Cloud Armor policy that:
- Allows legitimate users from a specific country (Geo-targeting).
- Blocks traffic from known public cloud providers (NTI) to stop scrapers.
- Blocks a specific ASN known for hosting VPNs (ASN filtering).
- Allows search engine crawlers (NTI) to ensure content remains discoverable for SEO.
```bash
#!/bin/bash
# Stop on the first failed command so the success message is only printed
# when every rule was actually created.
set -euo pipefail

POLICY_NAME="edge-policy-geo-nti-asn"
PROJECT_ID="$(gcloud config get-value project)"

# 1. Create the Edge Policy
gcloud compute security-policies create "$POLICY_NAME" \
  --project="$PROJECT_ID" \
  --type=CLOUD_ARMOR_EDGE \
  --description="Geo-targeting with NTI and ASN filtering"

# 2. Set Default Rule to DENY (Enforce Geo-targeting)
# By default, we block everyone. We will open up access in later rules.
gcloud compute security-policies rules update 2147483647 \
  --project="$PROJECT_ID" \
  --security-policy="$POLICY_NAME" \
  --action="deny-403" \
  --description="Default deny all"

# 3. PRIORITY 1000: Allow Search Engines (NTI)
# Must be first so Google/Bing bots aren't blocked by Cloud/ASN/Geo rules.
gcloud compute security-policies rules create 1000 \
  --project="$PROJECT_ID" \
  --security-policy="$POLICY_NAME" \
  --expression="evaluateThreatIntelligence('iplist-search-engines-crawlers')" \
  --action="allow" \
  --description="Allow Search Engine Crawlers"

# 4. PRIORITY 2000: Block Specific ASN (ASN Filtering)
# Example: Blocking ASN 12345 (e.g., a known VPN/Hosting provider).
gcloud compute security-policies rules create 2000 \
  --project="$PROJECT_ID" \
  --security-policy="$POLICY_NAME" \
  --expression="origin.asn == 12345" \
  --action="deny-403" \
  --description="Block Specific VPN ASN"

# 5. PRIORITY 3000: Block Public Clouds (NTI)
# Stops scrapers running on AWS/Azure/GCP, even if they are in the allowed country.
gcloud compute security-policies rules create 3000 \
  --project="$PROJECT_ID" \
  --security-policy="$POLICY_NAME" \
  --expression="evaluateThreatIntelligence('iplist-public-clouds')" \
  --action="deny-403" \
  --description="Block Public Cloud Traffic"

# 6. PRIORITY 4000: Allow Specific Country (Geo-targeting)
# Finally, if they aren't a crawler, a bad ASN, or a public cloud,
# allow them if they are in the target country (e.g., 'US').
gcloud compute security-policies rules create 4000 \
  --project="$PROJECT_ID" \
  --security-policy="$POLICY_NAME" \
  --expression="origin.region_code == 'US'" \
  --action="allow" \
  --description="Allow legitimate US traffic"

echo "Policy $POLICY_NAME created successfully."
```
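The priorities in the script matter because Cloud Armor applies the first matching rule in ascending priority number. The Python model below is an added example, not code from the original post or from Google: it replays the script's five rules against constructed requests and shows what changes if the geo allow rule is moved to a hypothetical priority 1500. The `Request` and `Rule` types, the sample requests and the feed-membership stand-in are assumptions made for illustration.

```python
from typing import Callable, NamedTuple
DEFAULT_PRIORITY = 2147483647  # priority of the default rule in the script above
CLOUD, CRAWLER = "iplist-public-clouds", "iplist-search-engines-crawlers"

class Request(NamedTuple):
    region_code: str
    asn: int
    feeds: frozenset = frozenset()  # NTI lists the source IP is on (stand-in for the real lookup)

class Rule(NamedTuple):
    priority: int
    action: str
    matches: Callable[[Request], bool]

def in_feed(name):
    return lambda req: name in req.feeds
# Same priorities, match conditions and actions as the gcloud script on this page.
POLICY = [
    Rule(1000, "allow", in_feed(CRAWLER)),
    Rule(2000, "deny-403", lambda req: req.asn == 12345),
    Rule(3000, "deny-403", in_feed(CLOUD)),
    Rule(4000, "allow", lambda req: req.region_code == "US"),
    Rule(DEFAULT_PRIORITY, "deny-403", lambda req: True),
]

def evaluate(policy, request):
    """Return (priority, action) of the first matching rule, lowest priority number first."""
    for rule in sorted(policy, key=lambda r: r.priority):
        if rule.matches(request):
            return rule.priority, rule.action
    raise ValueError("policy has no default rule")

def with_priority(policy, old, new):
    """Return a copy of the policy with the rule at priority `old` moved to `new`."""
    return [r._replace(priority=new) if r.priority == old else r for r in policy]

# Constructed sample requests; ASNs 64500-64503 are from the documentation-reserved range.
SAMPLES = {
    "US residential viewer": Request("US", 64500),
    "US viewer on blocked ASN": Request("US", 12345),
    "US scraper on a cloud VM": Request("US", 64501, frozenset({CLOUD})),
    "crawler hosted in a cloud": Request("IE", 64502, frozenset({CRAWLER, CLOUD})),
    "non-US residential viewer": Request("AU", 64503),
}

if __name__ == "__main__":
    misordered = with_priority(POLICY, 4000, 1500)  # geo allow moved above both deny rules
    for name, req in SAMPLES.items():
        print(f"{name:26} as written={evaluate(POLICY, req)} misordered={evaluate(misordered, req)}")
```

With the geo allow rule ahead of the deny rules, the blocked-ASN viewer and the cloud-hosted scraper are both allowed, which is why the script places it last before the default deny.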
Get started
Cloud Armor's NTI and ASN features are available to help you secure your Media CDN content delivery. NTI is available with Cloud Armor Enterprise. Check out our documentation to learn more about configuring security policies for your Media CDN services and ensure you are delivering content only to your intended audience.