
Protecting Google Cloud VPC Resources with Cloud Armor

This lab will guide you through the process of creating a Cloud Armor policy, which will be used to protect against a simulated distributed denial-of-service (DDoS) attack.


Path Info

Intermediate
45m
Nov 08, 2019


Table of Contents

  1. Challenge

    Set Up Your Load Balanced Application

    • Open Cloud Shell.

    • Enter the following command to download and run a script that will automatically build your load balanced application, along with the ddos-attack instance:

      wget && source

    • After waiting about 5 minutes, browse to the frontend IP address (provided at the end of the script) to view the load balanced application's webpage.

    • Be sure to copy/paste the frontend IP address (or write it down) as you will need to refer to it later.

  2. Challenge

    Begin Simulated DDoS Attack

    • In the web console, select Compute Engine from the top-left menu.

    • SSH into the ddos-attack instance.

    • Enter the following command to open 1000 concurrent connections to the application, substituting your frontend IP address for <YOUR_FRONTEND_IP>:

      ab -n 10000000 -c 1000 http://<YOUR_FRONTEND_IP>/

    • Once the command has run, wait a few minutes for your ddos-attack instance to generate traffic and create metrics, and then return to the web console.

  3. Challenge

    View Load Balancer Backend Traffic

    • Go to your load balancer page by selecting Network Services > Load Balancing in the top-left menu.
    • Select the BACKENDS tab.
    • Select http-backend.
    • You should be able to view the metrics for the backend traffic distribution. If you refresh your page every few minutes, the backend distribution will shift between regions as one region becomes overwhelmed, causing the load balancer to redistribute traffic to the other region.
  4. Challenge

    Create a Cloud Armor Policy to Deny Traffic from the 'ddos-attack' Instance

    • In Compute Engine, copy the external IP address of the ddos-attack instance.
    • In the web console, select Network Security > Cloud Armor in the top-left menu.
    • Create a policy named block-ddos.
    • Set the Default rule action to Allow.
    • Click NEXT STEP.
    • Click ADD RULE.
    • In the Match field, paste the external IP address of the ddos-attack instance.
    • Set Action to Deny.
    • Set Deny status to 403 (Forbidden).
    • Set Priority to 1000.
    • Click DONE.
    • Click NEXT STEP.
    • Click ADD TARGET.
    • Under Type, select Load balancer backend service (should be the default).
    • Under Target, select http-backend.
    • Click CREATE POLICY.
  5. Challenge

    View Logs and Results

    • Wait a few minutes for new logs to generate.
    • In the Cloud Armor menu, select your block-ddos policy.
    • Select the LOGS tab.
    • Click View policy logs, which should open Stackdriver Logging for your Cloud HTTP Load Balancer requests.
    • Click the Jump to now button to jump to the latest records.
    • Expand a recent record (should be in an error state), then click the Expand nested fields button.
    • Confirm that the logged external IP matches the ddos-attack instance.
    • Under the field jsonPayload, there should be a sub-field for enforcedSecurityPolicy. If you do not see this field, wait a few more minutes, then click Jump to now again to jump to the latest records.
    • View the enforcedSecurityPolicy field. It should provide confirmation that the traffic request from your instance was denied due to the block-ddos policy.
    • Go back to your load balancer backend and confirm that traffic requests have been reduced.
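
The checks in the last two challenges (deny rule at priority 1000 in block-ddos, then the enforcedSecurityPolicy field in the logs) can also be run over exported log entries. This is an added example, not part of the original lab: the IP addresses, sample entries and category names are constructed, and it assumes the entries were exported as one JSON object per line.

```python
import json
from collections import Counter

POLICY = "block-ddos"          # policy name used in the lab
ATTACKER_IP = "203.0.113.10"   # constructed stand-in for the ddos-attack external IP

# Constructed sample entries shaped like exported load balancer request logs.
SAMPLE_LOG = """
{"httpRequest": {"remoteIp": "203.0.113.10", "status": 200}, "jsonPayload": {}}
{"httpRequest": {"remoteIp": "203.0.113.10", "status": 403}, "jsonPayload": {"enforcedSecurityPolicy": {"name": "block-ddos", "priority": 1000, "configuredAction": "DENY", "outcome": "DENY"}}}
{"httpRequest": {"remoteIp": "203.0.113.10", "status": 403}, "jsonPayload": {"enforcedSecurityPolicy": {"name": "block-ddos", "priority": 1000, "configuredAction": "DENY", "outcome": "DENY"}}}
{"httpRequest": {"remoteIp": "198.51.100.23", "status": 200}, "jsonPayload": {"enforcedSecurityPolicy": {"name": "block-ddos", "priority": 2147483647, "configuredAction": "ALLOW", "outcome": "ACCEPT"}}}
"""


def classify(entry, policy=POLICY, attacker_ip=ATTACKER_IP):
    """Label one log entry according to what the policy did with the request."""
    req = entry.get("httpRequest", {})
    esp = entry.get("jsonPayload", {}).get("enforcedSecurityPolicy")
    from_attacker = req.get("remoteIp") == attacker_ip
    if esp is None:
        # No policy was evaluated: logged before the policy was attached.
        return "attacker_unfiltered" if from_attacker else "no_policy_field"
    denied = esp.get("name") == policy and esp.get("outcome") == "DENY"
    if denied and from_attacker:
        return "attacker_denied"
    if denied:
        # The deny rule matched a client other than the intended source.
        return "other_client_denied"
    return "attacker_allowed" if from_attacker else "allowed"


def summarize(text):
    """Count entries per label for newline-delimited JSON log text."""
    counts = Counter()
    for line in text.strip().splitlines():
        counts[classify(json.loads(line))] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{label}: {count}")
```

A non-zero `attacker_allowed` or `other_client_denied` count after the policy has propagated means the rule's Match value does not cover exactly the intended address.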

The Cloud Content team comprises subject matter experts hyper focused on services offered by the leading cloud vendors (AWS, GCP, and Azure), as well as cloud-related technologies such as Linux and DevOps. The team is thrilled to share their knowledge to help you build modern tech solutions from the ground up, secure and optimize your environments, and so much more!
