HTTP Load Balancer with Cloud Armor

Objectives

  • Create HTTP and health check firewall rules
  • Configure two instance templates
  • Create two managed instance groups
  • Configure an HTTP Load Balancer with IPv4 and IPv6
  • Stress test an HTTP Load Balancer
  • Denylist an IP address to restrict access to an HTTP Load Balancer

Configure HTTP and health check firewall rules

Create the HTTP firewall rule

  1. In the Cloud Console, navigate to Navigation menu, VPC network > Firewall.
  2. Notice the existing ICMP, internal, RDP, and SSH firewall rules.
  3. Each Google Cloud project starts with the default network and these firewall rules.
  4. Click Create Firewall Rule.
  5. Set the following values, leave all other values at their defaults:

Create the health check firewall rules

  1. Still in the Firewall rules page, click Create Firewall Rule.

Configure instance templates and create instance groups

Configure the instance templates

  1. In the Cloud Console, navigate to Navigation menu, Compute Engine > Instance templates, and then click Create instance template.
  2. For Name, type us-east1-template.
  3. For Series, select N1.
  4. Click Management, security, disks, networking, sole tenancy.
  1. Click on us-east1-template and then click on Create Similar option from the top.
  2. For Name, type europe-west1-template.
  3. Click Management, security, disks, networking, sole tenancy.
  4. Click Networking.
  5. For Subnet, select default (europe-west1).
  6. Click Create.

Create the managed instance groups

  1. Still in Compute Engine, click Instance groups in the left menu.
  2. Click Create instance group.
  3. Set the following values, leave all other values at their defaults:
  4. Click Create Instance group.
  5. Set the following values, leave all other values at their defaults:

Verify the backends

  1. Still in Compute Engine, click VM instances in the left menu.
  2. Notice the instances that start with us-east1-mig and europe-west1-mig. These instances are part of the managed instance groups.
  3. Click on the External IP of an instance of us-east1-mig.

Configure the HTTP Load Balancer

Start the configuration

  1. In the Cloud Console, click Navigation menu, click Network Services > Load balancing, and then click Create load balancer.
  2. Under HTTP(S) Load Balancing, click on Start configuration.

Configure the backend

  1. Click on Backend configuration.
  2. For Backend services & backend buckets, click Create a backend service.
  3. Set the following values, leave all other values at their defaults:

Configure the frontend

  1. Click on Frontend configuration.
  2. Specify the following, leaving all other values at their defaults:

Review and create the HTTP Load Balancer

  1. Click on Review and finalize.

Access the HTTP Load Balancer

Stress test the HTTP Load Balancer

  1. In the Console, navigate to Navigation menu, Compute Engine > VM instances.
  2. Click Create instance.
  3. Set the following values, leave all other values at their defaults:

    sudo apt-get -y install siege
    export LB_IP=[LB_IP_v4]
    siege -c 250 http://$LB_IP

    New configuration template added to /home/cloudcurriculumdeveloper/.siege
    Run siege -C to view the current settings in that file
    [alert] Zip encoding disabled; siege requires zlib support to enable it: No such file or directory
    ** SIEGE 4.0.2
    ** Preparing 250 concurrent users for battle.
    The server is now under siege...

Denylist the siege-vm

Create the security policy

  1. In the Console, navigate to Navigation menu, Compute Engine > VM instances.
  2. Note the External IP of the siege-vm. This will be referred to as [SIEGE_IP].

Verify the security policy

  1. Return to the SSH terminal of siege-vm.
  2. To access the load balancer, run the following:

    curl http://$LB_IP

    <!doctype html><meta charset="utf-8"><meta name=viewport content="width=device-width, initial-scale=1"><title>403</title>403 Forbidden

    siege -c 250 http://$LB_IP

    [alert] Zip encoding disabled; siege requires zlib support to enable it
    ** SIEGE 4.0.2
    ** Preparing 250 concurrent users for battle.
    The server is now under siege...
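
The denylist steps above have a command-line equivalent. The script below is an added example, not part of the original lab: it prints the gcloud commands that deny one source address with a 403 and attach the policy to the load balancer's backend service, and it interprets the status code that curl returns from the denylisted client. The policy name, the backend service name and the rule priority 1000 are assumptions, since the page does not give them.

```shell
# Added example (not from the lab). POLICY and BACKEND names are assumed
# placeholders; priority 1000 is an assumed value below the default rule.

# Succeed only for a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1                 # split the address on dots into $1..$4
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# Print (do not run) the commands that create the policy, add a deny-403
# rule for a single /32 source, and attach the policy to the backend service.
# Usage: denylist_plan SIEGE_IP POLICY BACKEND
denylist_plan() {
  ip=$1 policy=$2 backend=$3
  valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  cat <<EOF
gcloud compute security-policies create $policy
gcloud compute security-policies rules create 1000 --security-policy $policy --src-ip-ranges $ip/32 --action deny-403
gcloud compute backend-services update $backend --security-policy $policy --global
EOF
}

# Interpret the HTTP status seen from the denylisted client.
# 403 means the rule is enforced; 2xx/3xx means the policy is not attached
# or has not propagated yet; anything else (000 = no connection) is unclear.
verdict() {
  case $1 in
    403) echo blocked ;;
    2??|3??) echo not-blocked ;;
    *) echo inconclusive ;;
  esac
}

# On siege-vm, after applying the plan:
#   verdict "$(curl -s -o /dev/null -w '%{http_code}' "http://$LB_IP")"
```

Review the printed plan before piping it to a shell. A new policy keeps its default allow rule, so only the denylisted /32 receives the 403.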

Congratulations!