HTTP Load Balancer with Cloud Armor

HTTP Load Balancer with Cloud Armor

Objectives

In this article, you learn how to perform the following tasks:

• Create HTTP and health check firewall rules
• Configure two instance templates
• Create two managed instance groups
• Configure an HTTP Load Balancer with IPv4 and IPv6
• Stress test an HTTP Load Balancer
• Denylist an IP address to restrict access to an HTTP Load Balancer

Configure HTTP and health check firewall rules

Configure firewall rules to allow HTTP traffic to the backends and TCP traffic from the Google Cloud health checker.

Create the HTTP firewall rule

Create a firewall rule to allow HTTP traffic to the backends.

1. In the Cloud Console, navigate to Navigation menu, VPC network > Firewall.

1. Notice the existing ICMP, internal, RDP, and SSH firewall rules.
2. Each Google Cloud project starts with the default network and these firewall rules.
3. Click Create Firewall Rule.
4. Set the following values, leave all other values at their defaults:

Make sure to include the /0 in the Source IP ranges to specify all networks.

5. Click Create.

Create the health check firewall rules

Health checks determine which instances of a load balancer can receive new connections. For HTTP load balancing, the health check probes to your load balanced instances come from addresses in the ranges 130.211.0.0/22 and 35.191.0.0/16. Your firewall rules must allow these connections.

1. Still in the Firewall rules page, click Create Firewall Rule.

2. Set the following values, leave all other values at their defaults:

Make sure to enter the two Source IP ranges one-by-one and pressing SPACE in between them.

3. Click Create.

Configure instance templates and create instance groups

A managed instance group uses an instance template to create a group of identical instances. Use these to create the backends of the HTTP Load Balancer.

Configure the instance templates

An instance template is an API resource that you use to create VM instances and managed instance groups. Instance templates define the machine type, boot disk image, subnet, labels, and other instance properties. Create one instance template for us-east1 and one for europe-west1.

1. In the Cloud Console, navigate to Navigation menu, Compute Engine > Instance templates, and then click Create instance template.
2. For Name, type us-east1-template.
3. For Series, select N1.
4. Click Management, security, disks, networking, sole tenancy.

5. Click the Management tab.

6. Under Metadata, specify the following:

The startup-script-url specifies a script that executes when instances are started. This script installs Apache and changes the welcome page to include the client IP and the name, region, and zone of the VM instance. Feel free to explore this script here.

7. Click Networking.

8. Set the following values and leave all other values at their defaults:

The network tag http-server ensures that the HTTP and Health Check firewall rules apply to these instances.

9. Click Create.

10. Wait for the instance template to be created.

Now create another instance template for subnet-b by copying us-east1-template:

1. Click on us-east1-template and then click on Create Similar option from the top.
2. For Name, type europe-west1-template.
3. Click Management, security, disks, networking, sole tenancy.
4. Click Networking.
5. For Subnet, select default (europe-west1).
6. Click Create.

Create the managed instance groups

Create a managed instance group in us-east1 and one in europe-west1.

1. Still in Compute Engine, click Instance groups in the left menu.

1. Click Create instance group.
2. Set the following values, leave all other values at their defaults:

Managed instance groups offer autoscaling capabilities that allow you to automatically add or remove instances from a managed instance group based on increases or decreases in load. Autoscaling helps your applications gracefully handle increases in traffic and reduces cost when the need for resources is lower. You just define the autoscaling policy and the autoscaler performs automatic scaling based on the measured load.

3. Click Create.

Now repeat the same procedure for create a second instance group for europe-west1-mig in europe-west1:

1. Click Create Instance group.
2. Set the following values, leave all other values at their defaults:

3. Click Create.

Verify the backends

Verify that VM instances are being created in both regions and access their HTTP sites.

1. Still in Compute Engine, click VM instances in the left menu.
2. Notice the instances that start with us-east1-mig and europe-west1-mig. These instances are part of the managed instance groups.
3. Click on the External IP of an instance of us-east1-mig.

You should see the Client IP (your IP address), the Hostname (starts with us-east1-mig) and the Server Location (a zone in us-east1).

4. Click on the External IP of an instance of europe-west1-mig.

You should see the Client IP (your IP address), the Hostname (starts with europe-west1-mig) and the Server Location (a zone in europe-west1).

Configure the HTTP Load Balancer

Configure the HTTP Load Balancer to balance traffic between the two backends (us-east1-mig in us-east1 and europe-west1-mig in europe-west1), as illustrated in the network diagram:

Start the configuration

1. In the Cloud Console, click Navigation menu, click Network Services > Load balancing, and then click Create load balancer.
2. Under HTTP(S) Load Balancing, click on Start configuration.

3. Select From Internet to my VMs, and click Continue.

4. Set the Name to http-lb.

Configure the backend

Backend services direct incoming traffic to one or more attached backends. Each backend is composed of an instance group and additional serving capacity metadata.

1. Click on Backend configuration.
2. For Backend services & backend buckets, click Create a backend service.
3. Set the following values, leave all other values at their defaults:

This configuration means that the load balancer attempts to keep each instance of us-east1-mig at or below 50 requests per second (RPS).

4. Click Done.

5. Click Add backend.

6. Set the following values, leave all other values at their defaults:

This configuration means that the load balancer attempts to keep each instance of europe-west1-mig at or below 80% CPU utilization.

7. Click Done.

8. For Health Check, select Create a health check.

9. Set the following values, leave all other values at their defaults:

Health checks determine which instances receive new connections. This HTTP health check polls instances every 5 seconds, waits up to 5 seconds for a response and treats 2 successful or 2 failed attempts as healthy or unhealthy, respectively.

10. Click Save.

11. Check the Enable Logging box.

12. Set the Sample Rate to 1:

13. Click Create to create the backend service.

Configure the frontend

The host and path rules determine how your traffic will be directed. For example, you could direct video traffic to one backend and static traffic do another backend. However, you are not configuring the Host and path rules in this lab.

1. Click on Frontend configuration.
2. Specify the following, leaving all other values at their defaults:

3. Click Done.

4. Click Add Frontend IP and port.

5. Specify the following, leaving all other values at their defaults:

6. Click Done.

HTTP(S) load balancing supports both IPv4 and IPv6 addresses for client traffic. Client IPv6 requests are terminated at the global load balancing layer, then proxied over IPv4 to your backends.

Review and create the HTTP Load Balancer

1. Click on Review and finalize.

2. Review the Backend services and Frontend.

3. Click on Create.

4. Wait for the load balancer to be created.

5. Click on the name of the load balancer (http-lb).

6. Note the IPv4 and IPv6 addresses of the load balancer for the next task. They will be referred to as [LB_IP_v4] and [LB_IP_v6], respectively.

The IPv6 address is the one in hexadecimal format.

Access the HTTP Load Balancer

To test IPv4 access to the HTTP Load Balancer, open a new tab in your browser and navigate to http://[LB_IP_v4]. Make sure to replace [LB_IP_v4] with the IPv4 address of the load balancer.

It might take up to 5 minutes to access the HTTP Load Balancer. In the meantime, you might get a 404 or 502 error. Keep trying until you see the page of one of the backends. Depending on your proximity to us-east1 and europe-west1, you traffic is either forwarded to a us-east1-mig or europe-west1-mig instance.

If you have a local IPv6 address, try the IPv6 address of the HTTP Load Balancer by navigating to http://[LB_IP_v6]. Make sure to replace [LB_IP_v6] with the IPv6 address of the load balancer.

Stress test the HTTP Load Balancer

Create a new VM to simulate a load on the HTTP Load Balancer using siege. Then, determine if traffic is balanced across both backends when the load is high.

1. In the Console, navigate to Navigation menu, Compute Engine > VM instances.
2. Click Create instance.
3. Set the following values, leave all other values at their defaults:

Given that us-west1 is closer to us-east1 than to europe-west1, traffic should be forwarded only to us-east1-mig (unless the load is too high).

4. Click Create.

5. Wait for the siege-vm instance to be created.

6. For siege-vm, click SSH to launch a terminal and connect.

7. Run the following command, to install siege:

sudo apt-get -y install siege

8. To store the IPv4 address of the HTTP Load Balancer in an environment variable, run the following command, replacing [LB_IP_v4] with the IPv4 address:

export LB_IP=[LB_IP_v4]

9. To simulate a load, run the following command:

siege -c 250 http://$LB_IP

The output should look like this (do not copy; this is example output):

New configuration template added to /home/cloudcurriculumdeveloper/.siege
Run siege -C to view the current settings in that file
[alert] Zip encoding disabled; siege requires zlib support to enable it: No such file or directory
** SIEGE 4.0.2
** Preparing 250 concurrent users for battle.
The server is now under siege...

10. In the Cloud Console, on the Navigation menu, click Network Services > Load balancing.

11. Click Backends.

12. Click http-backend.

13. Monitor the Frontend Location (Total inbound traffic) between North America and the two backends for 2 to 3 minutes.

At first, traffic should just be directed to us-east1-mig but as the RPS increases, traffic is also directed to europe-west1-mig.

This demonstrates that by default traffic is forwarded to the closest backend but if the load is very high, traffic can be distributed across the backends.

14. Return to the SSH terminal of siege-vm.

15. Press CTRL+C to stop siege.

Denylist the siege-vm

Use Cloud Armor to denylist the siege-vm from accessing the HTTP Load Balancer.

Create the security policy

Create a Cloud Armor security policy with a denylist rule for the siege-vm.

1. In the Console, navigate to Navigation menu, Compute Engine > VM instances.
2. Note the External IP of the siege-vm. This will be referred to as [SIEGE_IP].

There are ways to identify the external IP address of a client trying to access your HTTP Load Balancer. For example, you could examine traffic captured by VPC Flow Logs in BigQuery to determine a high volume of incoming requests.

3. In the Cloud Console, navigate to Navigation menu > Network Security > Cloud Armor.

4. Click Create policy.

5. Set the following values, leave all other values at their defaults:

6. Click Next step.

7. Click Add rule.

8. Set the following values, leave all other values at their defaults:

9. Click Done.

10. Click Next step.

11. Click Add Target.

12. For Type, select Load balancer backend service.

13. For Target, select http-backend.

14. Click Create policy.

Alternatively, you could set the default rule to Deny and only allowlist/allow traffic from authorized users/IP addresses.

15. Wait for the policy to be created before moving to the next step.

Verify the security policy

Verify that the siege-vm cannot access the HTTP Load Balancer.

1. Return to the SSH terminal of siege-vm.
2. To access the load balancer, run the following:

curl http://$LB_IP

The output should look like this (do not copy; this is example output):

<!doctype html><meta charset="utf-8"><meta name=viewport content="width=device-width, initial-scale=1"><title>403</
title>403 Forbidden

It might take a couple of minutes for the security policy to take affect. If you are able to access the backends, keep trying until you get the 403 Forbidden error.

3. Open a new tab in your browser and navigate to http://[LB_IP_v4]. Make sure to replace [LB_IP_v4] with the IPv4 address of the load balancer.

You can access the HTTP Load Balancer from your browser because of the default rule to allow traffic; however, you cannot access it from the siege-vm because of the deny rule that you implemented.

4. Back in the SSH terminal of siege-vm, to simulate a load, run the following command:

siege -c 250 http://$LB_IP

The output should look like this (do not copy; this is example output):

[alert] Zip encoding disabled; siege requires zlib support to enable it
** SIEGE 4.0.2
** Preparing 250 concurrent users for battle.
The server is now under siege...

Explore the security policy logs to determine if this traffic is also blocked.

5. In the Console, navigate to Navigation menu > Network Security > Cloud Armor.

6. Click denylist-siege.

7. Click Logs.

8. Click View policy logs.

9. On the Logging page, make sure to clear all the text in the Query preview. Select resource to Cloud HTTP Load Balancer > http-lb-forwarding-rule > http-lb then click Add.

10. Now click Run Query.

11. Expand a log entry in Query results.

12. Expand httpRequest.

The request should be from the siege-vm IP address. If not, expand another log entry.

13. Expand jsonPayload.

14. Expand enforcedSecurityPolicy.

14. Notice that the configuredAction is to DENY with the name denylist-siege.

Cloud Armor security policies create logs that can be explored to determine when traffic is denied and when it is allowed, along with the source of the traffic.

Congratulations!

You configured an HTTP Load Balancer with backends in us-east1 and europe-west1. Then, you stress tested the Load Balancer with a VM and denylisted the IP address of that VM with Cloud Armor. You were able to explore the security policy logs to identify why the traffic was blocked.