Google Cloud Armor exports monitoring data from security policies to Cloud Monitoring. You can use monitoring metrics to check whether your policies are working as intended or to troubleshoot problems. For example, you can view the traffic that was blocked or allowed for each backend service. You can monitor the metrics of a single security policy (which can be applied to multiple backend services) or a single backend service.
In addition to the predefined dashboards in Monitoring, you can create custom dashboards, set up alert policies, and query the metrics through the Cloud Monitoring API.
Google Cloud Armor per-request logs for security policy name, match rule priority, associated action, and related information are logged as part of logging for HTTP(S) Load Balancing, External TCP Proxy Load Balancing, and External SSL Proxy Load Balancing. Logging for new backend services is disabled by default, so you must enable logging to record complete logging information for Google Cloud Armor.
Because Google Cloud Armor logs are part of the Cloud Load Balancing logs, Google Cloud Armor log generation is subject to the log sampling rate configured for your load balancer. If you reduce the sampling rate for your HTTP(S) Load Balancing, External TCP Proxy Load Balancing, or External SSL Proxy Load Balancing, your Google Cloud Armor request logs are sampled at that reduced rate.
From your Cloud Armor logs, you can create a dashboard in Looker Studio similar to the one below.
Using logging, you can view every request evaluated by a Google Cloud Armor security policy and the outcome or action taken. For example, to view denied requests, you can use filters such as:
jsonPayload.enforcedSecurityPolicy.outcome="DENY"
or
jsonPayload.statusDetails="denied_by_security_policy"
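The two filters above, applied offline to exported log entries, as an added example that is not part of the original article. It counts denied requests per backend service, policy and rule priority, which is the breakdown a dashboard table would show. The log entries, policy name and backend names are constructed; the code assumes entries carry jsonPayload.enforcedSecurityPolicy (name, priority, outcome), jsonPayload.statusDetails, httpRequest.remoteIp and resource.labels.backend_service_name.

```python
from collections import Counter

def make_entry(backend, ip, policy, priority, outcome, status):
    """Build a constructed log entry holding only the fields used below."""
    payload = {"statusDetails": status}
    if policy is not None:
        payload["enforcedSecurityPolicy"] = {
            "name": policy, "priority": priority, "outcome": outcome}
    return {"resource": {"type": "http_load_balancer",
                         "labels": {"backend_service_name": backend}},
            "httpRequest": {"remoteIp": ip},
            "jsonPayload": payload}

# Constructed sample data (documentation IP ranges, made-up names).
SAMPLE_ENTRIES = [
    make_entry("web-backend", "203.0.113.10", "edge-policy", 1000, "DENY", "denied_by_security_policy"),
    make_entry("web-backend", "203.0.113.10", "edge-policy", 1000, "DENY", "denied_by_security_policy"),
    make_entry("web-backend", "198.51.100.7", "edge-policy", 2147483647, "ACCEPT", "response_sent_by_backend"),
    make_entry("api-backend", "198.51.100.7", "edge-policy", 2000, "DENY", "denied_by_security_policy"),
    # Edge case: the policy block is absent, only statusDetails marks the deny.
    make_entry("api-backend", "192.0.2.44", None, None, None, "denied_by_security_policy"),
]

def is_denied(entry):
    """True if either filter from the text matches the entry."""
    payload = entry.get("jsonPayload", {})
    policy = payload.get("enforcedSecurityPolicy", {})
    return (policy.get("outcome") == "DENY"
            or payload.get("statusDetails") == "denied_by_security_policy")

def summarize_denies(entries):
    """Count denied requests per (backend service, policy name, rule priority)."""
    counts = Counter()
    for entry in filter(is_denied, entries):
        policy = entry.get("jsonPayload", {}).get("enforcedSecurityPolicy", {})
        backend = entry.get("resource", {}).get("labels", {}).get(
            "backend_service_name", "unknown")
        counts[(backend, policy.get("name", "unknown"), policy.get("priority"))] += 1
    return counts

def top_sources(entries, n=3):
    """Return the n client IPs with the most denied requests."""
    ips = Counter(e.get("httpRequest", {}).get("remoteIp", "unknown")
                  for e in entries if is_denied(e))
    return ips.most_common(n)

if __name__ == "__main__":
    for key, count in summarize_denies(SAMPLE_ENTRIES).most_common():
        print(count, *key)
    print(top_sources(SAMPLE_ENTRIES))
```

Because the logs are sampled at the load balancer's configured rate, counts produced this way are lower bounds unless the sampling rate is 1.0.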
This article describes how to create rich visualization dashboards from logs generated by Cloud Armor. (As mentioned above, Google Cloud Armor logs are part of the Cloud Load Balancing logs.)
It will show the various GCP services involved in setting this up in a quick and easy manner.
The following services will need to be configured as a base for this blogpost
The following services will be configured as part of this tutorial or blogpost
In this step, we need to tell GCP to export the specific log that contains the Cloud Armor policy rule execution into a BigQuery table.
b) Click on "Create Sink" (as shown below) and enter the required details.
Enter a “Sink Name” such as Cloud-Armor-Logs-to-BQ, and also give a description of the sink.
Click Next and in the "Select sink service" dropdown select "BigQuery Dataset".
Then select "Create new BigQuery dataset" if you have not created one already.
Enter your dataset ID, set Data Location to your preferred data location, and click Create Dataset.
After the dataset is created, choose the logs to include in the sink by entering the Cloud Logging query for the Cloud Armor logs. (You can get this query easily by clicking the View Policy Logs link in Cloud Armor, which automatically redirects you to Cloud Logging and shows you the query in the Logs Explorer.) Then choose the logs to filter out of the sink.
Now all future “http_load_balancer” logs will be stored in BigQuery under the new dataset you requested. The table with your data will be called “requests”.
You can create Looker Studio reports in the following ways:
In this tutorial, we will cover creating a new blank report.
A table will appear with fields from the BigQuery data source. In the top left, name your report by clicking Untitled Report and then entering a new name. You can use the properties panel on the right to add data to your report.
Select the types of charts you wish to create: table, bar, pie charts, etc.
As an example, to create a table as shown below:
At the top of the report -
From the chart menu on the right, select the following as dimensions to be added into the table horizontally
You can choose to leave the record count metric if you desire.
To create a bar chart such as the one shown above, use the following steps.
At the top of the report,