Geo-blocking Apigee with Cloud Armor

In this tutorial I will show you how to prevent users from certain countries from accessing your APIs. This is all possible thanks to GCP’s global load balancing infrastructure and Cloud Armor. 

When it comes to security, a layered approach is always recommended. Adding a WAF like Cloud Armor in front of Apigee is highly recommended.

If you are serving customers only in a certain region of the world, it's usually a best practice to block users from other countries. This alone won't prevent malicious actors who are really targeting you from calling your APIs, since it's relatively easy to get a different IP address: bad actors can use a Tor node, a proxy or a VPN tunnel in another country. However, it effectively reduces your attack surface and protects you from bot scrapers in certain countries, making things a little bit more difficult for attackers.

Here’s a diagram of the architecture and the different components involved:

[Architecture diagram]

For the purpose of this article, I will mostly focus on the Cloud Armor configuration and I will assume you have deployed Apigee X for external access with a MIG. You can follow the steps described in the official documentation for the different external routing configurations; the Cloud Armor piece should be the same.

Once you have created the MIG here are the next steps at a high level:

  1. Create an SSL certificate and key for the load balancer
  2. Create a health check
  3. Create the backend service for Apigee
  4. Add the MIG to your backend service
  5. Create a URL map
  6. Create a target HTTPS proxy
  7. Reserve an IP
  8. Create a global forwarding rule

If you followed the previous steps, now Apigee should be available globally to everyone. Let’s focus now on the Cloud Armor configuration. In order to do so, you will need to follow these steps:

1. Create a Cloud Armor security policy:

gcloud compute security-policies create apigee-geoblocking-policy \
    --description "policy for Apigee users only in the US"

2. Update the default rule of the security policy (priority 2147483647) to deny traffic:

gcloud compute security-policies rules update 2147483647 \
    --security-policy apigee-geoblocking-policy \
    --action "deny-403"

3. Add a rule to the security policy. We will create a rule in Cloud Armor that allows traffic from a certain region. In my case the country code is 'US', following the ISO 3166 country code, but feel free to use your own country code.

gcloud compute security-policies rules create 100 \
    --security-policy apigee-geoblocking-policy \
    --expression "origin.region_code=='US'" \
    --action "allow"

4. Attach the security policy to the Apigee backend service:

gcloud compute backend-services update {PROXY_BACKEND_NAME} \
    --security-policy apigee-geoblocking-policy --global

Allow a few minutes for the rules to propagate in Cloud Armor. Once the rules have been applied you can test the setup by using curl to call your API proxy from a VM in a region outside of the US. You should receive a 403 response from Cloud Armor for any client outside of the US.
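To see why the rule priorities above matter, here is an added Python simulation of the evaluation order (my own illustration, not part of the original article and not Google's evaluator): rules are tried from the lowest priority number up, the first match decides, and the default rule at 2147483647 catches everything else. It only understands the origin.region_code expression used in this tutorial, optionally joined with || to allow several countries, and treats "*" as a catch-all expression (an assumption standing in for the default rule).

```python
"""Simulate Cloud Armor rule evaluation for the apigee-geoblocking-policy."""
import re
from dataclasses import dataclass

DEFAULT_PRIORITY = 2147483647  # priority Cloud Armor reserves for the default rule
# Accepts the expression form used on this page: origin.region_code=='XX'
_REGION_TERM = re.compile(r"^origin\.region_code\s*==\s*'([A-Z]{2})'$")


@dataclass(frozen=True)
class Rule:
    priority: int
    expression: str  # "*" is this simulation's stand-in for the default rule
    action: str      # "allow" or "deny-403"


def matches(expression: str, region_code: str) -> bool:
    """Evaluate a region_code expression (terms joined by ||) for one request."""
    if expression == "*":
        return True
    for term in expression.split("||"):
        m = _REGION_TERM.match(term.strip())
        if m is None:
            raise ValueError(f"unsupported expression: {term!r}")
        if m.group(1) == region_code:
            return True
    return False


def evaluate(rules: list[Rule], region_code: str) -> tuple[int, str]:
    """Return (priority, action) of the first matching rule, lowest number first."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule.expression, region_code):
            return rule.priority, rule.action
    raise RuntimeError("policy has no default rule")


def status_code(action: str) -> int:
    """HTTP status the client sees: 200 for allow, the number in deny-NNN otherwise."""
    return 200 if action == "allow" else int(action.split("-")[1])


# The policy built in steps 2 and 3 of the tutorial.
APIGEE_GEOBLOCKING_POLICY = [
    Rule(DEFAULT_PRIORITY, "*", "deny-403"),
    Rule(100, "origin.region_code=='US'", "allow"),
]

if __name__ == "__main__":
    for region in ("US", "DE"):
        prio, action = evaluate(APIGEE_GEOBLOCKING_POLICY, region)
        print(f"{region}: rule {prio} -> {action} (HTTP {status_code(action)})")
```

A rule with a smaller priority number than 100 that matches every request, for example a broad deny added later, would shadow the US allow rule; the simulation reproduces that ordering.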

I hope you found this article helpful.

Last update: 12-28-2022 05:46 PM