Use Cloud Armor with Cloud Run and avoid bypass
Quoting https://cloud.google.com/load-balancing/docs/https/setting-up-https-serverless#enabling
While Google Cloud Armor can be configured for backend services with Cloud Run (fully managed), Cloud Functions, and App Engine backends, there are certain limitations associated with this capability, especially with Cloud Run (fully managed) and App Engine. Users who have access to the default URLs assigned to these services by Google Cloud can bypass the load balancer and go directly to the service URLs, circumventing any configured Google Cloud Armor security policies.
What is the best way to prevent attackers from bypassing Cloud Armor by going directly to the Cloud Run URL (*.run.app)?
Normally I would make Cloud Run callable only by a service account, but the Cloud Load Balancer cannot call Cloud Run with a service account. Another option is to configure the Cloud Load Balancer to send a token in a header and configure the application running in Cloud Run to accept only calls carrying the correct header/token, but I would prefer not to have to do this inside the application.
You should restrict the service's ingress to "internal and cloud load balancing" to disable access via the default domain and allow only traffic coming from Cloud Armor:
gcloud beta run services update SERVICE --ingress internal-and-cloud-load-balancing
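As an added example (not part of the original answer), here is a small audit script a defender can run over the JSON output of `gcloud run services list --format=json` to find services whose default *.run.app URL is still reachable from the Internet, i.e. services that a Cloud Armor policy on the load balancer does not protect. It relies on the Cloud Run v1 API exposing the ingress setting as the `run.googleapis.com/ingress` metadata annotation with the values `all`, `internal` and `internal-and-cloud-load-balancing`; treating a missing annotation as `all` (the Cloud Run default) is an assumption stated in the code. The sample service list is constructed, and the service names and URLs in it are made up.

```python
import json
import sys

# Cloud Run (v1 API) exposes the ingress setting as a metadata annotation.
INGRESS_ANNOTATION = "run.googleapis.com/ingress"

# Ingress settings under which the default *.run.app URL no longer accepts
# traffic from the Internet, so requests must come through the load balancer
# (and therefore through the Cloud Armor policy attached to it).
LB_ONLY_SETTINGS = {"internal", "internal-and-cloud-load-balancing"}

# Constructed sample in the shape of `gcloud run services list --format=json`,
# trimmed to the fields this check needs. Names and URLs are invented.
SAMPLE_SERVICES_JSON = json.dumps([
    {"metadata": {"name": "api-behind-armor",
                  "annotations": {INGRESS_ANNOTATION: "internal-and-cloud-load-balancing"}},
     "status": {"url": "https://api-behind-armor-abc123-uc.a.run.app"}},
    {"metadata": {"name": "legacy-public",
                  "annotations": {INGRESS_ANNOTATION: "all"}},
     "status": {"url": "https://legacy-public-abc123-uc.a.run.app"}},
    {"metadata": {"name": "never-configured",
                  "annotations": {}},
     "status": {"url": "https://never-configured-abc123-uc.a.run.app"}},
])


def ingress_setting(service: dict) -> str:
    """Return the service's ingress setting.

    Assumption: a service with no ingress annotation uses the Cloud Run
    default, which is 'all' (default URL open to the Internet).
    """
    annotations = service.get("metadata", {}).get("annotations", {}) or {}
    return annotations.get(INGRESS_ANNOTATION, "all")


def remediation_command(name: str) -> str:
    """The command from the answer above, filled in for one service."""
    return (f"gcloud beta run services update {name} "
            f"--ingress internal-and-cloud-load-balancing")


def find_bypassable(services_json: str) -> list:
    """Parse a service list and return one record per service whose default
    URL still bypasses the load balancer, with the fix to apply."""
    findings = []
    for service in json.loads(services_json):
        name = service.get("metadata", {}).get("name", "<unnamed>")
        setting = ingress_setting(service)
        if setting in LB_ONLY_SETTINGS:
            continue  # default URL is closed; Cloud Armor cannot be bypassed this way
        findings.append({
            "name": name,
            "url": service.get("status", {}).get("url", ""),
            "ingress": setting,
            "fix": remediation_command(name),
        })
    return findings


if __name__ == "__main__":
    # Pipe real output in: gcloud run services list --format=json | python audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SERVICES_JSON
    for f in find_bypassable(data):
        print(f"{f['name']}: ingress={f['ingress']} url={f['url']}\n  fix: {f['fix']}")
```

Running it with no input on stdin audits the constructed sample and reports `legacy-public` and `never-configured`; the first service is skipped because its ingress already forces traffic through the load balancer. After applying the suggested command, re-run the audit and confirm the service no longer appears, and spot-check that a direct request to its *.run.app URL is now refused.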