Cheat sheet for enabling (and disabling) Cloud Armor Advanced Network DDoS Protection and Adaptive Protection on a Google Cloud project with gcloud. The sections are meant to be run individually, not the whole file end to end.
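#!/usr/bin/env bash
#####################################################################
# Cloud Armor cheat sheet: enable / disable Advanced Network DDoS
# Protection and Adaptive Protection on a Google Cloud project.
#
# This is a cheat sheet, not a deployment script: the sections below
# both ENABLE and DISABLE the same features, so running the file top to
# bottom subscribes the project to a paid protection tier and then
# unsubscribes it again. Copy the section you need into a shell instead
# of executing the whole file.
#
# REFERENCES
# - https://cloud.google.com/armor/docs/managed-protection-using#gcloud
# - https://cloud.google.com/armor/docs/advanced-network-ddos
# - https://cloud.google.com/armor/docs/configure-adaptive-protection
# - https://cloud.google.com/armor/docs/adaptive-protection-auto-deploy
#####################################################################
# Stop at the first failed gcloud call or unset variable so a failed
# subscription / policy step is not followed by changes in the wrong state.
set -euo pipefail

# Project and identity context, taken from the active gcloud configuration.
# Declaration and assignment are separated so a failing gcloud call is not
# masked by `export` (and aborts under `set -e`).
PROJECT_ID=$(gcloud config get-value project)
export PROJECT_ID
# Every command below is scoped to this project; refuse to continue without one.
: "${PROJECT_ID:?no project configured - run 'gcloud config set project <id>' first}"
PROJECT_USER=$(gcloud config get-value core/account) # current user (not used below)
export PROJECT_USER
PROJECT_NUMBER=$(gcloud projects describe "${PROJECT_ID}" --format="value(projectNumber)") # not used below
export PROJECT_NUMBER
export IDNS="${PROJECT_ID}.svc.id.goog" # workload identity pool domain (not used below)
export GCP_REGION="us-west1"            # CHANGEME (OPT)
export GCP_ZONE="us-west1-b"            # CHANGEME (OPT; not used below)

############################################################
# Enable Advanced Network DDoS Protection
############################################################
# The security policy is a REGIONAL network policy (type
# CLOUD_ARMOR_NETWORK); every policy / edge-service command that
# refers to it must pass the same --region, including the Adaptive
# Protection section at the bottom.
export SECURITY_POLICY_NAME="sec-pol-advanced-ddos"
export SECURITY_SERVICE_NAME="sec-svc-edge"

# Subscribe the project to Managed Protection Plus (pay-as-you-go).
# This changes the project's billing and can take up to 24 hours to
# take effect; the ADVANCED update below may be rejected until it has.
gcloud compute project-info update \
  --managed-protection-tier CAMP_PLUS_PAYGO \
  --project "${PROJECT_ID}"

# Create the regional network security policy.
gcloud compute security-policies create "${SECURITY_POLICY_NAME}" \
  --type CLOUD_ARMOR_NETWORK \
  --region "${GCP_REGION}" \
  --project "${PROJECT_ID}"

# Switch the new (or an existing) network policy to ADVANCED DDoS protection.
gcloud compute security-policies update "${SECURITY_POLICY_NAME}" \
  --network-ddos-protection ADVANCED \
  --region "${GCP_REGION}" \
  --project "${PROJECT_ID}"

# Attach the policy to a network edge security service in the same region.
gcloud compute network-edge-security-services create "${SECURITY_SERVICE_NAME}" \
  --security-policy "${SECURITY_POLICY_NAME}" \
  --region "${GCP_REGION}" \
  --project "${PROJECT_ID}"

############################################################
# Disable Advanced Network DDoS Protection
# - Downgrading the policy and the subscription is shown below.
# - Deleting the policy is optional:
#     gcloud compute security-policies delete "${SECURITY_POLICY_NAME}" --region "${GCP_REGION}"
#   It is refused while the network edge security service still
#   references the policy, so detach or delete the service first.
############################################################
# Downgrade the policy's protection level back to STANDARD.
gcloud compute security-policies update "${SECURITY_POLICY_NAME}" \
  --network-ddos-protection STANDARD \
  --region "${GCP_REGION}" \
  --project "${PROJECT_ID}"

# Unsubscribe the project from Plus PAYG (back to the Standard tier).
gcloud compute project-info update \
  --managed-protection-tier CA_STANDARD \
  --project "${PROJECT_ID}"

############################################################
# Cloud Armor Adaptive Protection (layer-7 DDoS defense)
############################################################
# --region is required here too: the policy above is regional, and
# without the flag gcloud looks for a GLOBAL policy of the same name,
# which this cheat sheet never creates.
# NOTE(review): the referenced Adaptive Protection docs describe this
# flag on backend security policies; confirm it is accepted on a
# CLOUD_ARMOR_NETWORK policy before relying on this section.
# enable
gcloud compute security-policies update "${SECURITY_POLICY_NAME}" \
  --enable-layer7-ddos-defense \
  --region "${GCP_REGION}" \
  --project "${PROJECT_ID}"

# disable
gcloud compute security-policies update "${SECURITY_POLICY_NAME}" \
  --no-enable-layer7-ddos-defense \
  --region "${GCP_REGION}" \
  --project "${PROJECT_ID}"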