Filter IP Range with Firewall on Internal Load Balancer + Cloud Run


I was wondering if someone knows how to block access from a specific IP range inside a VPC to a Cloud Run instance connected through an Internal Load Balancer (ILB).

My setup is as follows:

  • ILB (Serverless NEG) -> Cloud Run with Internal Ingress

Some examples for what I want to achieve:

  • VM 10.10.10.10 -> ILB -> Cloud Run (is allowed to access).
  • VM 10.10.20.10 -> ILB -> Cloud Run (is not allowed to access).

I tried firewall rules, but it seems the rule doesn't apply to Cloud Run and the ILB simply bypasses it (I even tried a Deny all rule for 0.0.0.0/0 and nothing happened).

Is this possible? Do I need another service to achieve this?

There is 1 answer

nickdoesstuff

To do this, you must combine VPC firewall rules and Cloud Armor rules.

First, you must create a VPC firewall rule to deny traffic from the specific IP range to the ILB.

Once you have created the VPC firewall rule, you must create a Cloud Armor rule to block traffic from the specific IP range.

The VPC firewall rule must be created before the Cloud Armor rule.

If you are using a Cloud Run service with internal ingress, you must also ensure that the Cloud Armor security policy is attached to the Cloud Run service.
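The two steps in the answer above, written out as a Terraform configuration. This is an added example, not code from the original question or answer: the network name `my-vpc`, the ILB forwarding-rule address `10.10.30.5`, the serverless NEG `cloudrun_neg`, and the backend service name `ilb-backend` are assumptions standing in for the asker's real resources, and the blocked range `10.10.20.0/24` is taken from the second VM in the question.

```hcl
# Step 1 (from the answer): a VPC firewall rule that denies traffic from the
# blocked range to the ILB. Priority 900 puts it ahead of the default
# (priority 1000) allow rules that usually exist in a VPC.
resource "google_compute_firewall" "deny_blocked_range_to_ilb" {
  name      = "deny-10-10-20-to-ilb"
  network   = "my-vpc"        # assumption: the VPC holding the ILB
  direction = "INGRESS"
  priority  = 900

  source_ranges      = ["10.10.20.0/24"] # the VM range that must NOT reach Cloud Run
  destination_ranges = ["10.10.30.5/32"] # assumption: the ILB forwarding-rule address

  deny {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# Step 2 (from the answer): a Cloud Armor security policy that blocks the same
# range. The explicit default allow rule is required by Cloud Armor; without it
# the policy would reject all traffic that matches no other rule.
resource "google_compute_security_policy" "block_blocked_range" {
  name = "block-10-10-20"

  rule {
    priority    = 1000
    action      = "deny(403)"
    description = "Deny the VM range that must not reach Cloud Run"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["10.10.20.0/24"]
      }
    }
  }

  rule {
    priority    = 2147483647
    action      = "allow"
    description = "Default rule: allow everything else (e.g. 10.10.10.10)"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }

  # Mirrors the answer's ordering requirement: the firewall rule first.
  depends_on = [google_compute_firewall.deny_blocked_range_to_ilb]
}

# Attach the policy to the backend service that fronts the Cloud Run
# serverless NEG, as the answer's last paragraph describes.
resource "google_compute_backend_service" "ilb_backend" {
  name     = "ilb-backend" # assumption: the backend service behind the ILB
  protocol = "HTTPS"

  backend {
    group = google_compute_region_network_endpoint_group.cloudrun_neg.id # assumption: existing serverless NEG
  }

  security_policy = google_compute_security_policy.block_blocked_range.id
}
```

Before applying, confirm in your own project that the backend service type behind your ILB accepts a `security_policy` attachment, and verify the result from both VMs (a `curl` from 10.10.10.10 should succeed, one from 10.10.20.10 should be refused or receive a 403) so you can see which of the two layers actually blocked the request.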