How to block multiple countries with one expression in Google Cloud Armor?

I can block multiple countries in Google Cloud Armor with the rule below.

origin.region_code == "RU" || origin.region_code == "UA"

But it considers this rule to have 2 expressions, so I can block only 5 countries per rule and will have to add additional rules to block additional countries.

Is there a way (like in_origin_regioncode) where I can provide a comma separated list of all countries I want to block in a single expression?

There are 4 answers

1
Frank On

As you correctly pointed out, and as documented here, the current custom rule limit is 5. The only workaround available to circumvent this is creating additional custom rules in order to implement additional country blocks.

1
José de Jesus Barajas Figueroa On

I have one option that we discovered: you can use the x.contains(y) function in your Cloud Armor rule. That function returns true if substring y is in string x, so you can use it like this: '[CN,KP,LT,UA,RU,AF,DZ,MM,CU,EG,GN,IR,IQ,LR,LY,NE,SL,SO,SS,SD,SY,UA,YE]'.contains(origin.region_code) instead of origin.region_code=='CN'||origin.region_code=='SL', for example, and it works!!!

I hope I've helped :)

1
Camilo Elgueta Basso On

In my case I just want to allow CL REGION traffic. I created a permission rule in advanced mode. Traffic from other regions is blocked.

origin.region_code == 'CL'

0
Christian On

The best way that I found is using a regex, something like this:

"origin.region_code.matches('^ES|PT|AD|GI$')"

So you can include all the countries you want.
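
An added example (not part of any answer above, and not Google's code): a Python helper that turns one country list into the '||' rules in groups of five and into a single regex expression whose alternation is grouped, then compares how strictly the ungrouped regex, the grouped regex and the contains() form match. It assumes matches() performs a partial RE2 match (modelled here with re.search) and that the per-rule limit is the 5 described in the question; the function names and sample inputs are constructed for illustration.

```python
import re

MAX_SUBEXPR = 5  # per-rule limit described in the question (assumed unchanged)


def normalise(codes):
    """Upper-case, check the two-letter shape, drop duplicates (order kept)."""
    seen = []
    for code in codes:
        code = code.strip().upper()
        if not re.fullmatch(r"[A-Z]{2}", code):
            raise ValueError(f"not a two-letter region code: {code!r}")
        if code not in seen:
            seen.append(code)
    return seen


def or_chain_rules(codes):
    """One '||' expression per group of MAX_SUBEXPR codes, one rule each."""
    codes = normalise(codes)
    groups = [codes[i:i + MAX_SUBEXPR] for i in range(0, len(codes), MAX_SUBEXPR)]
    return [" || ".join(f"origin.region_code == '{c}'" for c in g) for g in groups]


def regex_pattern(codes):
    """Alternation wrapped in a group so ^ and $ bind to every code."""
    return "^(" + "|".join(normalise(codes)) + ")$"


def regex_rule(codes):
    """Single-expression rule text in the form used by the regex answer."""
    return f"origin.region_code.matches('{regex_pattern(codes)}')"


def partial_match(pattern, value):
    """Local stand-in for matches(): an unanchored search, not a full match."""
    return re.search(pattern, value) is not None


if __name__ == "__main__":
    wanted = ["ES", "PT", "AD", "GI", "ru", "UA", "UA"]  # constructed input
    print(regex_rule(wanted))
    for rule in or_chain_rules(wanted):
        print(rule)
    # Constructed edge inputs: longer or empty strings, to compare strictness.
    for value in ["ES", "ESX", "XPTX", ""]:
        print(repr(value),
              partial_match("^ES|PT|AD|GI$", value),        # ungrouped alternation
              partial_match(regex_pattern(wanted), value),  # grouped alternation
              value in "[ES,PT,AD,GI]")                     # substring contains()
```

For plain two-letter codes all three forms agree; they differ only on the constructed longer and empty inputs, where the grouped pattern is the one that behaves like an exact comparison.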