Configuring an HTTP Load Balancer with Google Cloud Armor
- Overview
- Setup and requirements
- Task 1. Configure a health check firewall rule
- Task 2. Create two NAT configurations using Cloud Router
- Task 3. Configure an instance template and create instance groups
- Task 4. Configure the HTTP load balancer
- Task 5. Test the HTTP load balancer
- Task 6. Deny the siege-vm
- Congratulations!
- End your lab
Overview
Google Cloud HTTP(S) load balancing is implemented at the edge of Google's network, in Google's points of presence (POPs) around the world. User traffic directed to an HTTP(S) load balancer enters the POP closest to the user and is then load-balanced over Google's global network to the closest backend that has sufficient capacity available.
Google Cloud Armor IP deny/allow rules enable you to restrict or allow access to your HTTP(S) load balancer at the edge of Google Cloud, as close as possible to the user and to malicious traffic. This prevents malicious users or traffic from consuming resources or entering your virtual private cloud (VPC) networks.
In this lab, you will configure an HTTP load balancer with global backends, as shown in the diagram below. Then you will stress test the load balancer and deny the stress test IP with Google Cloud Armor.
Objectives
In this lab, you will learn how to perform the following tasks:
- Create a health check firewall rule
- Create two regional NAT configurations using Cloud Router
- Configure two instance templates
- Create two managed instance groups
- Configure an HTTP load balancer with IPv4 and IPv6
- Stress test an HTTP load balancer
- Deny an IP address to restrict access to an HTTP load balancer
Setup and requirements
For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.
- Sign in to Qwiklabs using an incognito window.
- Note the lab's access time (for example, 1:15:00), and make sure you can finish within that time. There is no pause feature. You can restart if needed, but you have to start at the beginning.
- When ready, click Start lab.
- Note your lab credentials (Username and Password). You will use them to sign in to the Google Cloud Console.
- Click Open Google Console.
- Click Use another account and copy/paste credentials for this lab into the prompts. If you use other credentials, you'll receive errors or incur charges.
- Accept the terms and skip the recovery resource page.
Activate Google Cloud Shell
Google Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud.
Google Cloud Shell provides command-line access to your Google Cloud resources.
- In Cloud console, on the top right toolbar, click the Open Cloud Shell button.
- Click Continue.
It takes a few moments to provision and connect to the environment. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. For example:
gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.
- You can list the active account name with this command:
Output:
Example output:
- You can list the project ID with this command:
Output:
Example output:
Task 1. Configure a health check firewall rule
Health checks determine which instances of a load balancer can receive new connections. For HTTP load balancing, the health check probes to your load-balanced instances come from addresses in the ranges 130.211.0.0/22 and 35.191.0.0/16. Your firewall rules must allow these connections.
Create the health check rule
Create a firewall rule to allow health checks.
- In the Cloud Console, in the Navigation menu, select VPC network > Firewall. Notice the existing ICMP, internal, RDP, and SSH firewall rules. Each Google Cloud project starts with the default network and these firewall rules.
- Click Create Firewall Rule.
- Specify the following, and leave the remaining settings as their defaults:
  Name: fw-allow-health-checks
  Network: default
  Targets: Specified target tags
  Target tags: allow-health-checks
  Source filter: IPv4 ranges
  Source IPv4 ranges: 130.211.0.0/22 and 35.191.0.0/16
  Protocols and ports: Specified protocols and ports
- Select tcp and specify port 80.
- Click Create.
Click Check my progress to verify the objective.
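The same rule can be created from Cloud Shell, and the two prober ranges are worth being able to recognise when you later review firewall or access logs. The script below is an added example, not part of the lab: it creates fw-allow-health-checks with gcloud (only when invoked with an "apply" argument) and provides a pure-shell check for whether an address falls inside 130.211.0.0/22 or 35.191.0.0/16. The rule name, tag and ranges are the lab's; the "apply" argument and the helper function names are this example's own.

```shell
#!/bin/sh
# Added example; not the lab's own commands. (1) creates the health-check firewall
# rule with gcloud instead of the console; (2) gives a pure-shell check for whether
# a source address lies inside Google's health-check prober ranges.

HC_RANGES="130.211.0.0/22 35.191.0.0/16"

# gcloud equivalent of the console rule (only called as: sh script.sh apply).
create_health_check_rule() {
  gcloud compute firewall-rules create fw-allow-health-checks \
    --network=default \
    --direction=INGRESS \
    --allow=tcp:80 \
    --source-ranges=130.211.0.0/22,35.191.0.0/16 \
    --target-tags=allow-health-checks
}

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeed when IPv4 address $1 is inside CIDR block $2 (e.g. 130.211.0.0/22).
in_cidr() {
  addr=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Succeed when $1 is one of Google's health-check prober addresses.
is_health_checker() {
  for r in $HC_RANGES; do
    if in_cidr "$1" "$r"; then return 0; fi
  done
  return 1
}

if [ "${1:-}" = apply ]; then
  create_health_check_rule
fi

# Demonstration on constructed addresses: one prober, one ordinary client.
for candidate in 35.191.8.7 203.0.113.9; do
  if is_health_checker "$candidate"; then
    echo "$candidate: Google health-check prober (matched by fw-allow-health-checks)"
  else
    echo "$candidate: not a health-check source"
  fi
done
```

Because the rule is scoped to the target tag allow-health-checks, only instances carrying that tag (the templates in Task 3 add it) expose port 80 to the prober ranges; everything else keeps the default network's existing rules.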
Task 2. Create two NAT configurations using Cloud Router
The Google Cloud VM backend instances that you set up in task 3 will not be configured with external IP addresses.
Instead, you will set up the Cloud NAT service to allow these VM instances to make outbound requests in order to install the Apache web server and PHP when they are launched. You create a Cloud Router for each managed instance group: one in us-central1 and one in europe-west1. The instance groups themselves are configured in the next task.
Create the Cloud Router instance
- In the Cloud Console, in the Navigation menu, select Network services > Cloud NAT.
- Click Get started.
- Specify the following, and leave the remaining settings as their defaults:
  Gateway name: nat-usa
  Network: default
  Region: us-central1
- Click Cloud Router and select Create new router.
- For Name, type nat-router-us-central1.
- Click Create.
- In Create a cloud NAT gateway, click Create.
Repeat the same procedure for nat-europe.
- Click Create Cloud NAT Gateway.
- Specify the following, and leave the remaining settings as their defaults:
  Gateway name: nat-europe
  Network: default
  Region: europe-west1
  Cloud Router: Create new router, with the name nat-router-europe-west1
- Click Create.
- In Create a NAT gateway, click Create.
Click Check my progress to verify the objective.
Task 3. Configure an instance template and create instance groups
A managed instance group uses an instance template to create a group of identical instances. You will use these to create the backends of the HTTP load balancer.
Configure the instance template
An instance template is an API resource that you can use to create VM instances and managed instance groups. Instance templates define the machine type, boot disk image, subnet, labels, and other instance properties.
- In the Cloud Console, in the Navigation menu, select Compute Engine > Instance templates.
- Click Create instance template.
- For Name, type us-central1-template.
- For Region, choose us-central1.
- Click Advanced Options.
- Click Management.
- Under Metadata, click + ADD ITEM and specify the following:
  Key: startup-script-url
  Value: gs://cloud-training/gcpnet/httplb/startup.sh
- Click Networking.
- Specify the following, and leave the remaining settings as their defaults:
  Network tags: allow-health-checks
  Network interface > Network: default
  Subnetwork: default (us-central1)
  External IP: None
- Click DONE.
- Click Create. Wait for the instance template to be created.
- Now, prepare to create another instance template by copying us-central1-template. Click us-central1-template; information about the template appears.
- Near the top of the page, click CREATE SIMILAR.
- For Name, type europe-west1-template.
- For Region, choose europe-west1.
- Click Advanced Options.
- Click Networking > Network interface.
- Select default (europe-west1) as the Subnetwork, and click DONE.
- Click Create.
Create the managed instance groups
Create a managed instance group in us-central1 and one in europe-west1.
- In the Navigation menu, select Compute Engine > Instance groups.
- Click Create Instance group.
- Specify the following, and leave the remaining settings as their defaults:
  Name: us-central1-mig
  Location: Multiple zones
  Region: us-central1
  Instance template: us-central1-template
  Autoscaling > Autoscaling signals: click CPU utilization and set Target CPU utilization to 80
  Initialization period: 45
  Minimum number of instances: 1
  Maximum number of instances: 5
- Click Create.
Repeat the same procedure for europe-west1-mig in europe-west1.
- Click Create Instance group.
- Specify the following, and leave the remaining settings as their defaults:
  Name: europe-west1-mig
  Location: Multiple zones
  Region: europe-west1
  Instance template: europe-west1-template
  Autoscaling > Autoscaling signals: click CPU utilization and set Target CPU utilization to 80
  Initialization period: 45
  Minimum number of instances: 1
  Maximum number of instances: 5
- Click Create.
Click Check my progress to verify the objective.
Verify the backends
Verify that VM instances are being created in both regions and access their HTTP sites.
- In the Navigation menu, click Compute Engine > VM instances. Notice the instances whose names start with us-central1-mig and europe-west1-mig. These instances are part of the managed instance groups.
- In Cloud Console, note the name and the zone of the VM instance located in Europe. (You will need these values in a moment.)
- On the Google Cloud Platform menu, click Activate Cloud Shell to open Cloud Shell. If prompted, click Continue.
- In Cloud Shell, execute this command to run SSH commands on the VM instance located in Europe:
- If prompted, click Authorize.
- When asked if you want to continue, enter Y.
- When prompted for a passphrase, press Enter or Return. This will generate an empty passphrase.
- To confirm the empty passphrase, press Enter or Return again. After a moment, Cloud Shell uses IAP tunneling to make an SSH connection to the VM instance in Europe. The Cloud Shell command line can now be used as the VM instance's command line.
- At the command line, enter the following:
You should see the Apache welcome page. The startup-script-url script installed Apache and changed the welcome page to include the client IP and the name, region, and zone of the VM instance.
- Copy the internal IP address of an instance located in the us-central1 region.
- Test the connection by running the following command:
- Enter exit to close the SSH session.
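The lab's startup script at gs://cloud-training/gcpnet/httplb/startup.sh is not reproduced on this page. The script below is an added example that performs what the lab attributes to it: install Apache and PHP (which is why the instances need Cloud NAT for outbound access), read the instance name and zone from the metadata server, and replace the welcome page with one that shows the client address and the instance's name, region and zone. It assumes a Debian-family image and the Compute Engine metadata server; the "run" argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example; not the lab's startup script. Installs Apache + PHP and writes an
# index page showing the client address and the instance name, region and zone.
# Assumes a Debian-family image and the GCE metadata server.

MD=http://metadata.google.internal/computeMetadata/v1/instance

# Read one instance metadata attribute (only works on a Compute Engine VM).
metadata() {
  curl -s -H 'Metadata-Flavor: Google' "$MD/$1"
}

# The zone attribute is returned as projects/PROJECT_NUMBER/zones/ZONE. Strip the
# path to get the zone, and drop the trailing "-<letter>" to get the region.
zone_of()   { printf '%s\n' "${1##*/}"; }
region_of() { z=$(zone_of "$1"); printf '%s\n' "${z%-*}"; }

install_web() {
  apt-get update
  apt-get install -y apache2 php libapache2-mod-php
}

# Write index.php. Behind the load balancer REMOTE_ADDR is the address of the
# Google front end, so the X-Forwarded-For header is shown as well.
write_index() {
  name=$1; region=$2; zone=$3
  cat > /var/www/html/index.php <<EOF
<!doctype html>
<h1>HTTP Load Balancing Lab</h1>
<h2>Client IP</h2>
<p>Address: <?php echo htmlspecialchars(\$_SERVER['REMOTE_ADDR']); ?></p>
<p>X-Forwarded-For: <?php echo htmlspecialchars(\$_SERVER['HTTP_X_FORWARDED_FOR'] ?? ''); ?></p>
<h2>Hostname</h2>
<p>Server Hostname: $name</p>
<p>Server Location: $region ($zone)</p>
EOF
  rm -f /var/www/html/index.html
}

if [ "${1:-}" = run ]; then
  install_web
  zone_path=$(metadata zone)
  write_index "$(metadata name)" "$(region_of "$zone_path")" "$(zone_of "$zone_path")"
  systemctl restart apache2
fi
```

Two details matter when you read the page a backend serves through the load balancer: the values are passed through htmlspecialchars because X-Forwarded-For is client-controlled, and for Google's external HTTP(S) load balancer the client address is the second-to-last entry of that header (the last is the load balancer's own address); anything earlier in the list was supplied by the client and is unverified.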
Task 4. Configure the HTTP load balancer
Next, you will configure the HTTP load balancer to balance traffic between the two backends (us-central1-mig in us-central1 and europe-west1-mig in europe-west1), as illustrated in the network diagram.
Start the configuration
- In the Navigation menu, select Network Services > Load balancing.
- Click Create load balancer.
- Under Type of load balancer, select Application Load Balancer (HTTP/HTTPS), click Next.
- Under Public facing or internal, select Public facing (external) and click Next.
- Under Global or single region deployment, select Best for global workloads, click Next.
- Under Load balancer generation, select Classic Application Load Balancer, click Next.
- Click Configure.
- For Load Balancer Name, type http-lb.
Configure the backend
Backend services direct incoming traffic to one or more attached backends. Each backend is composed of an instance group and additional serving capacity metadata.
- Click Backend configuration.
- For Backend services & backend buckets, click Create a backend service.
- Specify the following, and leave the remaining settings as their defaults:
  Name: http-backend
  Backend type: Instance group
  Instance group: us-central1-mig
  Port numbers: 80
  Balancing mode: Rate
  Maximum RPS: 50
  Capacity: 100
- Click Done.
- Click Add backend.
- Specify the following, and leave the remaining settings as their defaults:
  Instance group: europe-west1-mig
  Port numbers: 80
  Balancing mode: Utilization
  Maximum backend utilization: 80
  Capacity: 100
- Click Done.
- For Health Check, select Create a health check.
- Specify the following, and leave the remaining settings as their defaults:
  Name: http-health-check
  Protocol: TCP
  Port: 80
- Click Save.
- Check the Enable Logging box.
- Set the Sample Rate to 1.
- Click Create.
Configure the frontend
The host and path rules determine how your traffic will be directed. For example, you could direct video traffic to one backend and direct static traffic to another backend. However, you are not configuring the host and path rules in this lab.
- Click Frontend configuration.
- Specify the following, and leave the remaining settings as their defaults:
  Protocol: HTTP
  IP version: IPv4
  IP address: Ephemeral
  Port: 80
- Click Done.
- Click Add Frontend IP and port.
- Specify the following, and leave the remaining settings as their defaults:
  Protocol: HTTP
  IP version: IPv6
  IP address: Auto-allocate
  Port: 80
- Click Done.
Review and create the HTTP load balancer
- Click Review and finalize.
- Review the Backend services and Frontend.
- Click Create. Wait for the load balancer to be created.
- Click on the name of the load balancer (http-lb).
- Note the IPv4 and IPv6 addresses of the load balancer for the next task. They will be referred to as [LB_IP_v4] and [LB_IP_v6], respectively.
Click Check my progress to verify the objective.
Task 5. Test the HTTP load balancer
Now that you have created the HTTP load balancer for your backends, it is time to verify that traffic is forwarded to the backend service.
Access the HTTP load balancer
- Open a new tab in your browser and navigate to http://[LB_IP_v4]. Make sure to replace [LB_IP_v4] with the IPv4 address of the load balancer.
- If you have a local IPv6 address, try the IPv6 address of the HTTP load balancer by navigating to http://[LB_IP_v6]. Make sure to replace [LB_IP_v6] with the IPv6 address of the load balancer.
Stress test the HTTP load balancer
Next, you will create a new VM to simulate a load on the HTTP load balancer. Then you will determine whether traffic is balanced across both backends when the load is high.
- In the Cloud Console, in the Navigation menu, select Compute Engine > VM instances.
- Click Create instance.
- Specify the following, and leave the remaining settings as their defaults:
  Name: siege-vm
  Region: us-west1
  Zone: us-west1-c
- Click Create. Wait for the siege-vm instance to be created.
- At the Cloud Shell prompt, enter the following command to create an SSH connection to the siege-vm:
- Run the following command to install siege:
- To store the IPv4 address of the HTTP load balancer in an environment variable, run the following command, replacing [LB_IP_v4] with the IPv4 address:
- Verify it with echo:
- To simulate a load, run the following command:
The output should look like this.
Output:
- In the Cloud Console, in the Navigation menu, select Network Services > Load balancing.
- Click http-lb.
- Click Monitoring.
- Monitor the Frontend Location (Total inbound traffic) between North America and the two backends for 2 to 3 minutes.
- Return to the SSH terminal of siege-vm.
- Press CTRL+C to stop siege.
Task 6. Deny the siege-vm
You will now use Google Cloud Armor to deny the siege-vm from accessing the HTTP load balancer.
Create the security policy
Create a Google Cloud Armor security policy with a deny rule for the siege-vm.
- In the Cloud Console, in the Navigation menu, select Compute Engine > VM instances.
- Note the External IP of the siege-vm. This will be referred to as [SIEGE_IP].
- In the Navigation menu, select Network Security > Cloud Armor > Cloud Armor policies.
- Click Create policy.
- Specify the following, and leave the remaining settings as their defaults:
  Name: deny-siege
  Default rule action: Allow
- Click Next step.
- Click Add rule.
- Specify the following, and leave the remaining settings as their defaults:
  Condition > Match: enter the SIEGE_IP
  Action: Deny
  Deny status: 403 (Forbidden)
  Priority: 1000
- Click Done.
- Click Next step.
- Click Add Target.
- For Type, select Load balancer backend service.
- For Target, select http-backend.
- Click Create policy.
Wait for the policy to be created before moving to the next step.
Click Check my progress to verify the objective.
Verify the security policy
Next, you will verify that the siege-vm cannot access the HTTP load balancer.
- Return to the SSH terminal of siege-vm.
- To access the load balancer, run the following:
The output should look like this.
Output:
- Open a new tab in your browser and navigate to http://[LB_IP_v4]. Make sure to replace [LB_IP_v4] with the IPv4 address of the load balancer.
- To simulate a load, run the following command:
The output should look like this.
Output:
Explore the security policy logs to determine whether this traffic is also blocked.
- In the Cloud Console, in the Navigation menu, select Network Security > Cloud Armor > Cloud Armor policies.
- Click deny-siege.
- Click Logs.
- Click View policy logs. Logs Explorer is launched. You should see the logs for the http-lb load balancer.
- Expand a log entry in Query results.
- Expand httpRequest. The request should be from the siege-vm IP address. If not, expand another log entry.
- Expand jsonPayload.
- Expand enforcedSecurityPolicy. Notice that the configuredAction is DENY with the name deny-siege.
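The policy, the repeated request from siege-vm and the log check above can all be driven from a shell, which also makes the "is the policy enforced yet" question answerable without reading siege output by eye. The script below is an added example, not part of the lab: it creates deny-siege with a deny-403 rule at priority 1000 and attaches it to http-backend, repeats the curl request against the load balancer and tallies the status codes, and pulls the enforcedSecurityPolicy log entries that Task 6 inspects in Logs Explorer. Policy, backend and load balancer names are the lab's; SIEGE_IP and LB_IP are taken from the environment as in the lab; the "apply", "probe" and "logs" arguments and the function names are this example's own.

```shell
#!/bin/sh
# Added example; not the lab's own commands. gcloud equivalent of the Cloud Armor
# steps, a status-code tally for the verification requests, and the log query.

# Create the deny-siege policy, its deny-403 rule at priority 1000, and attach it
# to the http-backend backend service (the default rule stays allow).
create_deny_policy() {
  siege_ip=$1
  gcloud compute security-policies create deny-siege \
    --description="Deny the siege-vm stress-test source"
  gcloud compute security-policies rules create 1000 \
    --security-policy=deny-siege \
    --src-ip-ranges="${siege_ip}/32" \
    --action=deny-403
  gcloud compute backend-services update http-backend \
    --security-policy=deny-siege --global
}

# Send $2 requests (default 10) to $1 and print one HTTP status code per line.
probe_lb() {
  url=$1; count=${2:-10}; i=0
  while [ "$i" -lt "$count" ]; do
    curl -s -o /dev/null -w '%{http_code}\n' "$url"
    i=$((i + 1))
  done
}

# Read status codes from stdin and report whether the policy is enforced:
# "denied" (all 403), "allowed" (no 403), "mixed" (policy still propagating),
# or "no-data" (nothing was read).
classify_statuses() {
  total=0; denied=0
  while read -r code; do
    [ -n "$code" ] || continue
    total=$((total + 1))
    if [ "$code" = 403 ]; then denied=$((denied + 1)); fi
  done
  if [ "$total" -eq 0 ]; then echo no-data
  elif [ "$denied" -eq "$total" ]; then echo denied
  elif [ "$denied" -eq 0 ]; then echo allowed
  else echo mixed
  fi
}

# The same evidence the console's "View policy logs" shows: the source address
# and the action the policy applied to each request.
policy_log_entries() {
  gcloud logging read \
    'resource.type="http_load_balancer" AND jsonPayload.enforcedSecurityPolicy.name="deny-siege"' \
    --limit=20 \
    --format='value(httpRequest.remoteIp,jsonPayload.enforcedSecurityPolicy.configuredAction)'
}

case "${1:-}" in
  apply) create_deny_policy "${SIEGE_IP:?set SIEGE_IP to the siege-vm external address}" ;;
  probe) probe_lb "http://${LB_IP:?set LB_IP to the load balancer IPv4 address}" 10 | classify_statuses ;;
  logs)  policy_log_entries ;;
esac
```

Run with "probe" from siege-vm right after creating the policy and you will typically see "mixed" for a short while before it settles to "denied", which is the propagation delay the lab accounts for by telling you to wait for the policy to be created. Run "probe" from any other host and it should stay "allowed", since the default rule action is allow and only the siege-vm address is matched.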
Congratulations!
In this lab, you have configured an HTTP load balancer with backends in us-central1 and europe-west1. Then you stress-tested the load balancer with a VM and denied the IP address of that VM with Google Cloud Armor. In addition, you were able to explore the security policy logs to identify why the traffic was blocked.
End your lab
When you have completed your lab, click End Lab. Google Cloud Skills Boost removes the resources you’ve used and cleans the account for you.
You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.
The number of stars indicates the following:
- 1 star = Very dissatisfied
- 2 stars = Dissatisfied
- 3 stars = Neutral
- 4 stars = Satisfied
- 5 stars = Very satisfied
You can close the dialog box if you don't want to provide feedback.
For feedback, suggestions, or corrections, please use the Support tab.
Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.