Intrusion prevention service monitors your Google Cloud workload traffic for any malicious activity and takes preemptive actions to prevent it. To enable this service on your network, you must set up multiple Cloud Next Generation Firewall components. This tutorial describes the end-to-end workflow to configure intrusion prevention service in your network.
Objectives
This tutorial shows you how to complete the following tasks:
- Create a Virtual Private Cloud (VPC) network with two subnets.
- Create a server virtual machine (VM) instance in the first subnet of the VPC network and install the Apache server on the VM.
- Create a client VM instance in the second subnet of the VPC network.
- Create a security profile and a security profile group.
- Create a firewall endpoint and associate it with the VPC network.
- Add a global network firewall policy with the following firewall rules:
- A firewall rule to enable Identity-Aware Proxy (IAP) access to the VM instances in the VPC network.
- A firewall rule to direct all ingress traffic for Layer 7 inspection.
- Verify whether malicious traffic to the server VM instance is blocked.
- Clean up the resources.
The following diagram shows the high-level architecture of the deployment setup
in this tutorial. The firewall policy fw-policy-ips
on VPC vpc-ips
, redirects the ingress traffic to the firewall endpoint in zone asia-southeast1-a
. The firewall endpoint endpoint-ips
inspects the traffic
for any threats. If any threat is detected, it applies the preventive actions by
using the directions specified in the security profile sec-profile-ips
.
Costs
There is a cost associated with creating the firewall endpoints. For pricing details, see Cloud Next Generation Firewall pricing .
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project .
-
Make sure that billing is enabled for your Google Cloud project .
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project .
-
Make sure that billing is enabled for your Google Cloud project .
- Enable the Compute Engine API for your project.
- Enable the Network Security API for your project.
- Enable the Identity-Aware Proxy API for your project.
- Have the Compute Network Admin
(
roles/compute.networkAdmin
) IAM role on your organization. - If you prefer to work from the command line, install the Google Cloud CLI.
For conceptual and installation information about the tool, see gcloud CLI overview
.
Note: If you haven't run the gcloud CLI previously, first run
gcloud init
to initialize your gcloud CLI directory.
Create a custom VPC network with subnets
In this section, you create a custom mode VPC network with two IPv4 subnets.
Console
-
In the Google Cloud console, go to the VPC networkspage.
-
Click Create VPC network.
-
For Name, enter
vpc-ips
. -
For Description, enter
VPC network to set up intrusion prevention service
. -
For Subnet creation mode, select Custom.
-
In the New subnetsection, specify the following configuration parameters for a subnet:
- Name:
subnet-ips-server
- Region:
asia-southeast1
- IPv4 range:
10.0.0.0/24
- Name:
-
Click Done.
-
Click Add subnetand specify the following configuration parameters:
- Name:
subnet-ips-client
- Region:
us-central1
- IPv4 range:
192.168.10.0/24
- Name:
-
Click Done.
-
Click Create.
gcloud
-
To create a VPC network, run the following command:
gcloud compute networks create vpc-ips \ --subnet-mode custom \ --description "VPC network to set up intrusion prevention service."
-
In the Authorize cloud shelldialog, click Authorize.
-
To create a subnet, run the following command:
gcloud compute networks subnets create subnet-server-ips \ --network vpc-ips \ --region asia-southeast1 \ --range 10.0.0.0/24
-
To create another subnet, run the following command:
gcloud compute networks subnets create subnet-client-ips \ --network vpc-ips \ --region us-central1 \ --range 192.168.10.0/24
Create VM instances
In this section, you create server and client VM instances.
Create the server VM instance
In this section, you create a VM instance in the subnet subnet-server-ips
and
install the Apache server on it.
Console
-
In the Google Cloud console, go to the Create an instancepage.
-
For Name, enter
vm-server-ips
. -
For Region, select
asia-southeast1 (Singapore)
. -
For Zone, select
asia-southeast1-a
. -
In the Boot disksection, select Change, and then, for the operating system, select Debian.
-
Click Select.
-
Expand Advanced options, and then expand Networking.
-
In the Network interfacessection, specify the following configuration parameters:
- Network:
vpc-ips
- Subnetwork:
subnet-server-ips IPv4 (10.0.0.0/24)
- Network:
-
Click Done.
-
Expand the Managementsection.
-
In the Automationsection, add the following startup script:
#! /bin/bash apt update apt -y install apache2 cat <<EOF > /var/www/html/index.html <html><body><p>Hello world.</p></body></html> EOF
-
Click Create.
-
Make a note of the External IPaddress of the server VM after it is created.
gcloud
To create the server VM, run the following command:
gcloud compute instances create vm-server-ips \ --network vpc-ips \ --zone asia-southeast1-a \ --subnet subnet-server-ips \ --stack-type IPV4_ONLY \ --image-project debian-cloud \ --image-family debian-11 \ --metadata=startup-script='#! /bin/bash apt update apt -y install apache2 cat <<EOF > /var/www/html/index.html <html><body><p>Hello World.</p></body></html> EOF'
Make a note of the external IP address of the VM in the returned status.
Create the client VM instance
In this section, you create a VM instance in the subnet subnet-client-ips
.
Console
-
In the Google Cloud console, go to the Create an instancepage.
-
For Name, enter
vm-client-ips
. -
For Region, select
us-central1
. -
For Zone, select
us-central1-a
. -
Expand Advanced options, and then expand Networking.
-
In the Network interfacessection, specify the following configuration parameters:
- Network:
vpc-ips
- Subnetwork:
subnet-client-ips IPv4 (192.168.10.0/24)
- Network:
-
Click Done.
-
Click Create.
gcloud
To create the client VM, run the following command:
gcloud compute instances create vm-client-ips \ --network vpc-ips \ --zone us-central1-a \ --subnet subnet-client-ips \ --stack-type IPV4_ONLY
Create a security profile
In this section, you create a security profile of type threat-prevention
in
your organization. To view the permissions required to create a security
profile, see Permissions required for this task
.
Console
-
In the Google Cloud console, go to the Security profilespage.
-
In the project selector menu, select your organization.
-
Select the Security profilestab.
-
Click Create profile.
-
For Name, enter
sec-profile-ips
. -
For Description, enter
Security profile to set up intrusion prevention service
. -
Click Continue.
-
Click Create.
gcloud
To create a security profile, run the following command:
gcloud network-security security-profiles \ threat-prevention \ create sec-profile-ips \ --organization ORGANIZATION_ID \ --location global \ --project PROJECT_ID \ --description "Security profile to set up intrusion prevention service."
Replace the following:
-
ORGANIZATION_ID
: the organization where the security profile is created. -
PROJECT_ID
: a project ID to use for quotas and access restrictions on the security profile.
Create a security profile group
In this section, you create a security profile group to include the security profile that you created in the preceding section. To view the permissions required to create a security profile group, see Permissions required for this task .
Console
-
In the Google Cloud console, go to the Security profilespage.
-
In the project selector menu, select your organization.
-
Select the Security profile groupstab.
-
Click Create profile group.
-
For Name, enter
sec-profile-group-ips
. -
For Description, enter
Security profile group to set up intrusion prevention service
. -
In the Threat prevention profilelist, select
sec-profile-ips
. -
Click Create.
gcloud
To create a security profile group, run the following command:
gcloud network-security security-profile-groups \ create sec-profile-group-ips \ --organization ORGANIZATION_ID \ --location global \ --project PROJECT_ID \ --threat-prevention-profile \ organizations/ ORGANIZATION_ID /locations/global/securityProfiles/sec-profile-ips \ --description "Security profile group to set up intrusion prevention service."
Replace the following:
-
ORGANIZATION_ID
: the organization where the security profile group is created. -
PROJECT_ID
: a project ID to use for quotas and access restrictions on the security profile group.
Create a firewall endpoint
In this section you create a firewall endpoint in a specific zone. To view the permissions required to create a firewall endpoint, see Permissions required for this task .
Note: When you create a firewall endpoint, the state of
the firewall endpoint is set to Creating
. After the firewall endpoint is
ready, the state changes to Active
.
Console
-
In the Google Cloud console, go to the Firewall endpointspage.
-
In the project selector menu, select your organization.
-
Click Create.
-
In the Regionlist, select
asia-southeast1 (Singapore)
. -
In the Zonelist, select
asia-southeast1-a
. -
For Name, enter
endpoint-ips
. -
Click Create.
gcloud
To create a firewall endpoint, run the following command:
gcloud network-security firewall-endpoints \ create endpoint-ips \ --organization ORGANIZATION_ID \ --zone asia-southeast1-a \ --billing-project PROJECT_ID
Replace the following:
-
ORGANIZATION_ID
: the organization where the firewall endpoint is created. -
PROJECT_ID
: a project ID to use for the billing of the firewall endpoint.
Create a firewall endpoint association
In this section, you associate the firewall endpoint to the VPC network that you created in the preceding step.
Console
-
In the Google Cloud console, go to the VPC networkspage.
-
Click the
vpc-ips
network to show its VPC network detailspage. -
Select the Firewall endpointtab.
-
Click Add endpoint association.
-
In the Regionlist, select
asia-southeast1
. -
In the Zonelist, select
asia-southeast1-a
. -
In the Firewall endpointlist, select
endpoint-ips
. -
Click Create.
gcloud
To create a firewall endpoint association, run the following command:
gcloud network-security firewall-endpoint-associations \ create endpoint-association-ips \ --endpoint organizations/ ORGANIZATION_ID /locations/asia-southeast1-a/firewallEndpoints/endpoint-ips \ --network vpc-ips \ --zone asia-southeast1-a \ --project PROJECT_ID
Replace the following:
-
ORGANIZATION_ID
: the organization where the firewall endpoint is created. -
PROJECT_ID
: a project ID where the association is created.
Create a global network firewall policy
In this section, you create a global network firewall policy that contains the following two firewall rules:
- An ingress firewall rule with priority
100
to allow TCP traffic to ports3389
and22
. This rule enables IAP access to the VM instances in the VPC network. - An ingress firewall rule with priority
200
to perform Layer 7 inspection on the incoming traffic to the server VM in a specific zone.
Console
-
In the Google Cloud console, go to the Firewall policiespage.
-
In the project selector list, select your project within your organization.
-
Click Create firewall policy.
-
For Name, enter
fw-policy-ips
. -
For Deployment scope, select Global.
-
Click Continue, and then click Add rule.
-
In the Priorityfield, enter
100
. -
For Logs, select On.
-
For Direction of traffic, select Ingress.
-
For Action on match, select Allow.
-
For the Sourcefilter, select IPv4, and then in the IP rangefield enter
35.235.240.0/20
. -
In the Protocols and portssection, select Specified protocols and ports.
-
Select TCP, and for Ports, enter
22,3389
. -
Click Create.
-
Click Add rule.
-
In the Priorityfield, enter
200
. -
For Logs, select On.
-
For Direction of traffic, select Ingress.
-
For Action on match, select Proceed to L7 inspection.
-
In the Security profile grouplist, select
sec-profile-group-ips
. -
In the Destinationfilter, select IPv4, and then in the IP rangefield enter the external IP address of the server VM that you created in the Create the server VM instances section.
-
Click Create.
-
Click Continue.
-
Click Associate policy with VPC networks.
-
Select
vpc-ips
network. -
Click Associate.
-
Click Create.
gcloud
-
To create a global network firewall policy, run the following command:
gcloud compute network-firewall-policies \ create fw-policy-ips \ --global \ --project PROJECT_ID
Replace the following:
-
PROJECT_ID
: a project ID where the global network firewall policy is created.
-
-
To add the firewall rule to enable IAP access, run the following command:
gcloud compute network-firewall-policies rules create 100 \ --firewall-policy fw-policy-ips \ --direction INGRESS \ --action ALLOW \ --src-ip-ranges 35.235.240.0/20 \ --layer4-configs tcp:22, tcp:3389 \ --global-firewall-policy \ --enable-logging
-
To add the firewall rule to enable Layer 7 inspection for threat prevention and detection, run the following command:
gcloud compute network-firewall-policies rules create 200 \ --direction INGRESS \ --firewall-policy fw-policy-ips \ --action apply_security_profile_group \ --dest-ip-ranges SERVER_VM_IP \ --layer4-configs tcp:0-65535 \ --global-firewall-policy \ --security-profile-group \ //networksecurity.googleapis.com/organizations/ ORGANIZATION_ID \ /locations/global/securityProfileGroups/sec-profile-group-ips \ --enable-logging
Replace the following:
-
SERVER_VM_IP
: the external IP address of the server VM that you created in the Create the server VM instances section. -
ORGANIZATION_ID
: the organization where the secure profile group is created.
-
-
To associate the firewall policy with the VPC network, run the following command:
gcloud compute network-firewall-policies associations create \ --firewall-policy fw-policy-ips \ --network vpc-ips \ --name fw-pol-association-ips \ --global-firewall-policy \ --project PROJECT_ID
Replace the following:
-
PROJECT_ID
: the project ID where the VPC association is created.
-
Test the setup
In this section, you generate the traffic that is intercepted by the endpoint, and the global network firewall policy is applied to perform Layer 7 inspection.
Console
-
In the Google Cloud console, go to the VM instancespage.
-
From the External IPcolumn of the
vm-server-ips
VM, copy the external IP address of the VM. -
In the Connectcolumn of the
vm-client-ips
VM, click SSH. -
In the SSH-in-browserdialog, click Authorizeand wait for the connection to establish.
-
To verify whether a non-threat request isn't blocked, run the following command:
curl EXTERNAL_IP -m 2
Replace
EXTERNAL_IP
with the external IP of thevm-server-ips
VM.The expected response message is as follows:
<!doctype html><html><body><h1>Hello World!</h1></body></html>
-
To verify that a malicious request is blocked, run the following command. This command sends a request to access the password file, which is forbidden.
curl -m 2 EXTERNAL_IP :80/cgi-bin/../../../../bin/cat%20/etc/passwd/
Replace
EXTERNAL_IP
with the external IP ofvm-server-ips
VM.A
Connection timed out
message is expected because the firewall endpoint detects the threat in the request and blocks the packet. -
Close the SSH-in-browserdialog.
gcloud
-
To connect to the
vm-client-ips
VM, run the following command:gcloud compute ssh vm-client-ips \ --zone=us-central1-a \ --tunnel-through-iap
When prompted, press Y to confirm, and then press Enter .
-
To verify whether a non-threat request isn't blocked, run the following command:
curl EXTERNAL_IP -m 2
Replace
EXTERNAL_IP
with the external IP of thevm-server-ips
VM.The expected response message is as follows:
<!doctype html><html><body><h1>Hello World!</h1></body></html>
-
To verify that a malicious request is blocked, run the following command:
curl -m 2 EXTERNAL_IP :80/cgi-bin/../../../../bin/cat%20/etc/passwd/
Replace
EXTERNAL_IP
with the external IP of thevm-server-ips
VM.A
Connection timed out
message is expected because the firewall endpoint detects the threat in the request and blocks the packet. -
To close the SSH-in-browser, enter
exit
.
View the threat logs
-
In the Google Cloud console, go to the Threatspage.
-
If necessary, select your Google Cloud project.
-
In the Threatsection, you can see the logs entry for the threat detected on your
vpc-ips
network.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.
In this section, you delete the resources created in this tutorial.
Delete the firewall endpoint association
Console
-
In the Google Cloud console, go to the VPC networkspage.
-
Click the
vpc-ips
network to show its VPC network detailspage. -
Select the Firewall endpointtab. The tab shows a list of configured firewall endpoint associations.
-
Select the checkbox next to
endpoint-ips
, and then click Delete. -
Click Deleteagain to confirm.
gcloud
To delete the firewall endpoint association, run the following command: yes,
gcloud network-security firewall-endpoint-association
delete endpoint-ips
--zone asia-southeast1-a
Delete the firewall endpoint
Console
-
In the Google Cloud console, go to the Firewall endpointspage.
-
Select
endpoint-ips
, and then click Delete. -
Click Deleteagain to confirm.
gcloud
To delete the firewall endpoint, run the following commands:
gcloud network-security firewall-endpoints delete endpoint-ips \ --organization ORGANIZATION_ID \ --zone asia-southeast1-a
Replace the following:
-
ORGANIZATION_ID
: the organization where the endpoint is created.
Delete the global network firewall endpoint policy
Console
-
In the Google Cloud console, go to the Firewall policiespage.
-
In the project selector menu, select your project that contains the policy.
-
Click
fw-policy-ips
. -
Click the Associationstab.
-
Select all associations.
-
Click Remove Associations.
-
After all associations are removed, click Delete.
gcloud
-
To remove the association between firewall policy and VPC network, run the following command:
gcloud compute network-firewall-policies associations delete \ --name fw-pol-association-ips \ --firewall-policy fw-policy-ips \ --global-firewall-policy
-
Delete the firewall policy.
gcloud compute network-firewall-policies delete fw-policy-ips --global
When prompted, press Y to confirm, and then press Enter .
Delete the security profile group
Console
-
In the Google Cloud console, go to the Security profilespage.
-
Select the Security profile groupstab.
-
Select
sec-profile-group-ips
, and then click Delete. -
Click Deleteagain to confirm.
gcloud
To delete the security profile group, run the following command:
gcloud network-security security-profile-groups \ delete sec-profile-group-ips \ --organization ORGANIZATION_ID \ --location global
Replace the following:
-
ORGANIZATION_ID
: the organization where the security profile group is created.
Delete the security profile
Console
-
In the Google Cloud console, go to the Security profilespage.
-
Select the Security profilestab. The tab shows a list of configured security profiles.
-
Select
sec-profile-ips
, and then click Delete. -
Click Deleteagain to confirm.
gcloud
To delete the security profile, run the following command:
gcloud network-security security-profiles threat-prevention \ delete sec-profile-ips \ --organization ORGANIZATION_ID \ --location global
Replace the following:
-
ORGANIZATION_ID
: the organization where the security profile is created.
Delete the VMs
Console
-
In the Google Cloud console, go to the VM instancespage.
-
Select the checkboxes of both the
vm-client-ips
andvm-server-ips
VMs. -
Click Delete.
-
In the Delete 2 instances?dialog, click Delete.
gcloud
-
To delete the
vm-client-ips
VM, run the following command:gcloud compute instances delete vm-client-ips \ --zone us-central1-a
When prompted, press Y to confirm, and then press Enter .
-
To delete the
vm-server-ips
VM, run the following command:gcloud compute instances delete vm-server-ips \ --zone asia-southeast1-a
When prompted, press Y to confirm, and then press Enter .
Delete the VPC network and its subnets
Console
-
In the Google Cloud console, go to the VPC networkspage.
-
In the Namecolumn, click
vpc-ips
. -
Click Delete VPC network.
-
In the Delete a networkdialog, click Delete.
When you delete a VPC, its subnets are also deleted.
gcloud
-
To delete the subnet
subnet-ips-client
of thevpc-ips
VPC network, run the following command:gcloud compute networks subnets delete subnet-ips-client \ --region us-central1
When prompted, press Y to confirm, and then press Enter .
-
To delete the subnet
subnet-ips-server
of thevpc-ips
VPC network, run the following command:gcloud compute networks subnets delete subnet-ips-server \ --region=asia-southeast1
When prompted, press Y to confirm, and then press Enter .
-
To delete the
vpc-ips
VPC network, run the following command:gcloud compute networks delete vpc-ips
What's next
- For conceptual information about intrusion prevention service, see Intrusion prevention service overview .
- For conceptual information about firewall policies, see Firewall policies .
- For conceptual information about firewall policy rules, see Firewall policy rules .
- To determine costs, see Cloud NGFW pricing .