Set up Load Balancer with Cloud Armor and Identity-Aware Proxy Step-by-Step Guide

Lucas Nogueira
Google Cloud - Community
7 min read · Jul 6, 2024

This guide walks you through configuring a Load Balancer with Cloud Armor's security capabilities and Identity-Aware Proxy (IAP) for access control, entirely from the Google Cloud Console.

Step 1: Create a Backend Service with Cloud Armor

On the Load balancing page, open the “Backends” tab and click “Create backend service” to proceed.

In the pop-up that appears, you have the option to create either a global or regional backend service. For this example, we will proceed with creating a global backend service.

The next step is to configure our backend service by opening the configuration prompt.

We won’t delve deeply into the various backend types, but you can learn about them in the backend services overview documentation. Please provide a name and description for your backend.

In this illustrative example, we will employ a serverless network endpoint group (NEG), often referred to as a serverless NEG.

Customize the backend service configuration to align with your specific application requirements. Options include defining the backend type, implementing a cache policy, configuring node affinity, and making other adjustments tailored to your application’s unique needs.

After completing the backend configuration, navigate to the Security section, where Cloud Armor is attached. Cloud Armor acts as a Web Application Firewall (WAF) in front of the backend, filtering malicious requests before they reach your application.

Within the Cloud Armor backend security policy, opt for the “None” option. We’ll configure Cloud Armor later in this guide.

Step 2: Create a Load Balancer

To set up the load balancer, the subsequent step is to create one. To do so, navigate to the load balancing page and select “Create Load Balancer”.

On the “Create load balancer” page, you will be presented with various configuration options. We will focus on creating a public-facing Application Load Balancer, but you can select the options that best align with your specific use case.

  • Step 1: Select the desired load balancer type and click “Next.”
  • Step 2: Choose “Public facing (external)” when prompted for public-facing or internal deployment. Then, click “Next.”
  • Step 3: Select “Best for global workloads” when asked for global or single region deployment.
  • Step 4: Select “Global external Application Load Balancer” for the load balancer generation. This option is recommended by Google Cloud and offers the most versatility.
  • Step 5: Review the overview of the load balancer you are creating. Once satisfied, click “Configure” to proceed.

Clicking “Configure” opens a separate window where you enter the details of the load balancer.

When setting up your load balancer, start by assigning it a unique name. Next, configure the Frontend and Backend settings. Choose your preferred IP version, commonly IPv4, and specify the IP address to use.

This example uses an ephemeral IP address, but a static IP address is also an option; a static address is particularly useful if you are not using Cloud DNS.

Later in this guide, we configure Cloud DNS and use the ephemeral address in that process.

Within the backend section, select the backend service that was created during the preceding step.

In the “Routing” section, we will retain the default settings. When we reach the review pages, we will verify that all configurations match our expectations before proceeding with the creation of the load balancer.

Once everything is in place, click “Create” and wait for the load balancer to be created.
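For readers who prefer the command line, the following is an added example (not code from the original article) showing the gcloud equivalent of Steps 1 and 2: a serverless NEG, a global backend service with no Cloud Armor policy attached yet, and the URL map, certificate, HTTPS proxy and forwarding rule that make up a global external Application Load Balancer. The project ID, region, Cloud Run service, resource names and domain are all placeholders you would replace; `DRY_RUN=1` prints each command instead of executing it so the plan can be reviewed first.

```shell
#!/bin/sh
# Added example: gcloud equivalent of Steps 1-2 of the guide.
# Every value below is a placeholder (assumption), override via environment.
set -eu

PROJECT="${PROJECT:-my-project-id}"
REGION="${REGION:-us-central1}"              # must match the Cloud Run service's region
RUN_SERVICE="${RUN_SERVICE:-my-app}"         # placeholder Cloud Run service name
NEG="${NEG:-my-app-neg}"
BACKEND="${BACKEND:-my-app-backend}"
URLMAP="${URLMAP:-my-app-urlmap}"
CERT="${CERT:-my-app-cert}"
TARGET_PROXY="${TARGET_PROXY:-my-app-https-proxy}"
RULE="${RULE:-my-app-fwd-rule}"
DOMAIN="${DOMAIN:-app.example.com}"          # placeholder domain for the managed cert

# DRY_RUN=1 prints each gcloud command instead of running it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: serverless NEG pointing at the Cloud Run service, then a global
# backend service (Cloud Armor policy left at "None", as in the guide).
create_backend_service() {
  run gcloud compute network-endpoint-groups create "$NEG" \
    --project="$PROJECT" --region="$REGION" \
    --network-endpoint-type=serverless --cloud-run-service="$RUN_SERVICE"
  run gcloud compute backend-services create "$BACKEND" \
    --project="$PROJECT" --global --load-balancing-scheme=EXTERNAL_MANAGED
  run gcloud compute backend-services add-backend "$BACKEND" \
    --project="$PROJECT" --global \
    --network-endpoint-group="$NEG" --network-endpoint-group-region="$REGION"
}

# Step 2: URL map -> Google-managed certificate -> HTTPS proxy -> global
# forwarding rule. No --address is given, so the rule gets an ephemeral IP;
# pass a reserved address name there to use a static IP instead.
create_load_balancer() {
  run gcloud compute url-maps create "$URLMAP" \
    --project="$PROJECT" --global --default-service="$BACKEND"
  run gcloud compute ssl-certificates create "$CERT" \
    --project="$PROJECT" --global --domains="$DOMAIN"
  run gcloud compute target-https-proxies create "$TARGET_PROXY" \
    --project="$PROJECT" --global --url-map="$URLMAP" --ssl-certificates="$CERT"
  run gcloud compute forwarding-rules create "$RULE" \
    --project="$PROJECT" --global --load-balancing-scheme=EXTERNAL_MANAGED \
    --target-https-proxy="$TARGET_PROXY" --ports=443
}

# The address you will publish in DNS in Step 3.
load_balancer_ip() {
  run gcloud compute forwarding-rules describe "$RULE" \
    --project="$PROJECT" --global --format='value(IPAddress)'
}
```

Run `DRY_RUN=1 sh lb.sh` style review first; then call `create_backend_service`, `create_load_balancer` and `load_balancer_ip` in that order. The managed certificate only becomes active after the DNS record from Step 3 points at the load balancer's address, so HTTPS will not work until then.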

Step 3: Add an A record in Cloud DNS

To direct our domain to the load balancer effectively, we need to modify the DNS configuration by adding an A record. This A record should specify the IP address of the load balancer, ensuring that traffic is routed appropriately.

To obtain the IP address associated with your recently created load balancer, navigate to the load balancers list for your project. Once there, click on the specific load balancer you just created.

From the load balancer details page, you can access information about your load balancer’s configuration. Locate the load balancer’s IP address and copy it. This IP address will be used later to configure the DNS in Cloud DNS.

Once you have the IP address, open Cloud DNS in the console to configure the DNS settings.

To create a new DNS zone in Cloud DNS, click the “Create zone” button and fill out the form with your domain name.

Note: You can register a domain name by using Cloud Domains or another domain registrar of your choice. Cloud Domains lets you manage domains by using the Cloud Domains API.

To create a zone, complete the required fields in the form and click “Create.” You can select any zone name. As for the remaining fields, leave them at their default values.

After creating the DNS zone, the next step is to add an A record that directs traffic to the load balancer’s IP address.

To add a record set to your zone in Cloud DNS, follow these steps:

  1. Navigate to the Cloud DNS portal.
  2. Select your desired zone.
  3. Click on the “Record sets” tab.
  4. Click on the “Add Standard” button.

In the form that appears, enter the load balancer's IP address as the record's value and click “Create.”

With this step completed, your domain will be directed to the load balancer through the DNS configuration.
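The same zone and A record can be created from the command line. The following is an added example (not from the original article); the project ID, zone name, domain and the TEST-NET address `203.0.113.10` are placeholders. The `is_ipv4` check is a small guard I added so that a mis-pasted value is rejected before it is written into DNS.

```shell
#!/bin/sh
# Added example: gcloud equivalent of Step 3 (Cloud DNS zone + A record).
# Every value below is a placeholder (assumption).
set -eu

PROJECT="${PROJECT:-my-project-id}"
ZONE="${ZONE:-app-zone}"
DNS_NAME="${DNS_NAME:-example.com.}"           # zone apex; trailing dot required
RECORD_NAME="${RECORD_NAME:-app.example.com.}" # hostname served by the load balancer

# DRY_RUN=1 prints each gcloud command instead of running it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accepts only a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

create_zone() {
  run gcloud dns managed-zones create "$ZONE" --project="$PROJECT" \
    --dns-name="$DNS_NAME" --description="Zone for $DNS_NAME" --visibility=public
}

# Point the hostname at the load balancer. A short TTL keeps the record easy
# to change if the (ephemeral) address is ever replaced.
add_a_record() {
  ip="$1"
  is_ipv4 "$ip" || { echo "refusing to publish non-IPv4 value: $ip" >&2; return 1; }
  run gcloud dns record-sets create "$RECORD_NAME" --project="$PROJECT" \
    --zone="$ZONE" --type=A --ttl=300 --rrdatas="$ip"
}
```

Usage: `create_zone` once, then `add_a_record "$(gcloud compute forwarding-rules describe RULE --global --format='value(IPAddress)')"`. Remember that the zone's name servers must be delegated at your registrar before the record resolves publicly.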

Step 4: Activate Identity-Aware Proxy (IAP) within the load balancer configuration

To enable Identity-Aware Proxy (IAP) for your load balancer, navigate to the Identity-Aware Proxy panel accessible from the Main Menu under Security > IAP. This panel provides a comprehensive list of your backend services.

To configure Identity-Aware Proxy (IAP) for your backend service, click the toggle next to it.

Clicking the toggle opens a pop-up with a checkbox confirming that you have reviewed the configuration requirements linked from the pop-up. Tick the checkbox, select “Turn On,” and wait while the Identity-Aware Proxy (IAP) service is enabled.

Excellent! You have now successfully configured and enabled Identity-Aware Proxy (IAP) for your load balancer.
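The console toggle corresponds to enabling IAP on the backend service. The following added example (not from the original article) does that with gcloud and also covers two things the toggle alone does not: granting a principal the IAP-secured Web App User role, without which every request is rejected, and restricting the Cloud Run service's ingress so that it only accepts traffic that arrived through the load balancer (otherwise IAP can be skipped by calling the service's own run.app URL). The project ID, backend and service names, region and the `group:app-users@example.com` member are placeholders.

```shell
#!/bin/sh
# Added example: gcloud equivalent of Step 4 (enable IAP) plus the two
# follow-ups a practitioner needs. All values are placeholders (assumptions).
set -eu

PROJECT="${PROJECT:-my-project-id}"
BACKEND="${BACKEND:-my-app-backend}"
RUN_SERVICE="${RUN_SERVICE:-my-app}"
REGION="${REGION:-us-central1}"
MEMBER="${MEMBER:-group:app-users@example.com}"  # who may pass through IAP

# DRY_RUN=1 prints each gcloud command instead of running it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The console toggle: turn IAP on for the backend service.
enable_iap() {
  run gcloud compute backend-services update "$BACKEND" \
    --project="$PROJECT" --global --iap=enabled
}

# IAP only adds the checkpoint; grant the role so the intended users can pass.
grant_access() {
  run gcloud iap web add-iam-policy-binding --project="$PROJECT" \
    --resource-type=backend-services --service="$BACKEND" \
    --member="$MEMBER" --role=roles/iap.httpsResourceAccessor
}

# Close the side door: accept only traffic that came through the load
# balancer (or from inside the VPC), never directly from the internet.
restrict_ingress() {
  run gcloud run services update "$RUN_SERVICE" \
    --project="$PROJECT" --region="$REGION" \
    --ingress=internal-and-cloud-load-balancing
}

# Quick check that IAP is actually on for the backend service.
iap_status() {
  run gcloud compute backend-services describe "$BACKEND" \
    --project="$PROJECT" --global --format='value(iap.enabled)'
}
```

Call `enable_iap`, `grant_access` and `restrict_ingress` in any order; `iap_status` should print `True` once the update has propagated. Access is granted per backend service, so each IAP-protected backend needs its own binding.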

Step 5: Craft a Cloud Armor Security Policy

From the main menu in the Google Cloud console, navigate to Network Security > Cloud Armor policies. Then, click the “Create policy” button to begin setting up a new policy.

When creating a security policy, you’ll be presented with a basic configuration. The default setting is “Deny All.” Consider reviewing the documentation regarding Google Cloud Armor security policies to gain a deeper understanding of the available options. You can then customize your security policies to align with your specific requirements.

After configuring the rules (in this example, using the default values), you will proceed to the “Apply policy to targets” section.

In the second step of the policy wizard, select the backend service created in Step 1 of this guide. Then click “Create policy” to finish.
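The following added example (not from the original article) builds the same policy with gcloud and attaches it to the backend service. Unlike the console flow above, a policy created with gcloud starts with a default rule that allows all traffic, so the script first switches that default rule (priority 2147483647, the lowest) to deny, then adds an allow rule for the client ranges you trust and a preconfigured WAF rule ahead of it. The project ID, policy and backend names, and the `203.0.113.0/24` range are placeholders.

```shell
#!/bin/sh
# Added example: gcloud equivalent of Step 5 (Cloud Armor policy).
# All values are placeholders (assumptions).
set -eu

PROJECT="${PROJECT:-my-project-id}"
BACKEND="${BACKEND:-my-app-backend}"
POLICY="${POLICY:-my-app-policy}"
ALLOWED_RANGES="${ALLOWED_RANGES:-203.0.113.0/24}"  # placeholder trusted client range

# DRY_RUN=1 prints each gcloud command instead of running it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the policy and make its default rule "Deny All", matching the guide.
create_policy() {
  run gcloud compute security-policies create "$POLICY" \
    --project="$PROJECT" --description="Policy for $BACKEND"
  run gcloud compute security-policies rules update 2147483647 \
    --project="$PROJECT" --security-policy="$POLICY" --action=deny-403
}

# Rules are evaluated from the lowest priority number upward. Priority 1000
# rejects requests that match Google's preconfigured SQL-injection signature
# set; priority 2000 lets the trusted ranges through. Everything else falls
# to the default deny. Add --preview to a rule to log matches without
# enforcing it while you tune the policy.
add_rules() {
  run gcloud compute security-policies rules create 1000 \
    --project="$PROJECT" --security-policy="$POLICY" \
    --expression="evaluatePreconfiguredWaf('sqli-v33-stable')" --action=deny-403
  run gcloud compute security-policies rules create 2000 \
    --project="$PROJECT" --security-policy="$POLICY" \
    --src-ip-ranges="$ALLOWED_RANGES" --action=allow
}

# "Apply policy to targets": attach the policy to the backend service.
attach_policy() {
  run gcloud compute backend-services update "$BACKEND" \
    --project="$PROJECT" --global --security-policy="$POLICY"
}
```

Run `create_policy`, `add_rules`, then `attach_policy`. Cloud Armor is evaluated at the load balancer before IAP, so a denied request never reaches the IAP sign-in page; the policy's rule logs appear in Cloud Logging under the load balancer's request logs, which is where to look when a legitimate client is unexpectedly blocked.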

Congratulations! You have successfully configured a Load Balancer with Cloud Armor and Identity-Aware Proxy (IAP). This setup will provide enhanced security and access control for your applications.


Cloud Security Consultant at Google Cloud. Safeguarding trust through security.