How to Block Chinese IP Traffic on Google Compute Engine to Reduce Ingress Costs


Many GCE users in North America face excessive ingress traffic from Chinese IP ranges, particularly on unusual ports like 11. These unsolicited connections consume bandwidth and increase costs, even when regional firewalls are in place.

The most effective approach layers several Google Cloud networking features; start with a VPC firewall rule:

# Deny rule applied to every instance that carries the protected-instances network tag.
# The source ranges below are only a small sample; a full country list is far longer.
gcloud compute firewall-rules create block-china-ingress \
    --direction=INGRESS \
    --priority=1000 \
    --network=default \
    --action=DENY \
    --rules=tcp:11,udp:11 \
    --source-ranges=1.0.1.0/24,1.0.2.0/23,1.0.8.0/21,1.0.32.0/19 \
    --target-tags=protected-instances \
    --description="Blocks Chinese IP ranges on port 11"

For comprehensive protection of web-facing services, add a Cloud Armor security policy (Cloud Armor evaluates traffic that arrives through an external load balancer, so it does not stop connections made directly to an instance's external IP):

# Create a security policy
gcloud compute security-policies create china-ip-blocker \
    --description "Block Chinese IP ranges"

# Deny requests whose source geolocates to mainland China (region code CN)
gcloud compute security-policies rules create 1000 \
    --security-policy china-ip-blocker \
    --expression "origin.region_code == 'CN'" \
    --action "deny-403" \
    --description "Block all China traffic"

Combine hierarchical firewall rules with network tags for precise control:

# Hierarchical rule at organization level (123456789012 is a placeholder organization ID)
gcloud compute firewall-policies create \
    --short-name=ORG_CHINA_BLOCK \
    --organization=123456789012

gcloud compute firewall-policies rules create 100 \
    --firewall-policy=ORG_CHINA_BLOCK \
    --organization=123456789012 \
    --direction=INGRESS \
    --action=deny \
    --layer4-configs=all \
    --src-ip-ranges=58.16.0.0/13,58.24.0.0/15,58.30.0.0/15 \
    --enable-logging

# The policy only takes effect once it is associated with the organization (or a folder)
gcloud compute firewall-policies associations create \
    --firewall-policy=ORG_CHINA_BLOCK \
    --organization=123456789012

Set up Cloud Monitoring alerts for unusual traffic patterns; the policy below fires on total per-instance ingress rate, not on Chinese sources specifically:

# Alert policy JSON configuration (apply with
#   gcloud alpha monitoring policies create --policy-from-file=alert.json).
# ALIGN_RATE turns the byte counter into bytes per second, so 1000000 means
# roughly 1 MB/s of ingress on one instance sustained for 60s.
{
  "displayName": "China IP Traffic Alert",
  "combiner": "OR",
  "conditions": [
    {
      "displayName": "Instance ingress above 1 MB/s",
      "conditionThreshold": {
        "filter": "metric.type=\"compute.googleapis.com/instance/network/received_bytes_count\" resource.type=\"gce_instance\"",
        "aggregations": [
          {
            "alignmentPeriod": "300s",
            "perSeriesAligner": "ALIGN_RATE"
          }
        ],
        "comparison": "COMPARISON_GT",
        "thresholdValue": 1000000,
        "duration": "60s",
        "trigger": {
          "count": 1
        }
      }
    }
  ]
}

For public-facing services, put the backends behind HTTP(S) Load Balancing and attach the Cloud Armor policy to the backend service; that is where the geographic restriction is enforced:

# Global external HTTP(S) load balancer; the geo restriction comes from the
# china-ip-blocker Cloud Armor policy created earlier, attached to the backend service.
# ZONE and yourdomain.com are placeholders.
gcloud compute backend-services add-backend web-backend-service \
    --instance-group=web-instance-group \
    --instance-group-zone=ZONE \
    --global

gcloud compute backend-services update web-backend-service \
    --security-policy=china-ip-blocker \
    --global

gcloud compute url-maps add-path-matcher web-map \
    --default-service web-backend-service \
    --path-matcher-name china-blocker \
    --new-hosts="*.yourdomain.com"

gcloud compute target-http-proxies create web-proxy \
    --url-map web-map

For complete protection, implement these strategies in combination:

  1. Network-layer blocking through VPC firewall rules
  2. Application-layer protection via Cloud Armor
  3. Continuous monitoring with Cloud Logging
  4. Load balancer geo restrictions where applicable

Remember to test all rules before enforcing blocks in production environments: Cloud Armor rules accept a --preview flag that logs matches without enforcing them, and firewall rule logging shows what a deny rule would have hit.


When running a GCE instance in North America, we've been experiencing significant ingress costs due to unsolicited connection attempts from Chinese IP ranges. Despite having standard firewall rules blocking China (CN IP ranges), we're still seeing SYN packets hitting port 11 (a common scanning target) and other ports.

Google's firewall operates at the instance level, meaning connection attempts still reach your VM before being dropped. Each packet consumes:

  • Network ingress costs
  • Small but measurable CPU cycles
  • Logging overhead

Here are three technical approaches we implemented that reduced unwanted traffic by 99.7%:

1. VPC Firewall Rules with Priority

# The CIDR list is one range per line, and a single VPC firewall rule accepts only
# a limited number of source ranges, so the list is split into chunks and one
# rule is created per chunk (comma-separated, as gcloud expects).
CN_IPS_URL="https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/cn.cidr"
N=0
curl -s "$CN_IPS_URL" | xargs -n 200 | tr ' ' ',' | while read -r RANGES; do
  gcloud compute firewall-rules create "block-china-high-priority-$N" \
    --direction=INGRESS \
    --priority=1000 \
    --network=YOUR_VPC_NETWORK \
    --action=DENY \
    --rules=all \
    --source-ranges="$RANGES" \
    --target-tags=YOUR_INSTANCE_TAG
  N=$((N + 1))
done

2. Cloud Armor Edge Policy

# Create a security policy
gcloud compute security-policies create block-cn-ips \
  --description "Blocks all Chinese IP ranges"

# Add rules (using CIDR list from above). A Cloud Armor rule accepts at most
# 10 source ranges, so the list is added as a series of rules with increasing priority.
CN_IPS_URL="https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/cn.cidr"
PRIORITY=1000
curl -s "$CN_IPS_URL" | xargs -n 10 | tr ' ' ',' | while read -r RANGES; do
  gcloud compute security-policies rules create "$PRIORITY" \
    --security-policy block-cn-ips \
    --description "Deny China" \
    --src-ip-ranges="$RANGES" \
    --action "deny-403"
  PRIORITY=$((PRIORITY + 1))
done

3. Instance-Level IPTables (for additional protection)

#!/bin/bash
# Save as /usr/local/bin/block-cn-ips.sh
# Cron suggestion for a periodic list refresh (daily at 03:00):
#   0 3 * * * /usr/local/bin/block-cn-ips.sh
set -euo pipefail

CN_IPS_URL="https://raw.githubusercontent.com/herrbischoff/country-ip-blocks/master/ipv4/cn.cidr"
IPTABLES_BIN=$(command -v iptables)

# Fetch the list first: if the download fails, keep the existing rules
# rather than flushing them and ending up with no China block at all.
CN_IPS=$(curl -fsS "$CN_IPS_URL") || { echo "download failed, rules unchanged" >&2; exit 1; }

# Flush existing rules
"$IPTABLES_BIN" -F INPUT

# Allow loopback and established connections
"$IPTABLES_BIN" -A INPUT -i lo -j ACCEPT
"$IPTABLES_BIN" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block China (one DROP rule per range; with a full country list this chain is
# long and slow to evaluate, and an ipset-based match is the usual alternative)
for ip in $CN_IPS; do
  "$IPTABLES_BIN" -A INPUT -s "$ip" -j DROP
done

# Add your normal rules below
"$IPTABLES_BIN" -A INPUT -p tcp --dport 22 -j ACCEPT  # SSH
"$IPTABLES_BIN" -A INPUT -p tcp --dport 80 -j ACCEPT  # HTTP
"$IPTABLES_BIN" -A INPUT -p tcp --dport 443 -j ACCEPT # HTTPS

# Default deny
"$IPTABLES_BIN" -P INPUT DROP

After implementation, set up these monitoring tools:

  • Stackdriver logging for blocked connections
  • VPC Flow Logs analysis
  • Billing reports filtered by "Network Internet Egress"

Remember that:

  • CIDR lists need periodic updates (cron job suggestion in the iptables script)
  • Some legitimate traffic might originate from China (CDNs, VPNs)
  • Combine this with other security measures like SSH key authentication
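As an added example (not code from either post above), the following Python script covers two housekeeping tasks the steps rely on: loading a downloaded country CIDR list without letting a blank or malformed line abort the run and splitting it into comma-separated chunks for --source-ranges (step 1), and summarising VPC Flow Log records to count hits from listed ranges and to surface sources probing port 11 that the list does not yet cover (the monitoring and periodic-update points). The CIDR text, the flow-log records and their jsonPayload shape are constructed assumptions.

```python
import ipaddress
import json
from collections import Counter

# Constructed blocklist in the one-range-per-line layout of the country-ip-blocks files.
CN_CIDR_TEXT = """1.0.1.0/24
1.0.2.0/23
58.16.0.0/13
not-a-range
"""

# Constructed VPC Flow Log records (jsonPayload shape assumed); 203.0.113.5 is a
# documentation address standing in for a scanner that is not on the list.
FLOW_LOG_LINES = [
    '{"jsonPayload":{"connection":{"src_ip":"1.0.1.7","dest_port":11},"bytes_sent":"60"}}',
    '{"jsonPayload":{"connection":{"src_ip":"58.17.4.9","dest_port":22},"bytes_sent":"120"}}',
    '{"jsonPayload":{"connection":{"src_ip":"203.0.113.5","dest_port":11},"bytes_sent":"60"}}',
    '{"jsonPayload":{"connection":{"src_ip":"1.0.3.200","dest_port":11},"bytes_sent":"60"}}',
]

def parse_cidrs(text):
    """Load a CIDR list, skipping blank, comment and malformed lines."""
    nets = []
    for line in text.splitlines():
        try:
            nets.append(ipaddress.ip_network(line.strip(), strict=False))
        except ValueError:
            continue  # a blank, "#" or garbage line must not abort the run
    return nets

def gcloud_range_args(nets, per_rule):
    """Comma-joined --source-ranges values, one string per firewall rule."""
    return [",".join(map(str, nets[i:i + per_rule]))
            for i in range(0, len(nets), per_rule)]

def summarize_flows(lines, nets, probe_port=11):
    """Flows and bytes from listed ranges, plus probe-port hits from unlisted sources."""
    stats = {"listed_flows": 0, "listed_bytes": 0,
             "listed_by_port": Counter(), "unlisted_probe_sources": Counter()}
    for line in lines:
        payload = json.loads(line)["jsonPayload"]
        src = ipaddress.ip_address(payload["connection"]["src_ip"])
        port = int(payload["connection"]["dest_port"])
        if any(src in net for net in nets):
            stats["listed_flows"] += 1
            stats["listed_bytes"] += int(payload["bytes_sent"])
            stats["listed_by_port"][port] += 1
        elif port == probe_port:  # not on the list yet: candidate for the next update
            stats["unlisted_probe_sources"][str(src)] += 1
    return stats
```

On real data, feed the script the output of a Cloud Logging export of the VPC Flow Log entries instead of the constructed records.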