How to Restrict IP Access for GCP HTTP(S) Load Balancer Using Firewall Rules

When deploying an HTTP(S) load balancer on Google Cloud Platform, you might need to restrict access to specific IP ranges for security or compliance reasons. Unlike traditional Compute Engine instances where you can directly apply VPC firewall rules, load balancers require a different approach.

GCP doesn't allow direct VPC firewall rules on HTTP(S) load balancers. Instead, you need to use Cloud Armor security policies. Here's how to implement IP-based access control:


# Create a security policy
gcloud compute security-policies create restrict-ip-access \
    --description "Allow only specific IP ranges"

# Add rules to the policy
gcloud compute security-policies rules create 1000 \
    --security-policy restrict-ip-access \
    --src-ip-ranges "203.0.113.0/24,198.51.100.10/32" \
    --action "allow"

# Change the default rule to deny. Every security policy is created with a
# default rule at priority 2147483647 (action allow), so it is updated, not created
gcloud compute security-policies rules update 2147483647 \
    --security-policy restrict-ip-access \
    --action "deny-403" \
    --description "Default deny rule"

# Apply the policy to your backend service
gcloud compute backend-services update YOUR_BACKEND_SERVICE_NAME \
    --security-policy restrict-ip-access \
    --global

For more granular control beyond IP restrictions, consider using IAP:


# Enable IAP on your backend service
gcloud iap web enable --resource-type=backend-services \
    --service=YOUR_BACKEND_SERVICE_ID

# Add IAP members
gcloud iap web add-iam-policy-binding \
    --resource-type=backend-services \
    --service=YOUR_BACKEND_SERVICE_ID \
    --member='user:admin@example.com' \
    --role='roles/iap.httpsResourceAccessor'

If your restrictions aren't working:

  • Verify the policy is attached to the correct backend service
  • Check for conflicting rules in the security policy
  • Confirm the IP ranges are correctly formatted
  • Wait 5-10 minutes for changes to propagate

Set up logging to track allowed/blocked requests:


# Enable request logging on the backend service; Cloud Armor decisions are
# recorded in the load balancer's request logs (there is no --enable-logging
# flag on the security policy itself)
gcloud compute backend-services update YOUR_BACKEND_SERVICE_NAME \
    --enable-logging \
    --global

Then view logs in Cloud Logging with:


resource.type="http_load_balancer"
jsonPayload.enforcedSecurityPolicy.name="restrict-ip-access"

When using Google Cloud's HTTP(S) load balancer, you might need to restrict access to specific IP ranges for security or compliance reasons. Unlike traditional VM instances where you can directly apply VPC firewall rules, load balancers require a different approach.

GCP provides Cloud Armor as the security layer for load balancers. Here's how to implement IP-based restrictions:


# Create a security policy
gcloud compute security-policies create restrict-ips \
    --description "Allow only specific IP ranges"

# Add rules to the policy
gcloud compute security-policies rules create 1000 \
    --security-policy restrict-ips \
    --src-ip-ranges "203.0.113.0/24,198.51.100.0/24" \
    --action "allow"

# Change the default rule (priority 2147483647, the lowest precedence) to deny
# all; it is auto-created with action allow when the policy is created
gcloud compute security-policies rules update 2147483647 \
    --security-policy restrict-ips \
    --src-ip-ranges "*" \
    --action "deny-403"

# Apply the policy to your load balancer
gcloud compute backend-services update YOUR_BACKEND_SERVICE \
    --security-policy restrict-ips \
    --global

For web applications, you can combine Identity-Aware Proxy (IAP) with your load balancer:


# Enable IAP on your backend service
gcloud iap web enable --resource-type=backend-services \
    --service=YOUR_BACKEND_SERVICE_ID

# Configure IAP access
gcloud iap web add-iam-policy-binding \
    --resource-type=backend-services \
    --service=YOUR_BACKEND_SERVICE_ID \
    --member='user:admin@example.com' \
    --role='roles/iap.httpsResourceAccessor'

If your rules aren't working as expected:

  • Verify the policy is attached to the correct backend service
  • Check rule priorities (lower numbers execute first)
  • Ensure there's no conflicting organization policy
  • Test from both allowed and blocked IPs
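To see how rule priorities and the default rule combine before touching a live policy, here is an added Python model of Cloud Armor's first-match evaluation over the allowlist policy built above. It is illustration code written for this page, not Google's implementation; the policy contents and client IPs are constructed samples, and the deny actions listed are the ones the page uses.

```python
import ipaddress
from dataclasses import dataclass

# Cloud Armor evaluates rules in ascending priority order and enforces the
# first match. Priority 2147483647 is the default rule every policy is created
# with (action allow); it is changed with "rules update", never created anew.
DEFAULT_PRIORITY = 2147483647

@dataclass(frozen=True)
class Rule:
    priority: int
    action: str          # "allow" or a deny action such as "deny-403"
    src_ip_ranges: str   # the --src-ip-ranges value: comma-separated CIDRs, or "*"

def parse_ranges(spec: str) -> list:
    """Parse a --src-ip-ranges value. strict=True rejects a prefix with host
    bits set (e.g. 203.0.113.5/24), the kind of typo the checklist above warns about."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        ranges.append("*" if item == "*" else ipaddress.ip_network(item, strict=True))
    return ranges

def enforced_action(rules: list, client_ip: str) -> tuple:
    """Return (priority, action) of the rule that would be enforced for client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(rules, key=lambda r: r.priority):  # lower number first
        if any(net == "*" or ip in net for net in parse_ranges(rule.src_ip_ranges)):
            return rule.priority, rule.action
    raise ValueError("no rule matched; a real policy always has a default rule")

def default_rule_denies(rules: list) -> bool:
    """Check for the common mistake: allow rules were added but the auto-created
    default rule was left as allow, so the allowlist restricts nothing."""
    return any(r.priority == DEFAULT_PRIORITY and r.action.startswith("deny")
               for r in rules)

# Constructed sample mirroring the policy built above (listed out of order on
# purpose; evaluation sorts by priority, so list order does not matter).
RESTRICT_IP_ACCESS = [
    Rule(DEFAULT_PRIORITY, "deny-403", "*"),
    Rule(1000, "allow", "203.0.113.0/24,198.51.100.10/32"),
]
# Same allow rule, but the default rule was never changed from allow.
FORGOT_DEFAULT_DENY = [Rule(1000, "allow", "203.0.113.0/24"),
                       Rule(DEFAULT_PRIORITY, "allow", "*")]
```

Run `enforced_action(RESTRICT_IP_ACCESS, "198.51.100.11")` to see the off-by-one neighbour of the /32 fall through to the default deny, and `default_rule_denies(FORGOT_DEFAULT_DENY)` to catch the policy that only looks restricted.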

For systems requiring frequent IP updates, consider automating policy management:


#!/bin/bash
# Update the allow rule of the Cloud Armor policy with a new set of IP ranges
set -euo pipefail

NEW_IPS="203.0.113.0/24,198.51.100.0/24,192.0.2.0/24"

gcloud compute security-policies rules update 1000 \
    --security-policy restrict-ips \
    --src-ip-ranges="${NEW_IPS}" \
    --action "allow"