· İLİDYAN YAZILIM HİZMETLERİ LTD. ŞTİ · Cloud Security · 8 min read
How to Setup Rate Limiting Rules in Google Cloud Security Policy for Load Balancer Backends
Learn how to implement rate limiting using Google Cloud Security Policy and attach it to your load balancer backends to protect against traffic spikes and DDoS attacks.
Rate limiting is a crucial security mechanism that helps protect your applications from traffic spikes, DDoS attacks, and abuse. Google Cloud Security Policy (part of Cloud Armor) provides powerful rate limiting capabilities that can be easily integrated with your load balancer backends.
In this comprehensive guide, we’ll explore how to create and configure rate limiting rules using Google Cloud Security Policy and attach them to your load balancer backends for robust traffic management and security.
Understanding Google Cloud Security Policy
Google Cloud Security Policy is a security service that provides:
- DDoS Protection: Automatic protection against volumetric attacks
- Rate Limiting: Configurable rules to limit request rates
- Geographic Filtering: Block or allow traffic from specific regions
- IP Allowlisting/Denylisting: Control access based on IP addresses
- Custom Rules: Create complex security rules using expressions
Benefits of Rate Limiting
- Prevent Resource Exhaustion: Protect backend services from overload
- Cost Control: Manage compute and bandwidth costs
- Fair Usage: Ensure equitable resource distribution among users
- Security: Mitigate brute force attacks and abuse
- Performance: Maintain consistent application performance
Prerequisites
Before implementing rate limiting, ensure you have:
- A Google Cloud Project with billing enabled
- Compute Engine API enabled
- Cloud Armor API enabled
- An existing load balancer with backend services
- Appropriate IAM permissions (Security Admin, Compute Security Admin)
- Google Cloud SDK installed and configured
Step 1: Create a Security Policy
First, let’s create a basic security policy that will contain our rate limiting rules.
Using Google Cloud Console
- Navigate to Network Security > Cloud Armor in the Google Cloud Console
- Click Create Policy
- Enter a policy name (e.g.,
rate-limiting-policy) - Choose Backend security policy as the policy type
- Click Create
Using gcloud CLI
# Create a new security policy
gcloud compute security-policies create rate-limiting-policy \
--description="Security policy with rate limiting rules" \
--type=CLOUD_ARMORStep 2: Configure Rate Limiting Rules
Now let’s add rate limiting rules to our security policy. We’ll create different types of rules for various scenarios.
Basic Rate Limiting Rule
This rule limits requests per client IP address:
# Create a basic rate limiting rule
gcloud compute security-policies rules create 1000 \
--security-policy=rate-limiting-policy \
--expression="true" \
--action=rate-based-ban \
--rate-limit-threshold-count=100 \
--rate-limit-threshold-interval-sec=60 \
--ban-duration-sec=600 \
--conform-action=allow \
--exceed-action=deny-429 \
--enforce-on-key=IPAdvanced Rate Limiting with Custom Expression
For more granular control, you can use custom expressions:
# Rate limiting for specific paths
gcloud compute security-policies rules create 2000 \
--security-policy=rate-limiting-policy \
--expression="request.path.matches('/api/.*')" \
--action=rate-based-ban \
--rate-limit-threshold-count=50 \
--rate-limit-threshold-interval-sec=60 \
--ban-duration-sec=300 \
--conform-action=allow \
--exceed-action=deny-429 \
--enforce-on-key=IPRate Limiting by User Agent
Limit requests based on user agent patterns:
# Rate limiting for specific user agents
gcloud compute security-policies rules create 3000 \
--security-policy=rate-limiting-policy \
--expression="has(request.headers['user-agent']) && request.headers['user-agent'].matches('.*bot.*')" \
--action=rate-based-ban \
--rate-limit-threshold-count=10 \
--rate-limit-threshold-interval-sec=60 \
--ban-duration-sec=1800 \
--conform-action=allow \
--exceed-action=deny-429 \
--enforce-on-key=IPRate Limiting by HTTP Method
Different limits for different HTTP methods:
# Stricter limits for POST requests
gcloud compute security-policies rules create 4000 \
--security-policy=rate-limiting-policy \
--expression="request.method == 'POST'" \
--action=rate-based-ban \
--rate-limit-threshold-count=20 \
--rate-limit-threshold-interval-sec=60 \
--ban-duration-sec=900 \
--conform-action=allow \
--exceed-action=deny-429 \
--enforce-on-key=IPStep 3: Configure Advanced Rate Limiting Options
Enforce on Key Options
You can enforce rate limiting based on different keys:
- IP: Per client IP address (default)
- HTTP_HEADER: Based on specific HTTP headers
- XFF_IP: Using X-Forwarded-For header
- HTTP_COOKIE: Based on cookie values
- HTTP_PATH: Based on request path
- SNI: Based on Server Name Indication
Example with HTTP header enforcement:
# Rate limiting based on API key header
gcloud compute security-policies rules create 5000 \
--security-policy=rate-limiting-policy \
--expression="has(request.headers['x-api-key'])" \
--action=rate-based-ban \
--rate-limit-threshold-count=1000 \
--rate-limit-threshold-interval-sec=3600 \
--ban-duration-sec=3600 \
--conform-action=allow \
--exceed-action=deny-429 \
--enforce-on-key=HTTP_HEADER \
--enforce-on-key-name="x-api-key"Exceed Actions
Configure what happens when rate limits are exceeded:
- deny-429: Return HTTP 429 (Too Many Requests)
- deny-403: Return HTTP 403 (Forbidden)
- deny-404: Return HTTP 404 (Not Found)
- deny-502: Return HTTP 502 (Bad Gateway)
Conform Actions
Configure what happens when requests are within limits:
- allow: Allow the request to proceed
- deny-XXX: Deny with specific HTTP status code
Step 4: Create Adaptive Protection Rules
Google Cloud also offers adaptive protection that automatically adjusts to traffic patterns:
# Enable adaptive protection
gcloud compute security-policies update rate-limiting-policy \
--enable-layer7-ddos-defense \
--layer7-ddos-defense-rule-visibility=STANDARDStep 5: Attach Security Policy to Backend Service
Now let’s attach our security policy to a backend service:
Using gcloud CLI
# Attach security policy to backend service
gcloud compute backend-services update my-backend-service \
--global \
--security-policy=rate-limiting-policyVerify Attachment
# Verify the security policy is attached
gcloud compute backend-services describe my-backend-service \
--global \
--format="value(securityPolicy)"Step 6: Configure Multiple Backend Services
If you have multiple backend services, you can attach the same policy or create specific policies:
# Attach to multiple backend services
gcloud compute backend-services update api-backend-service \
--global \
--security-policy=rate-limiting-policy
gcloud compute backend-services update web-backend-service \
--global \
--security-policy=rate-limiting-policyStep 7: Monitor and Test Rate Limiting
Testing Rate Limiting
Use tools like curl or ab (Apache Bench) to test your rate limiting:
# Test with curl in a loop
for i in {1..150}; do
curl -w "%{http_code}\n" -o /dev/null -s https://your-domain.com/api/test
sleep 0.1
done# Test with Apache Bench
ab -n 200 -c 10 https://your-domain.com/api/testMonitoring in Cloud Console
- Navigate to Network Security > Cloud Armor
- Click on your security policy
- View the Monitoring tab for:
- Request volume
- Blocked requests
- Rule matches
- Geographic distribution
Using Cloud Monitoring
Set up alerts for rate limiting events:
# Create an alerting policy for rate limiting
gcloud alpha monitoring policies create \
--policy-from-file=rate-limit-alert-policy.yamlExample alert policy YAML:
displayName: "Rate Limiting Alert"
conditions:
- displayName: "High rate limiting activity"
conditionThreshold:
filter: 'resource.type="gce_backend_service" AND metric.type="loadbalancing.googleapis.com/https/backend_request_count"'
comparison: COMPARISON_GREATER_THAN
thresholdValue: 1000
duration: 300s
notificationChannels:
- "projects/PROJECT_ID/notificationChannels/CHANNEL_ID"Step 8: Advanced Configuration Examples
Geographic Rate Limiting
Combine geographic filtering with rate limiting:
# Different rate limits for different regions
gcloud compute security-policies rules create 6000 \
--security-policy=rate-limiting-policy \
--expression="origin.region_code == 'US'" \
--action=rate-based-ban \
--rate-limit-threshold-count=200 \
--rate-limit-threshold-interval-sec=60 \
--ban-duration-sec=300 \
--conform-action=allow \
--exceed-action=deny-429 \
--enforce-on-key=IPTime-based Rate Limiting
Create rules that apply during specific time periods:
# Higher limits during business hours
gcloud compute security-policies rules create 7000 \
--security-policy=rate-limiting-policy \
--expression="request.time.getHours() >= 9 && request.time.getHours() <= 17" \
--action=rate-based-ban \
--rate-limit-threshold-count=500 \
--rate-limit-threshold-interval-sec=60 \
--ban-duration-sec=180 \
--conform-action=allow \
--exceed-action=deny-429 \
--enforce-on-key=IPCustom Response for Rate Limiting
Configure custom responses when rate limits are exceeded:
# Create a custom error page
gcloud compute security-policies rules create 8000 \
--security-policy=rate-limiting-policy \
--expression="true" \
--action=rate-based-ban \
--rate-limit-threshold-count=100 \
--rate-limit-threshold-interval-sec=60 \
--ban-duration-sec=600 \
--conform-action=allow \
--exceed-action=deny-429 \
--enforce-on-key=IP \
--rate-limit-exceed-redirect-type=EXTERNAL_302 \
--rate-limit-exceed-redirect-target="https://your-domain.com/rate-limited"Best Practices
1. Start Conservative
Begin with higher thresholds and gradually tighten based on traffic patterns:
# Initial conservative rule
--rate-limit-threshold-count=1000
--rate-limit-threshold-interval-sec=602. Use Appropriate Ban Durations
- Short bans (60-300s): For legitimate traffic spikes
- Medium bans (300-1800s): For suspicious activity
- Long bans (1800s+): For clear abuse patterns
3. Implement Graduated Response
Create multiple rules with increasing severity:
# Warning rule (priority 1000)
--rate-limit-threshold-count=80
--exceed-action=allow # Log but don't block
# Blocking rule (priority 2000)
--rate-limit-threshold-count=100
--exceed-action=deny-4294. Monitor and Adjust
Regularly review rate limiting metrics and adjust thresholds:
- Monitor false positives
- Analyze traffic patterns
- Adjust based on business requirements
- Consider seasonal variations
5. Whitelist Critical IPs
Exclude critical services from rate limiting:
# Whitelist monitoring services
gcloud compute security-policies rules create 100 \
--security-policy=rate-limiting-policy \
--expression="inIpRange(origin.ip, '203.0.113.0/24')" \
--action=allowTroubleshooting Common Issues
1. Rate Limiting Not Working
Check:
- Security policy is attached to backend service
- Rules are properly configured
- Priority order is correct
- Expressions are valid
# Verify policy attachment
gcloud compute backend-services describe BACKEND_SERVICE \
--global \
--format="value(securityPolicy)"2. False Positives
Solutions:
- Increase thresholds
- Adjust time windows
- Use more specific expressions
- Implement whitelisting
3. Performance Impact
Optimization:
- Use efficient expressions
- Minimize rule complexity
- Consider rule priority order
- Monitor latency metrics
4. Logging and Debugging
Enable detailed logging:
# Enable security policy logging
gcloud compute security-policies update rate-limiting-policy \
--enable-logging \
--log-level=VERBOSEIntegration with Other Services
Cloud CDN
Combine with Cloud CDN for better performance:
# Enable Cloud CDN on backend service
gcloud compute backend-services update my-backend-service \
--global \
--enable-cdn \
--cache-mode=CACHE_ALL_STATICCloud Monitoring
Set up comprehensive monitoring:
# Create custom metrics for rate limiting
gcloud logging metrics create rate_limit_exceeded \
--description="Rate limit exceeded events" \
--log-filter='resource.type="gce_backend_service" AND jsonPayload.enforcedSecurityPolicy.name="rate-limiting-policy"'Alerting
Configure alerts for rate limiting events:
# Alert policy for excessive rate limiting
displayName: "Excessive Rate Limiting"
conditions:
- displayName: "High rate limit blocks"
conditionThreshold:
filter: 'metric.type="logging.googleapis.com/user/rate_limit_exceeded"'
comparison: COMPARISON_GREATER_THAN
thresholdValue: 100
duration: 300sSecurity Considerations
1. DDoS Protection
Rate limiting is part of a comprehensive DDoS protection strategy:
- Enable adaptive protection
- Use geographic filtering
- Implement IP reputation rules
- Monitor for attack patterns
2. Application-Level Protection
Combine with application-level rate limiting:
- API gateway rate limiting
- Database connection limits
- Application-specific throttling
- Circuit breaker patterns
3. Compliance
Ensure rate limiting meets compliance requirements:
- Log retention policies
- Data privacy considerations
- Audit trail requirements
- Incident response procedures
Cost Optimization
1. Rule Efficiency
Optimize rules for cost and performance:
- Use specific expressions
- Minimize rule complexity
- Consider rule evaluation order
- Regular rule cleanup
2. Monitoring Costs
Monitor Cloud Armor costs:
- Request volume charges
- Rule evaluation costs
- Logging expenses
- Storage costs
Conclusion
Implementing rate limiting with Google Cloud Security Policy provides robust protection against traffic abuse while maintaining application performance. The combination of flexible rule configuration, multiple enforcement options, and comprehensive monitoring makes it an essential tool for modern cloud applications.
Key takeaways:
- Start Conservative: Begin with higher thresholds and adjust based on data
- Monitor Continuously: Regular monitoring prevents false positives
- Layer Security: Combine with other security measures for comprehensive protection
- Test Thoroughly: Validate rate limiting behavior before production deployment
By following this guide, you’ll have a production-ready rate limiting solution that protects your applications while providing the flexibility to adapt to changing traffic patterns.
Remember to regularly review and update your rate limiting rules based on traffic analysis, security threats, and business requirements. Rate limiting is not a set-and-forget solution but requires ongoing optimization and monitoring.
Additional Resources
- Google Cloud Armor Documentation
- Security Policy Rules Reference
- Rate Limiting Best Practices
- Cloud Armor Monitoring
- DDoS Protection Guide
For enterprise-grade security implementations, consider working with Google Cloud security specialists to design comprehensive protection strategies tailored to your specific requirements and threat landscape.
