
I have deployed the Nginx Controller via an External Passthrough LoadBalancer in GCP. I want to attach a Cloud Armor Security Policy to the LoadBalancer. According to the BackendConfig documentation, it looks like it only supports HTTP LoadBalancers configured via an Ingress resource. What I want to confirm is: if I add the cloud.google.com/backend-config annotation to the Nginx Controller service, will it attach to the Cloud Armor Security Policy I have configured?

I have tried this, but the backend service doesn't seem to take effect.

2 Answers


  1. Passthrough load balancers by definition won't work, because Google is just forwarding the traffic and there's no proxy to which the security policy can be attached.

  2. External passthrough Network Load Balancers are not proxies, and GKE Ingresses use a proxy-based HTTP(S) Load Balancer. Currently, Cloud Armor can only be integrated with the HTTP(S) Load Balancer. It allows you to apply security policies directly to your load balancer, effectively protecting all applications served behind it.

    Google Cloud Armor protects your applications and websites against denial-of-service and web attacks. Since GKE Ingresses use proxy-based Google Cloud HTTP(S) Load Balancers, protection against L3 and L4 DDoS attacks is enabled by default.

    Applications can also be protected with Layer 7 filtering by using Google Cloud Armor security policies. Once a Google Cloud Armor security policy is configured, it can be used to protect services associated with a given Ingress. Google Cloud Armor supports advanced network DDoS protection for external passthrough Network Load Balancers. For more information, see Configure advanced network DDoS protection.

    You can refer to the GitHub documentation for setting up GKE Ingress with Google Cloud Armor protection.

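For reference, the pattern the second answer describes, as an added example that is not part of the original question or either answer: a BackendConfig that names an existing Cloud Armor security policy, a Service that references the BackendConfig through the cloud.google.com/backend-config annotation, and a GCE Ingress that fronts that Service with a proxy-based HTTP(S) load balancer. The names (web, web-backendconfig, web-armor-policy, web-ingress) and the port numbers are assumptions for illustration; the security policy itself is assumed to have been created beforehand with gcloud, since GKE only references it by name. The contrast with the question's setup is the Service type: a type LoadBalancer Service creates a passthrough Network Load Balancer, where the annotation is ignored because there is no proxy-based backend service for the BackendConfig controller to configure.

```yaml
# Added example, not code from the original post. Names and ports are assumptions.
# Assumes the Cloud Armor policy "web-armor-policy" already exists in the project.
---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: web-backendconfig
  namespace: default
spec:
  securityPolicy:
    name: web-armor-policy   # existing Cloud Armor backend security policy (by name)
---
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: default
  annotations:
    # Applies the BackendConfig to the backend service the Ingress creates for
    # this Service. "default" covers every port; a per-port map such as
    # {"ports": {"80": "web-backendconfig"}} is also accepted.
    cloud.google.com/backend-config: '{"default": "web-backendconfig"}'
    # Container-native load balancing (NEGs); lets the Service stay ClusterIP.
    cloud.google.com/neg: '{"ingress": true}'
spec:
  # NOT type: LoadBalancer. That would create a passthrough Network Load
  # Balancer, which has no proxy and silently ignores the annotation above.
  type: ClusterIP
  selector:
    app: web
  ports:
  - name: http
    port: 80
    targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "gce"   # external, proxy-based HTTP(S) load balancer
spec:
  defaultBackend:
    service:
      name: web
      port:
        number: 80
```

To check that the policy actually landed, read the backend service name from the Ingress (kubectl describe ingress web-ingress lists it in the annotations and events) and confirm that gcloud compute backend-services describe that-name --global --format='value(securityPolicy)' prints the policy's self-link; an empty value means the BackendConfig was not applied, which is what happens when the annotated Service is only reachable through a passthrough load balancer.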