Project: Deploy a Web Application with a WAF on GCP
Scenario
A small startup recently launched its first web application hosted on Google Cloud Platform (GCP). However, due to insufficient security measures, the app became vulnerable to attacks like SQL injection and cross-site scripting (XSS).
Now, the startup aims to enhance its application security by configuring Google Cloud Armor, GCP’s Web Application Firewall (WAF), to safeguard against common web threats.
Lab Objectives
In this project, you will:
- Launch a Virtual Machine (VM) to Host a Web Application.
- Set Up a Load Balancer with Cloud Armor.
- Configure Cloud Armor WAF Rules to Protect Against SQL Injection and XSS.
- Simulate Attacks to Test WAF Rules.
- Monitor Cloud Armor Logs for Insights.
Exercise 1: Launch a Virtual Machine to Host the Web Application
Objective
Deploy a simple web app hosted on a Compute Engine (GCE) instance.
Estimated Timing: 10-15 minutes
Step 1: Create a Compute Engine Virtual Machine (VM)
- Navigate to the GCP Console.
- Go to Compute Engine > VM Instances and click Create Instance.
- Configure the instance:
  - Name: demo-web-app.
  - Region: Choose a preferred region (e.g., us-central1).
  - Machine Type: e2-micro (Free Tier eligible).
  - Boot Disk: Use the Debian GNU/Linux image.
  - Firewall: tick Allow HTTP traffic. This creates a firewall rule that admits TCP port 80 from any source to instances tagged http-server, which is also what lets the load balancer health checks reach the VM later. Allow HTTPS traffic is optional here, since the lab serves plain HTTP.
- Click Create and wait for the VM to initialize.
Step 2: Deploy the Web Application
- Connect to the VM via SSH from the GCP Console.
- Install the Apache web server and make sure it is running now and after a reboot:
sudo apt update
sudo apt install apache2 -y
sudo systemctl enable --now apache2
- Create a simple HTML page:
echo "<h1>Welcome to the GCP Demo Web App</h1>" | sudo tee /var/www/html/index.html
- Verify the deployment by visiting the external IP of the VM in your browser (e.g., http://<external-ip>). The page is static, so the app has no /login or search handler of its own; Cloud Armor inspects requests before they reach Apache, which is all the later exercises need.
Exercise 2: Set Up a Load Balancer with Cloud Armor
Objective
Deploy a global external Application Load Balancer (the HTTP(S) Load Balancer) to route traffic to your web app and attach a Cloud Armor backend security policy to its backend service for WAF capabilities.
Estimated Timing: 20 minutes
Step 1: Create a Load Balancer
- Go to Network Services > Load Balancing in the GCP Console.
- Click Create Load Balancer and choose the global external Application Load Balancer (labelled HTTP(S) Load Balancer in older console versions). This is the load balancer type Cloud Armor backend security policies are built for.
- Configure the frontend:
  - Name: demo-lb.
  - Protocol: HTTP on port 80 (plain HTTP keeps the probes in Exercise 4 simple).
- Configure the backend:
  - Instance Group: create an unmanaged instance group in the VM's zone containing the VM from Exercise 1, with a named port http mapped to 80, and use it as the backend of a new backend service.
  - Health Check: configure a basic HTTP health check on port 80, path /. The Allow HTTP rule from Exercise 1 already admits the Google health-check and proxy ranges 130.211.0.0/22 and 35.191.0.0/16.
- Review and click Create. The forwarding rule's IP address can take a few minutes before it starts returning the page.
- Note: the VM's own external IP still serves the site directly, bypassing the load balancer and therefore the WAF. For anything beyond a lab, remove the external IP or restrict the http-server firewall rule to the two Google ranges above.
Step 2: Attach Cloud Armor to the Load Balancer
- Navigate to Security > Cloud Armor and click Create Policy.
- Name the policy demo-waf-policy, choose the Backend security policy type, and leave the default rule action as Allow; the WAF rules added in Exercise 3 will sit above it.
- Associate the policy with your load balancer. A backend security policy is applied to the backend service, not to the frontend, so on the policy's Targets tab add the backend service created in Step 1.
Exercise 3: Configure Cloud Armor WAF Rules to Protect Against SQL Injection and XSS
Objective
Protect the web application using Cloud Armor rules for SQL injection and XSS.
Estimated Timing: 15 minutes
Step 1: Add Preconfigured WAF Rules
- Open your demo-waf-policy in Cloud Armor and add a rule with a priority lower than the default rule (priority 2147483647, which stays at Allow).
- SQL Injection: in Advanced mode, use the preconfigured rule set sqli-v33-stable with the expression evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1}). These are the OWASP ModSecurity Core Rule Set SQLi signatures; sensitivity 1 enables only the paranoia-level-1 signatures and produces the fewest false positives.
- XSS Attack: add a second rule with the expression evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1}).
- Set the action on both rules to Deny (403) so matching requests are answered with 403 Forbidden. Each rule also has a Preview option that logs matches without blocking; use it when rolling out against real traffic, but for this lab leave it off so the blocks in Exercise 4 are visible.
- Save your changes.
Step 2: Enable Logging for Cloud Armor
- Cloud Armor decisions are written as part of the load balancer's request logs, not in a separate log, so logging must be enabled on the backend service: edit the backend service, enable Logging, and use a sample rate of 1.0 for the lab.
- In the policy's advanced settings, set the log level to Verbose so each log entry also records which signature IDs matched.
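The gcloud equivalent of Exercise 2 Step 2 and this exercise, as an added example that is not part of the original lab: it creates the policy, adds the two preconfigured WAF rules with a deny-403 action, sets verbose policy logging, attaches the policy to the backend service and enables request logging on that backend. The backend service name demo-backend is an assumption (use whatever name the console gave it in Exercise 2), and setting PREVIEW=1 adds --preview so the rules log matches without blocking.

```sh
#!/bin/sh
# Added example, not part of the original lab. Assumes an existing global backend
# service (demo-backend is an assumed name) and a gcloud session allowed to manage
# Cloud Armor and load balancer resources.
set -eu

POLICY="${POLICY:-demo-waf-policy}"
BACKEND="${BACKEND:-demo-backend}"
PREVIEW="${PREVIEW:-}"     # set to 1 to log matches without denying them

# CEL expression for a Cloud Armor preconfigured WAF rule set (OWASP CRS 3.3).
# Sensitivity 1 enables only paranoia-level-1 signatures: fewest false positives.
waf_rule_expression() {  # waf_rule_expression RULESET SENSITIVITY
  printf "evaluatePreconfiguredWaf('%s', {'sensitivity': %s})" "$1" "$2"
}

# Lower priority number wins. The default rule (priority 2147483647) stays Allow,
# so only requests matching a signature are denied.
deploy_waf_policy() {
  gcloud compute security-policies create "$POLICY" \
    --description "Demo WAF: OWASP CRS SQLi and XSS signatures"

  gcloud compute security-policies rules create 1000 \
    --security-policy "$POLICY" \
    --expression "$(waf_rule_expression sqli-v33-stable 1)" \
    --action deny-403 ${PREVIEW:+--preview} \
    --description "Block SQL injection"

  gcloud compute security-policies rules create 1001 \
    --security-policy "$POLICY" \
    --expression "$(waf_rule_expression xss-v33-stable 1)" \
    --action deny-403 ${PREVIEW:+--preview} \
    --description "Block cross-site scripting"

  # Verbose logging records the matched signature IDs on each log entry.
  gcloud compute security-policies update "$POLICY" --log-level VERBOSE

  # A backend security policy attaches to the backend service, not the frontend.
  gcloud compute backend-services update "$BACKEND" --global \
    --security-policy "$POLICY"

  # Cloud Armor decisions are only visible if the backend service writes request logs.
  gcloud compute backend-services update "$BACKEND" --global \
    --enable-logging --logging-sample-rate 1.0
}

case "${1:-}" in
  deploy) deploy_waf_policy ;;
  *) echo "usage: BACKEND=<backend-service> $0 deploy" >&2 ;;
esac
```

Run it as BACKEND=<backend-service> sh deploy-waf.sh deploy. Keeping the rule expression in a function makes it easy to add the other CRS rule sets (lfi-v33-stable, rce-v33-stable, and so on) at further priorities, and to raise sensitivity later once the logs show the paranoia-level-1 signatures are clean.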
Exercise 4: Simulate Attacks to Test WAF Rules
Objective
Verify Cloud Armor’s effectiveness by simulating malicious requests.
Estimated Timing: 20 minutes
Step 1: Simulate SQL Injection
- Use curl (or a tool like Postman) to send an HTTP request with a SQL injection payload in the form body:
curl -i -X POST "http://<load-balancer-ip>/login" \
  -d "username=' OR 1=1; --"
- Verify that the request is blocked and returns a 403 Forbidden response from Cloud Armor. A 404 means Apache answered (the demo site has no /login page), which proves the request was not blocked.
Step 2: Simulate Cross-Site Scripting (XSS)
- Send a GET request with an XSS payload in the query string. Let curl URL-encode the parameter so the shell never sees a bare < or >, which it would otherwise treat as redirections:
curl -i -G "http://<load-balancer-ip>/" --data-urlencode "search=<script>alert('XSS')</script>"
- Confirm that the WAF blocks the request with 403. Then send a benign control request (e.g., search=hello) and confirm it returns 200, so you know the deny is driven by the signatures and not by a policy that rejects everything.
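The probes from this exercise as a repeatable test suite, added here as an example that is not part of the original lab. It quotes the payloads so the shell never sees a bare < or >, adds a second XSS vector and a benign control request, and classifies each response: 403 is a Cloud Armor deny, while 200 or 404 means Apache answered and the WAF did not block. The load balancer address is read from an LB_IP environment variable (an assumed name; the original uses the placeholder <load-balancer-ip>).

```sh
#!/bin/sh
# Added example, not part of the original lab. Sends the Exercise 4 probes through
# the load balancer and classifies each answer. LB_IP is an assumed variable name.
set -eu

# Map an HTTP status to what it means for the WAF test. deny-403 is the action set
# in Exercise 3; 200/404 come from Apache (there is no /login on the demo site), so
# either proves the request was not blocked. 000 is curl's code for no response.
classify_status() {  # classify_status HTTP_CODE
  case "$1" in
    403) echo BLOCKED ;;
    200|404) echo PASSED_THROUGH ;;
    000) echo NO_RESPONSE ;;
    *) echo "OTHER_$1" ;;
  esac
}

# One probe, printing only the status code. --data-urlencode encodes the payload,
# so < and > never reach the shell unquoted (where they would be redirections);
# -G puts it in the query string for GET, otherwise it becomes the POST body.
probe() {  # probe METHOD URL FIELD=PAYLOAD
  if [ "$1" = GET ]; then
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' -G "$2" --data-urlencode "$3"
  else
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$2" --data-urlencode "$3"
  fi
}

# Probe table: METHOD|PATH|FIELD=PAYLOAD|EXPECTED. The last row is a benign control
# that must pass, otherwise the policy is blocking everything rather than matching.
probe_cases() {
  cat <<'EOF'
POST|/login|username=' OR 1=1; --|BLOCKED
GET|/|search=<script>alert('XSS')</script>|BLOCKED
GET|/|search=<img src=x onerror=alert(1)>|BLOCKED
GET|/|search=cloud armor demo|PASSED_THROUGH
EOF
}

# Run every probe against BASE_URL; the return value is the number of mismatches.
run_suite() {  # run_suite BASE_URL
  failures=0
  while IFS='|' read -r method path kv expect; do
    code=$(probe "$method" "$1$path" "$kv")
    got=$(classify_status "$code")
    printf '%-4s %-6s %-40s -> %s %s\n' "$method" "$path" "$kv" "$code" "$got"
    [ "$got" = "$expect" ] || failures=$((failures + 1))
  done <<EOF
$(probe_cases)
EOF
  return "$failures"
}

# Usage: LB_IP=203.0.113.10 sh waf-probe.sh
if [ -n "${LB_IP:-}" ]; then
  run_suite "http://$LB_IP"
fi
```

The script exits non-zero when any row does not match its expectation, which makes it usable as a post-deployment check: a rule accidentally left in Preview mode shows up as PASSED_THROUGH on the attack rows, and an over-broad custom rule shows up as BLOCKED on the control row.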
Exercise 5: Monitor Cloud Armor Logs for Insights
Objective
Analyze Cloud Armor logs to review blocked threats and refine WAF rules.
Estimated Timing: 15 minutes
Step 1: Open the Load Balancer Logs in Cloud Logging
- Go to Logging > Logs Explorer in the GCP Console.
- Filter on the resource type http_load_balancer. Cloud Armor does not write a log stream of its own; each decision is attached to the load balancer request log entry under jsonPayload.enforcedSecurityPolicy, which is why logging had to be enabled on the backend service in Exercise 3.
Step 2: Analyze the Logs
- Narrow the filter to entries where jsonPayload.enforcedSecurityPolicy.name is demo-waf-policy and jsonPayload.enforcedSecurityPolicy.outcome is DENY, then examine details like:
  - the client address (jsonPayload.remoteIp) and the request (httpRequest.requestMethod, httpRequest.requestUrl);
  - which rule fired (enforcedSecurityPolicy.priority and configuredAction) and, with verbose logging, the matched signature IDs (enforcedSecurityPolicy.preconfiguredExprIds);
  - the response status (httpRequest.status), which should be 403 for the probes from Exercise 4.
- A probe you expected to be blocked that shows outcome ACCEPT means the rule did not match (wrong sensitivity, or the rule is in preview, in which case the would-be decision appears under jsonPayload.previewSecurityPolicy instead). A benign request showing DENY is a false positive. Use both to tune rule priorities and sensitivity before raising the sensitivity level.
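An added example (not part of the original lab) for pulling the DENY decisions out of the load balancer logs with gcloud and summarizing them by rule priority and matched signature, which is the view needed to judge whether a rule is firing as intended or producing false positives. deny_filter prints the same filter string you would paste into Logs Explorer. sample_denies is constructed data in the real field layout, not real log output, so the summary runs offline; the preconfiguredExprIds column is only populated when the policy's log level is Verbose.

```sh
#!/bin/sh
# Added example, not part of the original lab. The live path needs gcloud auth;
# the sample path runs offline on constructed data.
set -eu

POLICY="${POLICY:-demo-waf-policy}"
TAB="$(printf '\t')"

# Logs Explorer filter: Cloud Armor has no log stream of its own; each decision is
# attached to the http_load_balancer request log under jsonPayload.enforcedSecurityPolicy.
deny_filter() {  # deny_filter POLICY_NAME
  printf 'resource.type="http_load_balancer" jsonPayload.enforcedSecurityPolicy.name="%s" jsonPayload.enforcedSecurityPolicy.outcome="DENY"' "$1"
}

# Recent denies as tab-separated lines: client IP, rule priority, matched signature
# IDs (gcloud joins list-valued fields with ';' in value() format).
fetch_denies() {
  gcloud logging read "$(deny_filter "$POLICY")" --limit 500 --format \
    'value(jsonPayload.remoteIp,jsonPayload.enforcedSecurityPolicy.priority,jsonPayload.enforcedSecurityPolicy.preconfiguredExprIds)'
}

# Constructed sample in the same layout (not real log data): two clients tripping
# the SQLi rule (priority 1000) and one of them also tripping the XSS rule (1001).
sample_denies() {
  printf '198.51.100.7\t1000\towasp-crs-v030301-id942100-sqli\n'
  printf '198.51.100.7\t1001\towasp-crs-v030301-id941100-xss;owasp-crs-v030301-id941110-xss\n'
  printf '203.0.113.5\t1000\towasp-crs-v030301-id942100-sqli\n'
}

# Aggregate stdin into "count<TAB>priority<TAB>signatures", most frequent first.
summarize_denies() {
  awk -F '\t' 'NF >= 2 { k = $2 "\t" $3; n[k]++ } END { for (k in n) print n[k] "\t" k }' |
    sort -t "$TAB" -k1,1nr -k2,2n
}

# Distinct client IPs that hit a given rule priority: the input for deciding on an
# IP deny or rate-based ban placed ahead of the WAF rules.
sources_for_priority() {  # sources_for_priority PRIORITY < lines
  awk -F '\t' -v p="$1" '$2 == p { print $1 }' | sort -u
}

# Usage: sh waf-logs.sh live   (no argument runs the offline sample)
if [ "${1:-}" = live ]; then
  fetch_denies | summarize_denies
else
  sample_denies | summarize_denies
fi
```

With the Exercise 4 probes just sent, the live summary should show one row per rule priority, each carrying the signature IDs that matched; a signature ID that also appears on requests from the control traffic is the one to examine before raising sensitivity.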
Side Task: Once done, take a screenshot of the completed task and upload it on LinkedIn, including the hashtags #cloudprojectwithcyberpreacher and #CPwCP, while sharing your experiences around the project.
Note: Delete every resource created during this project (the load balancer and its forwarding rule, backend service, health check, instance group, Cloud Armor policy, firewall rules, and the VM) to avoid ongoing charges.