Integrate the GCP Callout Enforcer

If your organization uses Google Cloud, you can use HUMAN's Google Cloud Provider (GCP) Callout Enforcer to protect against malicious behavior. The Enforcer is implemented in two phases:

  1. Integrate your GCP Load Balancer (LB) with the Enforcer via GCP commands
  2. Configure the Enforcer's settings and behavior

Prerequisites

  • Appropriate permissions in GCP to:
    • Create Network Endpoint Groups (NEGs) for each necessary region
    • Manage Load Balancers
  • A Load Balancer type supported by Google Service Extensions, which are:
    • External Application Load Balancers
    • Internal Application Load Balancers
  • The following items provided by HUMAN. Contact us if you have not received these already.
    • A service link for your region
    • An enforcer.yaml file
    • Your remote_config_auth_token value
  • Your unique HUMAN information:
    • Your Application ID. You can find this under Platform Settings > Applications > Overview in the HUMAN console. If you have multiple environments, you will also have multiple Application IDs, so be sure to choose the correct ID for the environment you want to install on.
    • Your Server Token. You can find this under Platform Settings > Applications > Status & Settings > Server Token.
    • Your Risk Cookie Key. You can find this under Bot Defender > Policies > Policy Settings > Policy Information.
    • Your Remote Config Auth Token.

Integrate the GCP Load Balancer

To start, you must create an NEG and a regional backend service for each supported region to provide the Enforcer service to your LB. You can complete this with the following gcloud commands.

  1. Create the NEG with the following command:

    gcloud compute network-endpoint-groups create neg-enforcer-us-west-1 \
        --project $CUSTOMER_PROJECT \
        --region us-west1 \
        --network-endpoint-type=private-service-connect \
        --psc-target-service=$HUMAN_PSC_ENDPOINT

  2. Create the regional backend service with the following commands:

    gcloud compute backend-services create psc-svc-ext-backend \
        --load-balancing-scheme EXTERNAL_MANAGED \
        --enable-logging \
        --protocol HTTP2 \
        --project $CUSTOMER_PROJECT \
        --region us-west1

    gcloud compute backend-services add-backend psc-svc-ext-backend \
        --project $CUSTOMER_PROJECT \
        --network-endpoint-group neg-enforcer-us-west-1 \
        --network-endpoint-group-region us-west1

  3. Repeat the steps for any additional regions you need to support.

Configure the Enforcer

  1. From the Google Cloud console, get the LB forwarding rule link with the following command:
    • Replace [FORWARDING-RULE] with your forwarding rule name
    • Replace [REGION] with the LB's region
    • Replace [PROJECT] with the LB's project

    gcloud compute forwarding-rules describe [FORWARDING-RULE] --region=[REGION] --project=[PROJECT] --format='value(selfLink)'

  2. Copy and save the selfLink value that appears.
  3. Get the regional backend service link with the following command:
    • Replace [BACKEND] with the regional backend service name
    • Replace [REGION] with the LB's region
    • Replace [PROJECT] with the LB's project

    gcloud compute backend-services describe [BACKEND] --region=[REGION] --project=[PROJECT] --format='value(selfLink)'

  4. Copy and save the selfLink value that appears.
  5. Update the enforcer.yaml file with the following:
    • Replace the forwardingRules value with the LB forwarding rule link you saved in Step 2.
    • Replace the service value with the regional backend service link you saved in Step 4.
    • Update the metadata section with the following:
      • app_id: Your HUMAN Application ID
      • auth_token: Your HUMAN server token
      • cookie_secret: Your HUMAN risk cookie key
      • remote_config_auth_token: The token provided by HUMAN that authenticates the Enforcer to the HUMAN Remote Configuration UI. For now, HUMAN will set up your Enforcer configuration.
    • Update the celExpression section to control which requests are sent to the Enforcer, including or excluding specific requests as needed. See Google's CEL matcher language reference for more information.
name: traffic-ext
loadBalancingScheme: EXTERNAL_MANAGED
forwardingRules:
  - https://www.googleapis.com/compute/v1/projects/... # replace with the LB forwarding rule link
extensionChains:
  - name: "human-enforcer"
    matchedCondition:
      celExpression: 'request.path.startsWith("/")'
    extensions:
    - name: 'human-enforcer-extension'
      authority: humansecurity.com
      service: https://www.googleapis.com/compute/v1/projects/... # replace with HUMAN service URL
      failOpen: false
      timeout: 1s
      supportedEvents:
        - REQUEST_HEADERS
metadata:
  app_id: "REPLACE" # your application ID
  auth_token: "REPLACE" # your server token
  cookie_secret: "REPLACE" # your risk cookie key
  remote_config_auth_token: "REPLACE" # your remote configuration token
  6. Configure the HUMAN Enforcer traffic extension with the following gcloud command:
    • Replace [REGION] with the LB's region
    • Replace [PROJECT] with the LB's project

    gcloud service-extensions lb-traffic-extensions import traffic-ext --source=enforcer.yaml --location=[REGION] --project=[PROJECT]

  7. Repeat the steps for any additional regions you need to support.
  8. Wait for HUMAN to accept your connection and allow access to the published service.
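Before importing the traffic extension, it is worth catching an enforcer.yaml that still carries a "REPLACE" placeholder, a "..." link, or a failOpen value other than the template's false. The pre-flight check below is an added example, not HUMAN's or Google's code: it reads a constructed sample enforcer.yaml with a line-based reader that assumes the layout of the template above (one extension, top-level forwardingRules and metadata sections) instead of a full YAML parser.

```python
import re
# Constructed sample (not from the page): enforcer.yaml with the links filled in but one placeholder left.
SAMPLE_YAML = """\
forwardingRules:
  - https://www.googleapis.com/compute/v1/projects/example-proj/regions/us-west1/forwardingRules/fr-lb
extensionChains:
  - name: "human-enforcer"
    extensions:
    - name: 'human-enforcer-extension'
      service: https://www.googleapis.com/compute/v1/projects/example-proj/regions/us-west1/backendServices/psc-svc-ext-backend
      failOpen: false
      timeout: 1s
metadata:
  app_id: "PXexample" # constructed value
  auth_token: "REPLACE"
  cookie_secret: "example-cookie-key"
  remote_config_auth_token: "example-rc-token"
"""
PREFIX = "https://www.googleapis.com/compute/v1/projects/"
SECRETS = ("app_id", "auth_token", "cookie_secret", "remote_config_auth_token")
def _scalar(raw):
    """Drop an inline '# comment' and surrounding quotes from a YAML scalar."""
    return raw.split(" #", 1)[0].strip().strip("'\"")
def check_enforcer_yaml(text):
    """Line-based pre-flight check of enforcer.yaml; returns a list of problems (empty = ready to import)."""
    problems, section, links, ext, meta = [], None, [], {}, {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if not line[0].isspace():                # unindented key opens a new top-level section
            section = s.split(":", 1)[0]
            continue
        key, _, raw = s.lstrip("- ").partition(":")
        if section == "forwardingRules" and s.startswith("- "):
            links.append(_scalar(s[2:]))
        elif section == "extensionChains":
            ext[key] = _scalar(raw)              # last value wins; the template has a single extension
        elif section == "metadata":
            meta[key] = _scalar(raw)
    if not links or any(not (l.startswith(PREFIX) and "/forwardingRules/" in l) for l in links):
        problems.append("forwardingRules must list forwarding rule selfLinks (not the '...' placeholder)")
    svc = ext.get("service", "")
    if not (svc.startswith(PREFIX) and "/backendServices/" in svc):
        problems.append("service is not a backend service selfLink")
    if ext.get("failOpen") != "false":           # true would let requests through when the callout fails
        problems.append(f"failOpen must be false (got {ext.get('failOpen')!r})")
    if not re.fullmatch(r"\d+(\.\d+)?s", ext.get("timeout", "")):
        problems.append(f"timeout should be a duration such as 1s (got {ext.get('timeout')!r})")
    problems += [f"metadata.{k} is still a placeholder" for k in SECRETS if meta.get(k, "") in ("", "REPLACE")]
    return problems
```

Run it against your real file before step 6 and import only when it returns an empty list.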

Note

For each network endpoint group you create for a region, HUMAN receives a pending connection. While you cannot use the Enforcer until HUMAN accepts each connection, we recommend you continue to configure your project so the Enforcer is ready as soon as HUMAN accepts.

You have successfully configured your GCP Callout Enforcer.