Integrate the GCP Callout Enforcer

If your organization uses Google Cloud, you can use HUMAN’s Google Cloud Provider (GCP) Callout Enforcer to protect against malicious behavior. The Enforcer is implemented in two phases:

Integrate your GCP Load Balancer (LB) with the Enforcer via GCP commands
Configure the Enforcer’s settings and behavior

Prerequisites

Appropriate permissions in GCP to:
- Create Network Endpoint Groups (NEGs) for each necessary region
- Manage Load Balancers
Your Load Balancer is supported by Google Service Extensions. These are:
- External Application Load Balancers
- Internal Application Load Balancers
The following items provided by HUMAN. Contact us if you have not received these already.
- A service link for your region
- An enforcer.yaml file
- Your remote_config_auth_token value
Your unique HUMAN information:
- Your Application ID. You can find this under Platform Settings > Applications > Overview in the HUMAN console. If you have multiple environments, you will also have multiple Application IDs, so be sure to choose the correct ID for the environment you want to install on.
- Your Server Token. You can find this under Platform Settings > Applications > Status & Settings > Server Token.
- Your Risk Cookie Key. You can find this under Bot Defender > Policies > Policy Settings > Policy Information.
- Your Remote Config Auth Token.

Integrate the GCP Load Balancer

To start, you must create an NEG and regional backend for each supported region to provide the Enforcer service to your LB. This can be completed with the Google Cloud console commands.

Create the NEG with the following command:

$ gcloud compute network-endpoint-groups create neg-enforcer-us-west-1 \
>         --project $CUSTOMER_PROJECT \
>         --region us-west1 \
>         --network-endpoint-type=private-service-connect \
>         --psc-target-service=$HUMAN_PSC_ENDPOINT

Create the regional backend service with the following commands:

Create the backend service

$ gcloud compute backend-services create psc-svc-ext-backend \
> --load-balancing-scheme EXTERNAL_MANAGED \
> --enable-logging \
> --protocol HTTP2 \
> --project $CUSTOMER_PROJECT \
> --region us-west1
$ 
$ gcloud compute backend-services add-backend psc-svc-ext-backend \
> --project $CUSTOMER_PROJECT \
> --network-endpoint-group neg-enforcer-us-west-1 \
> --network-endpoint-group-region us-west1

Repeat the steps for any additional regions you need to support.

Configure the Enforcer

From the Google Clould console, get the LB forwarding rule link with the following command:
- Replace [FOWARDING-RULE] with your forwarding rule name
- Replace [REGION] with the LB’s region
- Replace [PROJECT] with the LB’s project

$ gcloud compute forwarding-rules describe [FORWARDING-RULE]  --region=[REGION] --project=[PROJECT] --format 'value(selfLink) '

Copy and save the selfLink value that appears.
Get the regional backend service link with the following command:
- Replace [BACKEND] with the regional backend service name
- Replace [REGION] with the LB’s region
- Replace [PROJECT] with the LB’s project

$ gcloud compute backend-services describe [BACKEND]  --region=[REGION] --project=[PROJECT] --format='value(selfLink)

Copy and save the selfLink value that appears.
Update the enforcer.yaml file with the following:
- Replace the forwardingRules value with the LB forwarding rule link you saved in Step 2.
- Replace the service value with the regional backend service link you saved in Step 4.
- Update the metadata section with the following:
  - app_id: Your HUMAN Application ID
  - auth_token: Your HUMAN server token
  - cookie_secret: Your HUMAN risk cookie key
  - remote_config_auth_token: The token provided by HUMAN used to authenticate the Enforcer via the HUMAN Remote Configuration UI. For now, HUMAN will set up your Enforcer configuration.
- Update the celExpression section to include or exclude any specific requests from sending to the Enforcer. See Google’s CEL matcher language reference for more information.

1 name: traffic-ext
2 loadBalancingScheme: EXTERNAL_MANAGED
3 forwardingRules:
4   - https://www.googleapis.com/compute/v1/projects/... # replace with the LB forwarding rule link
5 extensionChains:
6   - name: "human-enforcer"
7     matchedCondition:
8       celExpression: 'request.path.startsWith("/")'
9     extensions:
10     - name: 'human-enforcer-extension'
11       authority: humansecurity.com
12       service: https://www.googleapis.com/compute/v1/projects/... # replace with HUMAN service URL
13       failOpen: false
14       timeout: 1s
15       supportedEvents:
16         - REQUEST_HEADERS
17 metadata:
18   app_id: "REPLACE" # your application ID
19   auth_token: "REPLACE" # your server token
20   cookie_secret: "REPLACE" # your risk cookie key
21   remote_config_auth_token: "REPLACE" # your remote configuration token

Configure the HUMAN Enforcer traffic extension with the GCLoud command:
- Replace [REGION] with the LB’s region
- Replace [PROJECT] with the LB’s project

$ gcloud service-extensions lb-traffic-extensions import traffic-ext     --source=enforcer.yaml --location=[REGION] --project=[PROJECT]

Repeat the steps for any additional regions you need to support.
Wait for HUMAN to accept your connection and allow access to the published service.

For each network-endpoint-groups you create for a region, HUMAN receives a pending connection. While you cannot use the Enforcer until HUMAN accepts each connection, we recommend you continue to configure your project so the Enforcer is ready as soon as HUMAN accepts.

You have successfully configured your GCP Callout Enforcer.