1
votes

How to determine the IP ranges used by the GCP load balancers

I am operating several VM instances on Google Cloud Platform (GCP). They are behind an HTTP(S) load balancer.

In order to restrict the access based on the origin IP address, I configured the Nginx on each VM instance as follows:

server {
  listen 80;
  listen [::]:80;
  server_name www.example.com;

  # Take the client address from X-Forwarded-For, but only when the TCP
  # connection itself comes from one of the set_real_ip_from ranges below.
  real_ip_header X-Forwarded-For;
  # Walk the header right to left, skipping trusted addresses, until the
  # first untrusted one; that address becomes $remote_addr.
  real_ip_recursive on;
  set_real_ip_from 130.211.0.0/22; # GCP load balancers
  set_real_ip_from 35.191.0.0/16;  # GCP load balancers

  ...
}

I found the IP ranges 130.211.0.0/22 and 35.191.0.0/16 in the Firewall rules section of the "HTTP(S) Load Balancing Concepts" documentation page.

But in actual operation, I noticed that requests could also come from another IP range, 35.190.0.0/17.

So I consulted a section of the Google Compute Engine FAQ and learned that I can get the list of all public IP ranges of GCP.

This list is very long and seems to include IP ranges that are not used by the load balancers.

I have two questions:

  1. How can I determine the IP ranges used by the GCP load balancers?
  2. How can I update the Nginx configuration when the IP ranges change?
Just a small clarification: the ranges listed in the LB firewall section are the IP ranges that the actual load balancers have, not the IPs you assign to your load balancer front end. The IPs you assign to your front end can be any external Google IP address. External IPs from this group can be assigned to VMs, load balancer front ends or any other resource that requires an external IP. – Patrick W

Patrick, do you mean that we cannot know whether an HTTP request comes to the backend through any GCP load balancer or not? – Tsutomu

Yes you can; requests will come from 4 different ranges listed in the Load Balancer firewall section. But those IP ranges are not the same as the ones you assign as the external IP to your LB front end. 35.190.0.0/17 is part of Google's external IP ranges, but it is not reserved for any specific use. – Patrick W

Patrick, which page do you refer to by the Load Balancer firewall section? I see only two ranges on cloud.google.com/load-balancing/docs/https/#firewall_rules. – Tsutomu

So the documentation isn't great; only the two you mentioned are actually documented properly. There are two other ranges used that you will notice when running Kubernetes ingress resources: 209.85.204.0/22 and 209.85.152.0/22. – Patrick W

2 Answers

3
votes

It's not that long; I would just put them all in a separate file and include that in your Nginx config.

Then just run a bash script as a cron job to create a new config file, compare it with the current one and restart Nginx if necessary.

Something like this should get you started:

new=$(mktemp)   # start from an empty file each run; appending to a leftover file would accumulate stale entries
for i in $(host -t txt _cloud-netblocks.googleusercontent.com | grep -Eo "_cloud-netblocks[0-9]+\.googleusercontent\.com"); do
  host -t txt "$i" | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+" | sed -e 's/^/set_real_ip_from /' -e 's/$/;/' >> "$new"
done
sort -u -o "$new" "$new"   # stable order, so a different DNS answer ordering does not trigger a needless reload
if diff -N "$new" hostsfile > /dev/null; then rm "$new"; else mv "$new" hostsfile && nginx -t && nginx -s reload; fi
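The same idea in Python, as an added example that is not the answer's script: it parses the SPF-style TXT records that the `_cloud-netblocks` names return, follows the `include:` chain, renders the Nginx include file, and decides whether a reload is needed by comparing with the file currently installed. The TXT records here are constructed sample data in the real record format; in production the `lookup` callable would run `host -t txt <name>` or `dig +short txt <name>` instead of reading a dict. The record names and regexes are what the script assumes about the format.

```python
"""Added example (not the answer's shell script): parse the SPF-style TXT
records under _cloud-netblocks.googleusercontent.com into an Nginx include file
of set_real_ip_from lines, and decide whether Nginx needs a reload.
"""
import ipaddress
import re

ROOT = "_cloud-netblocks.googleusercontent.com"

# Constructed sample records in the real record format. The regexes below also
# tolerate the quotes and "descriptive text" that `host -t txt` prints around
# the record, so `lookup` can be swapped for a subprocess call.
SAMPLE_TXT = {
    ROOT: ("v=spf1 include:_cloud-netblocks1.googleusercontent.com "
           "include:_cloud-netblocks2.googleusercontent.com ?all"),
    "_cloud-netblocks1.googleusercontent.com":
        "v=spf1 ip4:130.211.0.0/22 ip4:35.191.0.0/16 ip6:2600:1900::/28 ?all",
    "_cloud-netblocks2.googleusercontent.com":
        "v=spf1 ip4:35.190.0.0/17 ip4:35.191.0.0/16 ?all",  # duplicate on purpose
}

INCLUDE_RE = re.compile(r"include:([A-Za-z0-9_.-]+)")
NETBLOCK_RE = re.compile(r"ip[46]:([0-9A-Fa-f:.]+/\d{1,3})")


def collect_netblocks(lookup, root=ROOT):
    """Follow include: chains from `root`; return de-duplicated networks, IPv4
    before IPv6 and each family in address order, so output is stable between runs."""
    nets, seen, todo = set(), set(), [root]
    while todo:
        name = todo.pop()
        if name in seen:          # an include loop must not hang the cron job
            continue
        seen.add(name)
        record = lookup(name)
        nets.update(ipaddress.ip_network(c, strict=False)
                    for c in NETBLOCK_RE.findall(record))
        todo.extend(INCLUDE_RE.findall(record))
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def render_nginx(nets):
    """One `set_real_ip_from <cidr>;` line per network, ready to `include` from nginx.conf."""
    return "".join(f"set_real_ip_from {n.with_prefixlen};\n" for n in nets)


def needs_reload(installed_text, fresh_text):
    """True when the freshly generated file differs from the one Nginx is running with."""
    return installed_text != fresh_text


if __name__ == "__main__":
    fresh = render_nginx(collect_netblocks(SAMPLE_TXT.__getitem__))
    print(fresh, end="")
    # Cron use: read the installed include file; if needs_reload(), write the
    # fresh text, run `nginx -t`, and only then `nginx -s reload`.
```

Like the shell version, this trusts every netblock Google publishes, not just the load balancer ranges; whether that is acceptable depends on who else can reach port 80 on the backend, which the VPC firewall rules decide.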
2
votes

I ran into this exact same issue while testing a deployment on Google Kubernetes Engine. I found out that if you assign a static IP address to your load balancer, that is the additional IP address that traffic will be forwarded from. Static IP addresses are always out of the listed range for Google's load balancers since they can be reserved for purposes other than load balancing. In my case I whitelisted the range that Google listed along with my static IP and everything is working fine; traffic doesn't get forwarded from any other IP addresses.

Whitelisting the entire range of Google's IP addresses might open a security hole where someone will be able to spoof their IP on your site. If someone uses a Google Compute Engine instance that is assigned one of Google's IPs that you whitelisted, they will be able to spoof their IP by changing the forwarded-for headers.
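To make this answer's two points concrete, here is an added Python model of how Nginx's realip module picks `$remote_addr` with `real_ip_recursive on`; it is not code from the answer, from Nginx or from Google. It assumes what Google documents for the HTTP(S) load balancer: the backend sees a TCP peer in 130.211.0.0/22 or 35.191.0.0/16, and X-Forwarded-For ends with `<client IP>, <load balancer front-end IP>`. All addresses below are constructed, and the "/8" standing in for "all of Google's ranges" is deliberately broader than the real list.

```python
"""Added example (not from the answer): a model of ngx_http_realip_module's
address selection, used to show (a) why the LB front-end IP shows up as the
"client" when it is not in set_real_ip_from and (b) how trusting all of
Google's ranges lets any GCE instance spoof its address via X-Forwarded-For.
"""
import ipaddress

DOCUMENTED_LB_RANGES = ["130.211.0.0/22", "35.191.0.0/16"]
FRONTEND_IP = "35.190.12.34"          # constructed: static IP assigned to the LB front end
# Constructed stand-in for "every Google range"; far broader than the real list.
ALL_GOOGLE_RANGES = DOCUMENTED_LB_RANGES + ["35.0.0.0/8"]


def is_trusted(addr, trusted_nets):
    return any(addr in net for net in trusted_nets)


def resolve_real_ip(peer_ip, xff, trusted_ranges):
    """Return what Nginx would set as $remote_addr.

    Rules mirrored from the realip module with real_ip_recursive on:
      * if the TCP peer is not in set_real_ip_from, the header is ignored;
      * otherwise walk X-Forwarded-For right to left, skipping trusted hops;
      * the first untrusted hop wins; if every hop is trusted, the leftmost does.
    """
    trusted = [ipaddress.ip_network(r) for r in trusted_ranges]
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer, trusted):
        return str(peer)
    hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",") if h.strip()]
    chosen = peer
    for hop in reversed(hops):
        chosen = hop
        if not is_trusted(hop, trusted):
            break
    return str(chosen)


def legitimate_request(trusted_ranges):
    """Client 203.0.113.7 via the LB: peer is an LB address, header is '<client>, <front end>'."""
    return resolve_real_ip("35.191.8.9", f"203.0.113.7, {FRONTEND_IP}", trusted_ranges)


def direct_spoof_attempt(trusted_ranges):
    """A GCE VM at 35.200.1.2 (constructed) connects straight to the backend,
    bypassing the LB, and claims to be 203.0.113.7 in X-Forwarded-For."""
    return resolve_real_ip("35.200.1.2", "203.0.113.7", trusted_ranges)


if __name__ == "__main__":
    print("documented ranges only      :", legitimate_request(DOCUMENTED_LB_RANGES))
    print("plus the front-end IP        :", legitimate_request(DOCUMENTED_LB_RANGES + [FRONTEND_IP + "/32"]))
    print("spoof vs documented ranges  :", direct_spoof_attempt(DOCUMENTED_LB_RANGES))
    print("spoof vs all Google ranges  :", direct_spoof_attempt(ALL_GOOGLE_RANGES))
```

With only the two documented ranges trusted, the rightmost untrusted hop is the front-end IP, so that is what Nginx logs and what the question observed coming from 35.190.0.0/17; adding the front-end address to `set_real_ip_from` restores the real client. Trusting the whole Google space makes the spoof succeed because the attacker's VM is itself a trusted peer, which is exactly the hole this answer warns about; a VPC firewall rule that only admits 130.211.0.0/22 and 35.191.0.0/16 on the backend port closes the direct path regardless of the Nginx setting.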