I have two Cloud Armor policies. Policy "A" is allowing our office network to connect to specific services. Policy "B" is allowing a customer access to a service in order to consume an API.
I cannot add the rule of Policy "B" to Policy "A" because then that rule (the customer's IP) would have access to all services Policy "A" is applied to. Therefore I separated it into a standalone Policy "B".
So I now have two different BackendConfig resources, one referencing Policy "A" and one referencing Policy "B".
The next step I took was to somehow apply both Cloud Armor backend configs to one specific service. The office network should have access to that service, plus the IP of our customer. This is how I thought it might work:
```yaml
metadata:
  annotations:
    beta.cloud.google.com/backend-config: '{"default":{"policy-a-cloud-armor-backend-config","policy-b-cloud-armor-backend-config"}}'
```
Unfortunately this does not work. In the policy panel in GCP the following warning appears:
This policy has not been applied to any targets yet, so the policy will not affect any traffic.
Any idea how I can make this exclusive access possible?
This notification, "This policy has not been applied to any targets yet, so the policy will not affect any traffic", indicates that the security policy is not bound to any targets via the backend configuration and annotations.
The annotation syntax does not look consistent with the documentation: the field `ports` is missing. It should look like this:
```json
{"ports": {"http":"config-http", "http2" :"config-http2"}, "default": "config-default"}
```
See Associating a Service port with a BackendConfig
It is hardly possible to apply two different security policies to the same service/port combination.
As a workaround, you can try an additional service with a special security policy that includes rules for both clients.
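As an added illustration (not part of the question or the answer above), the following Python checker validates a BackendConfig annotation value against the documented shape, where `"default"` is a single BackendConfig name and `"ports"` maps each Service port name or number to a single BackendConfig name. It shows why the value from the question binds nothing (it is not even valid JSON, and each key only takes one name) and renders well-formed values for the two-Service workaround. The BackendConfig names it uses are constructed for the example, and the policy that covers both clients is assumed to exist separately.

```python
"""Check a GKE BackendConfig annotation value against the documented shape.

The annotation value is a JSON object with two optional keys:
  "default": the name of one BackendConfig applied to all ports
  "ports":   a map from Service port name or number to one BackendConfig name
Each value is a single BackendConfig name, so a Service port can be bound to
exactly one BackendConfig (and therefore one Cloud Armor policy) at a time.
"""
import json
from typing import Dict, List, Optional

ANNOTATION_KEY = "beta.cloud.google.com/backend-config"  # key used in the question


def validate_backend_config_annotation(value: str) -> List[str]:
    """Return a list of problems with an annotation value; an empty list means it is well-formed."""
    errors: List[str] = []
    try:
        parsed = json.loads(value)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(parsed, dict):
        return ["top-level value must be a JSON object"]
    unknown = set(parsed) - {"default", "ports"}
    if unknown:
        errors.append(f"unknown keys: {sorted(unknown)}")
    if "default" in parsed and not isinstance(parsed["default"], str):
        errors.append('"default" must be a single BackendConfig name (string)')
    if "ports" in parsed:
        ports = parsed["ports"]
        if not isinstance(ports, dict):
            errors.append('"ports" must be an object mapping port name/number to a BackendConfig name')
        else:
            for port, cfg in ports.items():
                if not isinstance(cfg, str):
                    errors.append(f"port {port!r} must map to a single BackendConfig name (string)")
    if "default" not in parsed and "ports" not in parsed:
        errors.append('annotation binds nothing: neither "default" nor "ports" is present')
    return errors


def render_backend_config_annotation(default: Optional[str] = None,
                                     ports: Optional[Dict[str, str]] = None) -> str:
    """Build a well-formed annotation value for one Service."""
    body: Dict[str, object] = {}
    if ports:
        body["ports"] = dict(ports)
    if default:
        body["default"] = default
    if not body:
        raise ValueError("provide a default BackendConfig, a ports mapping, or both")
    return json.dumps(body, separators=(",", ":"), sort_keys=True)


# Constructed sample values. The first is the shape tried in the question: the
# inner {"a","b"} is not a JSON object, so the controller cannot parse it and
# neither BackendConfig (hence neither Cloud Armor policy) gets attached.
BROKEN_ANNOTATION = ('{"default":{"policy-a-cloud-armor-backend-config",'
                     '"policy-b-cloud-armor-backend-config"}}')

# One Service per policy, as in the workaround: the existing Service keeps the
# BackendConfig for Policy A, and a second Service for the same pods carries a
# BackendConfig that references a policy with rules for both clients.
# (All BackendConfig names below are constructed for this example.)
OFFICE_SERVICE_ANNOTATION = render_backend_config_annotation(
    default="policy-a-cloud-armor-backend-config")
SHARED_SERVICE_ANNOTATION = render_backend_config_annotation(
    ports={"http": "policy-ab-cloud-armor-backend-config"})

if __name__ == "__main__":
    for label, value in [("question", BROKEN_ANNOTATION),
                         ("office service", OFFICE_SERVICE_ANNOTATION),
                         ("shared service", SHARED_SERVICE_ANNOTATION)]:
        problems = validate_backend_config_annotation(value)
        print(f"{label}: {ANNOTATION_KEY}: {value}")
        print("  ->", "ok" if not problems else "; ".join(problems))
```

Run it as a script to see the question's value rejected and the two workaround values accepted; the validator can also be pointed at `kubectl get svc -o json` output to catch a policy that silently protects nothing because its annotation never parsed.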