I have successfully secured my backend services using Cloud Armor and applying whitelisting or blacklisting. Supposing that there is traffic coming from some specific addresses, is there any way to detect them automatically based on the frequency without iterating over the Stackdriver logs? If so, is there any way to blacklist them in an automated way?
Cloud Armor does not offer "intelligent" features at the moment. As stated in the Google public docs, it has straight policies for white-listing or blacklisting CIDR ranges. What can be done (not simple, considerable effort required) is to create a Stackdriver sink and export the logs for blacklisted IPs. Based on the logs captured, there could be Cloud Function jobs to monitor the logs and then kick off the creation of Cloud Armor policies to block the offending IPs. But as mentioned, this is not simple. Considerable effort required.
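The following is an added example, not part of the original answer or of any Google sample: a sketch of the core logic such a Cloud Function could run over exported load balancer log entries, counting requests per source IP in a sliding window and building deny-rule bodies in the Compute API `SecurityPolicyRule` shape. The window, threshold, priorities, allowlist and sample entries are assumptions; submitting the rules (for example via `securityPolicies.addRule`) is left out so the block runs offline.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=60)  # assumed detection window
THRESHOLD = 5                   # assumed max requests per IP per window
MAX_RANGES_PER_RULE = 10        # Cloud Armor limit on source ranges in one basic-match rule

def parse_ts(ts):
    # LogEntry timestamps are RFC 3339; sample data uses second precision
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def offending_ips(entries, window=WINDOW, threshold=THRESHOLD):
    """Return sorted IPs that sent more than `threshold` requests in any `window`."""
    recent, flagged = defaultdict(deque), set()
    for e in sorted(entries, key=lambda e: parse_ts(e["timestamp"])):
        ip = e.get("httpRequest", {}).get("remoteIp")
        if not ip:
            continue  # entry without a client address, nothing to count
        now, q = parse_ts(e["timestamp"]), recent[ip]
        q.append(now)
        while now - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(ip)
    return sorted(flagged)

def deny_rules(ips, allowlist=(), base_priority=1000):
    """Build deny-rule bodies, at most 10 source ranges each, skipping allowlisted IPs."""
    ips = [ip for ip in ips if ip not in allowlist]
    rules = []
    for n, i in enumerate(range(0, len(ips), MAX_RANGES_PER_RULE)):
        # ip_network() yields /32 for IPv4 and /128 for IPv6 single hosts
        ranges = [str(ipaddress.ip_network(ip)) for ip in ips[i:i + MAX_RANGES_PER_RULE]]
        rules.append({"priority": base_priority + n, "action": "deny(403)",
                      "description": "auto-block: request rate over threshold",
                      "match": {"versionedExpr": "SRC_IPS_V1",
                                "config": {"srcIpRanges": ranges}}})
    return rules

def sample_entries():
    """Constructed log entries (documentation IP ranges), not real traffic."""
    t0 = datetime(2023, 1, 1, tzinfo=timezone.utc)
    def e(ip, sec):
        ts = (t0 + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return {"timestamp": ts, "httpRequest": {"remoteIp": ip}}
    bursts = [e("203.0.113.7", s) for s in range(8)] + [e("198.51.100.99", s) for s in range(7)]
    return bursts + [e("192.0.2.1", s * 120) for s in range(6)] + [e("198.51.100.20", 3)]
```

The allowlist matters in practice: health checkers, monitoring probes and NAT gateways fronting many users can all exceed a naive per-IP threshold.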