
How do I block traffic to my VMs that bypasses the Load Balancer in GCP?


I'm having problems with traffic from China and the Americas hitting my VMs in GCP. I already set up GCP Cloud Armor to block any traffic from outside Chile, but this only covers the traffic that enters via the site URL; if you type the IP you can get in anyway. This is driving up the cloud bill.

How do I set up my VMs to only accept traffic from the load balancer? Thanks!

EDIT: I'm using an unmanaged instance group.


Solution

  • The Google Cloud Armor security policy has a deny rule that blocks traffic from the IP address and from the particular regions.

    You can configure Google Cloud Armor security policies, rules, and expressions by using the Google Cloud Console, the Google Cloud CLI, or the REST API. When you use the gcloud CLI to create security policies, use the --type flag to specify whether the security policy is a backend security policy or an edge security policy.

    The following command adds a rule to block requests from the regions China and the United States that are also in the specified IP range:

    # Both conditions must hold: the client's region is CN or US, and its IP is in 1.2.3.0/24
    gcloud compute security-policies rules create 1000 \
      --security-policy my-policy \
      --expression "(origin.region_code == 'CN' || origin.region_code == 'US') && inIpRange(origin.ip, '1.2.3.0/24')" \
      --action "deny-403" \
      --description "country and IP block"
    

    Refer to this documentation for more information on blocking traffic from specific regions using Google Cloud Armor, and to this documentation for region codes.
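A Cloud Armor policy is evaluated at the load balancer, so it cannot stop a client that connects straight to a VM's external IP. The script below is an added example, not part of the answer above, of the two VM-side controls that close that path: VPC firewall rules that only admit the load balancer's proxy and health-check source ranges to the backend port, and removal of the VMs' external IPs. The project, network, tag, VM and zone names are placeholders; the source ranges 130.211.0.0/22 and 35.191.0.0/16 are the ones Google documents for proxy-based load balancers and health checks, and should be checked against the current Cloud Load Balancing documentation before use.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): make backend VMs reachable only
# through the proxy-based HTTP(S) load balancer, and drop their external IPs.
# All names below are placeholders; override them via the environment.
set -eu

NETWORK="${NETWORK:-default}"            # assumption: VPC the backends live in
TARGET_TAG="${TARGET_TAG:-lb-backend}"   # assumption: network tag on the backend VMs
BACKEND_PORT="${BACKEND_PORT:-80}"       # assumption: port the backend service listens on

# Source ranges Google documents for proxy-based load balancers and health checks.
# Verify against the current Cloud Load Balancing docs before relying on them.
LB_SOURCE_RANGES="130.211.0.0/22,35.191.0.0/16"

# Lower number wins in VPC firewall evaluation. The allow rule must beat the deny,
# and the deny must beat the default network's default-allow-http rule (priority 1000).
ALLOW_PRIORITY=900
DENY_PRIORITY=910

# Execute a gcloud command, or only print it when DRY_RUN=1 so the plan can be reviewed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Admit only the load balancer / health-check ranges to the backend port.
allow_lb_ingress() {
  run gcloud compute firewall-rules create allow-lb-to-backends \
    --network "$NETWORK" --direction INGRESS --action ALLOW \
    --priority "$ALLOW_PRIORITY" \
    --rules "tcp:${BACKEND_PORT}" \
    --source-ranges "$LB_SOURCE_RANGES" \
    --target-tags "$TARGET_TAG"
}

# Deny every other source on that port for the tagged VMs.
deny_other_ingress() {
  run gcloud compute firewall-rules create deny-direct-to-backends \
    --network "$NETWORK" --direction INGRESS --action DENY \
    --priority "$DENY_PRIORITY" \
    --rules "tcp:${BACKEND_PORT}" \
    --source-ranges "0.0.0.0/0" \
    --target-tags "$TARGET_TAG"
}

# Tag a VM so the rules above apply to it (unmanaged instance groups do not add tags).
tag_backend() {
  local vm="$1" zone="$2"
  run gcloud compute instances add-tags "$vm" --zone "$zone" --tags "$TARGET_TAG"
}

# Remove the VM's external IP. With no public address there is nothing to type into a
# browser; outbound internet access then requires Cloud NAT, which is not set up here.
# "external-nat" is gcloud's default access-config name.
remove_external_ip() {
  local vm="$1" zone="$2"
  run gcloud compute instances delete-access-config "$vm" \
    --zone "$zone" --access-config-name "external-nat"
}

# Usage: [DRY_RUN=1] ./lockdown.sh ZONE VM [VM...]
main() {
  local zone="$1"; shift
  allow_lb_ingress
  deny_other_ingress
  for vm in "$@"; do
    tag_backend "$vm" "$zone"
    remove_external_ip "$vm" "$zone"
  done
}

# Only act when invoked with arguments, so the file can also be sourced for review.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it first with `DRY_RUN=1 ./lockdown.sh us-central1-a web-1 web-2` to review the exact gcloud commands, then without `DRY_RUN`. If the VMs need to reach the internet after their external IPs are gone (package updates, outbound API calls), add a Cloud NAT gateway for the subnet before removing the addresses. The firewall rules alone already stop direct hits on the backend port, but keeping a public IP on the VM still exposes every other port, so both steps belong together.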