Level Up Your Security: Google Cloud Enhances Load Balancers with HUMAN Security’s Anti-Fraud Expertise
Read time: 5 minutesRobert Kusters
In today’s rapidly evolving digital world, where threats are constantly emerging and user expectations are higher than ever, maintaining a secure, reliable, and high-performing online presence is critical. Google Cloud Application Load Balancers have long been a cornerstone of this effort, expertly managing traffic and ensuring seamless user experiences. Now, Google Cloud takes application security and customization to the next level with Service Extensions callouts for all Google Cloud Application Load balancers, including the global external, regional external, regional internal, and cross-regional internal load balancers.
Google Cloud’s Service Extensions callouts now seamlessly integrates with HUMAN Security, a leading provider of advanced bot mitigation and fraud prevention solutions. This strategic partnership allows customers to leverage HUMAN Security’s cutting-edge technology directly within their Google Cloud Application Load Balancers. By analyzing traffic patterns and user behavior in real-time, HUMAN Security can intelligently detect and block malicious bot activity, account takeover attempts, and other fraudulent behavior before it reaches your applications. This integration not only strengthens defenses against sophisticated threats but also streamlines security operations.
Setup Overview
HUMAN shares Regional Enforcer Service via Private Service Connect (PSC).
Clients (service consumers) should use Network endpoint group (NEG) to create a Regional Backend, which will provide Enforcer Service to their Application Load Balancer. Clients will need to create NEGs for each supported Region.
Clients should enable “Service Extensions” on their Application Load Balancer to send callouts to Enforcer backend service.
Supported Load Balancers:
- External Application Load Balancer
- Internal Application Load Balancers
Enforcer Setup Instructions:
- Create a Network Endpoint Group for selected Region (Computer Engine -> Network endpoint groups):
- NEG type: Private Service Connect NEG (Regional)
- Target: Published service
- Target service: copy Service Link for the selected Region (provided by HUMAN).
- Network: select Load Balancer network
- HUMAN will need to accept the Client’s connection and allow access to published Service
- Create a Regional backend service (Network Services -> Load balancing -> Backends)
- Select “Regional backend service”
- Select Region (Backend Region must match NEG Region)
- Backend type: Private Service Connect NEG
- Protocol: HTTP/2
- New Backend: select NEG created in Step #1
Here are the equivalent gcloud commands:
gcloud compute backend-services create psc-svc-ext-backend \
--load-balancing-scheme EXTERNAL_MANAGED \
--enable-logging \
--protocol HTTP2 \
--project $CUSTOMER_PROJECT \
--region us-west1
gcloud compute backend-services add-backend psc-svc-ext-backend \
--project $CUSTOMER_PROJECT \
--network-endpoint-group neg-enforcer-us-west-1 \
--network-endpoint-group-region us-west1
- Get Load Balancer “forwarding rule” link:
- In “gcloud” console type the following command:
gcloud compute forwarding-rules describe [FORWARDING-RULE] –region=[REGION] –project=[PROJECT] –format ‘value(selfLink) ‘ - Replace:
- [FORWARDING-RULE] with Load Balancer Forwarding Rule name
- [REGION] with Load Balancer Region
- [PROJECT] with Load Balancer Project
- Save “selfLink” value you see on the screen.
- In “gcloud” console type the following command:
- Get Regional backend service link:
- In “gcloud” console type the following command:
gcloud compute backend-services describe [BACKEND] –region=[REGION] –project=[PROJECT] - Replace:
- [BACKEND] with Regional backend service name, created in Step #3
- [REGION] with Load Balancer Region
- [PROJECT] with Load Balancer Project
- Search and save “selfLink” value.
- In “gcloud” console type the following command:
- Adjust enforcer.yaml file (provided by HUMAN):
- Replace forwardingRules link with selfLink from Step #4
- Replace service link with selfLink from Step #5
- Adjust “metadata” section:
- app_id / auth_token: Application ID / AppId and Token / Auth Token can be found in the Portal, in the “Applications” section.
- cookie_secret: Cookie Encryption Key can be found in the portal, in the “Policies” section.
- remote_config_auth_token: The token used to authenticate the enforcer with the HUMAN remote configuration service.
- Adjust “celExpression” section to include / exclude particular requests from sending to the Enforcer. Please refer to “CEL matcher language” reference page: https://cloud.google.com/service-extensions/docs/cel-matcher-language-reference
- Finally configure HUMAN Enforcer traffic extension:
- In “gcloud” console type the following command:
gcloud service-extensions lb-traffic-extensions import traffic-ext –source=enforcer.yaml –location=[REGION] –project=[PROJECT] - Replace:
- [REGION] with Load Balancer Region
- [PROJECT] with Load Balancer Project
- In “gcloud” console type the following command:
Benefits of the integration
- Improves security by keeping malicious traffic away from the web servers;
- Enhances user experience – faster load time given decreased web server traffic; and,
- Creates potential cost savings since fewer web servers may be required (assuming the message cost of callouts does not offset the savings).
Conclusion
The integration of HUMAN Security with Google Cloud’s Service Extensions callouts marks a significant advancement in the fight against online fraud and abuse. By combining the scalability and performance of Google Cloud’s infrastructure with HUMAN Security’s advanced threat detection capabilities, customers can now proactively protect their applications and users from a wide range of cyber threats. This partnership not only simplifies security management but also empowers organizations to foster trust, safeguard their digital assets, and ensure a seamless online experience for their customers. As the threat landscape continues to evolve, this integration serves as a testament to the power of collaboration in building a more secure and resilient digital ecosystem.