I couldn't find a clear question or answer, although "GCP Load Balancer: cannot delete 'match all' under 'Host and path rules'" and "Can I make Apache drop a connection when matching a URL?" are close, so maybe it's a stupid question. I have read https://cloud.google.com/load-balancing/docs/url-map.
Say I have a rule for domain1.com => URL redirect, another rule domain2.com => static backend bucket, but I want requests that come in with a Host: for a domain I have not mapped, including no Host: or a Host: of the IP of the load balancer, to just get dropped - no response.
Right now a lot of connections are coming in from China/Russia attempting to penetrate vulnerabilities. Rather than paying egress for 200/403/404 responses, I'd rather just drop the connection entirely and not respond at all.
So far it appears that I have to configure a backend service/bucket for the non-matching host/path rule. If it's a bucket, it will serve a 200 OK at the bucket root if allUsers has general read object access (regardless of whether I set or have an index file), unless I remove list permissions from allUsers, in which case it will 403 with a default GCS XML response. Of course, I can make it 404 on all other paths, and I can make the index and 404 pages very tiny, like an empty file, and I would have Cloud CDN enabled. However, I'd much prefer to not respond and drop instead.
Is that possible with GCP Load Balancer?
Could I just redirect to google.com or something like that? I'd still pay, but at least there would be no 'body' part to the response.
Alternatively, assuming I have to have a backend service, what's the easiest and cheapest way to set up a backend service that just drops/denies connections? I'm aware the cost for the service that drops connections may exceed the cost of the egress; I'll have to work that out.
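The URL map layout the question describes (one host redirected, one host served from a backend bucket, everything else hitting the default rule), written out in the `gcloud compute url-maps import` YAML format as an added example, not from the question or Google's docs. It uses the redirect-only variant the question floats for the default: a `defaultUrlRedirect` needs no backend service or bucket at all, though the load balancer still answers, so it is a minimal response rather than a true drop. `PROJECT_ID`, the bucket name and `www.example.net` are placeholders.

```yaml
# Added example URL map for the question's setup; all names are placeholders.
name: example-url-map
hostRules:
- hosts:
  - domain1.com
  pathMatcher: redirect-domain1
- hosts:
  - domain2.com
  pathMatcher: bucket-domain2
pathMatchers:
# domain1.com: a URL redirect generated by the load balancer, no backend.
- name: redirect-domain1
  defaultUrlRedirect:
    hostRedirect: www.example.net          # placeholder redirect target
    httpsRedirect: true
    redirectResponseCode: MOVED_PERMANENTLY_DEFAULT
    stripQuery: false
# domain2.com: served from the static content backend bucket.
- name: bucket-domain2
  defaultService: https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/backendBuckets/static-site-bucket
# Any request whose Host matches no hostRule (unmapped domain, missing Host,
# or the load balancer's bare IP) falls through here. With defaultUrlRedirect
# set, no defaultService/backend bucket is needed for the catch-all, so no
# bucket listing or GCS XML error is ever returned; the LB itself answers
# with a redirect. This is still a response, not a dropped connection.
defaultUrlRedirect:
  hostRedirect: www.example.net            # placeholder redirect target
  redirectResponseCode: MOVED_PERMANENTLY_DEFAULT
  stripQuery: true
```

`defaultUrlRedirect` and `defaultService` are mutually exclusive at each level, which is why the catch-all above carries no backend reference.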