Google Cloud Armor
A security service that protects cloud deployments from DDoS attacks and web-based threats.
| Category | Network Security |
|---|---|
| This page updated | a month ago |
| Pricing Details | Pricing varies based on usage and configuration. |
| Target Audience | Organizations looking to secure their cloud deployments against DDoS and web-based threats. |
Google Cloud Armor is designed to protect cloud deployments from distributed denial-of-service (DDoS) attacks and other web-based threats. The technical architecture of Cloud Armor is tightly integrated with Google Cloud's load balancing infrastructure, including global external Application Load Balancers, classic Application Load Balancers, and external proxy Network Load Balancers.
Cloud Armor employs a multi-layered approach to security, starting with built-in DDoS protection that defends against volumetric network and protocol attacks. It uses machine learning-based Adaptive Protection to detect and mitigate high-volume Layer 7 DDoS attacks, and it includes preconfigured Web Application Firewall (WAF) rules based on industry standards such as the ModSecurity Core Rule Set 3.3.2 to mitigate OWASP Top 10 risks such as cross-site scripting (XSS) and SQL injection (SQLi).
Operationally, Cloud Armor security policies are sets of prioritized rules that match incoming requests against configurable conditions, allowing for custom Layer 7 filtering. A policy can be applied at various levels of granularity to multiple workloads, including those in hybrid or multi-cloud deployments. The service also supports IP-based and geo-based access control, enabling the filtering of incoming traffic based on IPv4 and IPv6 addresses or geographic locations.
Key operational considerations include the need to attach Cloud Armor policies to load balancers, as direct attachment to VM instances is not currently supported. Additionally, preview mode allows security rules to be tested before they are enforced: a previewed rule records its verdict without acting on the request, helping to avoid unintended traffic blockage. Logging and monitoring through Cloud Logging and Cloud Monitoring provide visibility into Cloud Armor decisions and the policies and rules that produced them, aiding in the fine-tuning of security configurations.
Technically, Cloud Armor supports protocols such as HTTP, HTTPS, HTTP/2, and QUIC, and it integrates with reCAPTCHA Enterprise for bot management. The service offers rate-based rules to protect against large volumes of requests that could flood instances and deny service to legitimate users. However, the thresholds in these rules require careful tuning to avoid overly restrictive policies that block legitimate traffic.
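A security policy combining the elements described above (preconfigured WAF rules in preview mode, a rate-based rule, and Adaptive Protection), written as an added example in the YAML shape that `gcloud compute security-policies import` accepts; it is not taken from the page or from Google's own documentation, and the policy name, priorities, thresholds and backend name are assumed values.

```yaml
# Constructed example policy for a global external Application Load Balancer.
# Rules are evaluated in priority order (lowest number first); the rule at
# priority 2147483647 is the mandatory default action.
name: web-frontend-policy   # assumed name
description: WAF plus rate limiting for the public web frontend
rules:
  # Preconfigured CRS 3.3 WAF rules for SQLi and XSS. preview: true records the
  # verdict in Cloud Logging without blocking, so the rule can be tuned before
  # enforcement; set it to false once false positives have been resolved.
  - priority: 1000
    action: deny(403)
    preview: true
    match:
      expr:
        expression: >-
          evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1}) ||
          evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})
  # Rate-based ban keyed on client IP: more than 100 requests in 60 s returns
  # HTTP 429 and bans the source for 5 minutes. The thresholds are assumed;
  # derive real values from observed legitimate traffic before enforcing.
  - priority: 2000
    action: rate_based_ban
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
          - '*'
    rateLimitOptions:
      enforceOnKey: IP
      conformAction: allow
      exceedAction: deny(429)
      rateLimitThreshold:
        count: 100
        intervalSec: 60
      banDurationSec: 300
  # Default rule: allow anything that did not match a higher-priority rule.
  - priority: 2147483647
    action: allow
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
          - '*'
# Adaptive Protection (Layer 7 DDoS defense) is enabled at the policy level.
adaptiveProtectionConfig:
  layer7DdosDefenseConfig:
    enable: true
```

Import it with `gcloud compute security-policies import web-frontend-policy --file-name policy.yaml --global`, then attach it to a backend service with `gcloud compute backend-services update BACKEND --security-policy web-frontend-policy --global` (BACKEND is a placeholder for your backend service name).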