Blog Google Cloud Cloud Armor – A Complete Guide
Cloud Armor

Cloud Armor – A Complete Guide

Every organizational application needs some security policies for adding up protection aspects from potential web attacks. If you have an application running over the cloud, then it is your responsibility to look after its security to keep your data and operational efficiency safe. And for that, Google has introduced its Cloud Armor security policies! Google Cloud Armor intends to offer you protection for cloud deployments from various types of threats.

Pricing page

Some of the potential attacks or threats that are defended by the Cloud Armor are Distributed denial-of-service (DDoS), SQL injection (SQLi), and cross-site scripting (XSS). The Google Cloud Armor has also embedded some automated protection features within its policy and technology. Along with that, there are some protection policies that you need to configure and implement manually for ideal execution.

Interested in Google Cloud Certifications? Check out Whizlabs brand new online courses, practice tests, and free test here!

In this article, you will get a clear insight into the overview, working, and detailed features of Google Cloud Armor. Follow till the end to know the efficacy of this Google Cloud service before you can implement it for your applications.

Tiers Overview of Google Cloud Armor

Google Cloud Armor is offering managed protection service to cloud applications. The main role of this service is to protect the web services and apps from several web attacks of diverse intensities. Google Cloud Armor service is offered to clients in two tiers, namely, standard and managed protection plus.

The Standard tier consists of a pay-as-you-go pricing architecture. It supports the always-on feature of protection from protocol-based DDoS attacks and volumetric attacks across the global infrastructure. With Cloud Armor, you get the accessibility to Web Application Firewall (WAF) rule potential. You can also leverage the pre-configured WAF rules for protection against top web vulnerabilities.

The Managed Protection Plus tier comes with a monthly payment subscription. It consists of all the features that are available within the standard tier of Cloud Armor. Moreover, it has also bundled the use of WAF rules, HTTP(s) requests, and policies. Under this tier, you also get adaptive protection and third-party named lists of IP addresses. If you pick this tier, then you will get access to the DDoS response team services and DDoS bill protection.

Preparing for Google Cloud Certified Professional Cloud Network Engineer? Try Whizlabs Free Test today!

All of the projects or applications that are under the TCP Proxy load balancing, HTTP(S) load balancing, or SSL Proxy load balancing are enrolled to the Standard tier automatically. You need to manually subscribe to the Managed Protection Plus tier to leverage the additional features. The users have the choice to enroll in selective projects upon the Managed Protection Plus tier. To know more about Cloud Armor’s managed protection service, you can refer to this link!

Working of Google Cloud Armor

Working of Google Cloud Armor

Google Cloud Armor offers DDoS protection against the network without any breakdowns. Moreover, it is also assured protection against volumetric DDoS attacks for the services and applications. This protection feature is always online and is continuously scaling to meet the capacity of the global network of Google. With it, you can ensure that the Cloud Armor can detect the network attacks and mitigate them, to process only the eligible requests, with the help of load balancing proxies.

The backend services that are behind the external HTTP(s) load balancers can also access the security policies of Cloud Armor. It is to implement the custom Layer & filtering policies. Along with that, the backend services can also implement the pre-configured WAF rules for identifying and mitigating the top 10 vulnerability risks for a web application, as stated by OWASP. The implementation of Cloud Armor security policies will give you the ability to allow/deny access for the external HTTP(S) load balancer at the Cloud Edge.

Hence, Cloud Armor helps you prevent unwanted traffic from consuming your web resources and entering your VPC networks. You are free to use the security policies of Cloud Armor to ensure that your application security matches the current conditions. You can implement efforts in order to create WAF rules for protecting the application against common threats or attacks. DDoS attacks can do the most damage to your application, to which Google Cloud Armor intends to offer managed protections.

Google Cloud Armor Pricing

Before moving ahead with the service explanations, it is important for you to get an idea of the pricing of the Cloud Armor service. As stated above, it comes in two tiers, standard and managed protection plus. Under the standard tier, you will be charged upon the pay-as-you-go model, where you will be charged for the rules and security policies that you implement. Apart from that, the standard tier billing will also include L7 requests that are formed by the users.

The pricing for the standard tier of Cloud Armor is as follows:

  • For creating the WAF rules, you need to pay $1/month.
  • For adapting security policies, you need to pay $5/month.
  • For offering protection against the requests, you need to pay $0.75/million queries.
  • There is no data processing fee and no fixed term for this tier. You will pay as long as you go with this tier.

The Managed Protection Plus tier is a subscription-based tier, where you need to pay a monthly billing amount to avail all of the services within this tier. The pricing for Managed Protection Plus tier starts at $3000 per month. This pricing is only for the first 100 protected resources. After this mark, every additional resource will be charged $30/month. The pricing for rules, policy, and requests are included within the subscription. The data processing fee will be an additional charge for the Managed Protection Plus tier.

Google Cloud Armor Security Policies

The security policies of Cloud Armor are certain sets of rules that match upon the attributes from Layer 3-Layer 7 for protecting the applications and services that are facing externally. Each of the rules is termed to undergo evaluation as per the incoming traffic. The Cloud Armor rule of security policy comes with a match condition. This promotes the Cloud Armor to take action when the condition is met.  

The conditions can be understandable and simple, such as matching IP addresses of incoming traffic’s source to any specific entity. Similarly, the matching of the CIDR range can also be a condition to trigger Cloud Armor protection. Moreover, you get the flexibility of creating your own customized conditions. You can look after matching the conditions to different attributes upon the incoming traffic. You can impose conditions upon request methods, header values, and the URL path.

But for customizing your own conditions, you need to use Google Cloud Armor custom rules-language reference. To know more about it, you can check out this official documentation by Google Cloud.

Anytime an incoming request is a perfect match to the condition embedded within the rule of security policy, Cloud Armor allows, redirects, or denies the request. The decision given by Cloud Armor is based upon what outcome you have set for that specific rule. It can be an allow rule, deny rule or redirect rule, depending upon the specific user choices. There can be additional parameters of action, such as the insertion of the request headers. It is a collective feature of bot management aspects of Cloud Armor. If you intend to learn more about bot management, then check out this overview documentation.

Pre-Configured WAF (Web Application Firewall) Rules

Google Cloud Armor has some pre-configured rules embedded within its functionality. It is to ensure that the users do not have to spend additional time and knowledge upon creating custom ones for the basic protection of web services and applications. Therefore, leveraging upon the potential of pre-configured WAF rules will help you protect your applications & services from all types of common web attacks.

Moreover, there are OWASP stated top 10 vulnerability risks that can hamper the web apps and services. These pre-configured WAF rules are intended to prevent and stop these 10 risks on priority. Get a glimpse into the ten vulnerability risks as stated by OWASP over this article!

 These rules are meant for enabling Cloud Armor for evaluating the different traffic signatures. It is done by referring to conveniently named rules without the necessity of defining each of the signatures manually.

You can make use of these pre-configured rules for tuning the unnecessary signatures within your projects. All the incoming requests that come for the application or web service undergo evaluation on behalf of these WAF rules. If a request matches the rule, the respective command will return the value as ‘true.’ Hence, the request will be clear to process. In case you want to disable certain unnecessary signatures to prevent unwanted traffic, then you will have to provide IDs of the unwanted signatures.

Adaptive Protection of Google Cloud Armor

The adaptive protection of Google Cloud Armor puts up protection assistance for the Google Cloud applications, services, and websites. This protection is mostly against the L7 DDoS attacks that include HTTP floods, high-frequency malicious attacks, and others. The adaptive protection policy of Cloud Armor makes use of machine-learning models in order to offer protection services.

Cloud Armor adaptive protection helps in detecting any possible anomalous activity and alerts the user about it. It will then generate a signature to describe the attack or threat activity. Moreover, it will also create a custom WAF rule for blocking that signature or attack over Cloud Armor. You have the accessibility to either enable or disable the Cloud Armor Adaptive Protection feature on a per-security-policy basis.

Adaptive protection will help you out with proactive alerts about anomalous traffic and potential attacks. The signatures of those attacks will be visible to you within the event dashboard. Moreover, these event logs are further sent to Cloud Logging for further analysis of impact. In addition to that, these logs are then forwarded to the workflow of security event monitoring.

Currently, the Cloud Armor Adaptive Protection facility is under preview and is being tested further. As of now, the users of Cloud Armor seek configuration of individual policies for Adaptive Protection. But soon, Adaptive Protection will reach its general availability potential. And then, it will only be accessible by the customers who take up the Managed Protection Plus subscription tier.

You can go ahead and enroll your project under the managed subscription anytime! Explore the features, and you will get an idea of how to leverage the maximum potential of Cloud Armor.

Use Cases of Google Cloud Armor

As of now, you are well-versed with what is Google Cloud Armor and what features it has to offer. To give you a final knowledge of the potential of Cloud Armor, here are a few of the direct and common use cases for the same. It will help you understand the efficacy of this service by Google Cloud.

  • You have the potential to enable access for all of the users who have specific IP addresses, as per your list of allowance. 
  • You can prefer to block access for all of the select users who possess the specific IP addresses, as per your list of denial. 
  • With the WAF rules, you can protect your application deployments against layer attacks. 
  • You can seek a defense system for the DDoS attacks and also implement layer seven monitoring. 
  • Cloud Armor can address issues such as Local File Inclusion, Remote File Inclusion, SQL Injection, Cross-Site Scripting, and Remote Code Execution. 

Final Words

Adaptive protection is the forte of Cloud Armor. It allows you to enable automatic detection and mitigation of the highest level of DDoS attacks at Layer 7. This technology is what has made Cloud Armor earn a great reputation among organizations. Moreover, Cloud Armor is offering ideal support for multi-cloud and hybrid environments without much hassle.

You can seamlessly create your Named IP lists to put up a set of addresses to whom you want to allow or deny access to the application or web service. Hence, this much amount of control over your web app and service security will eventually help you focus more upon enhancing business processes rather than just worrying about strengthening the security. Adapt Cloud Armor services today!

About Girdharee Saran

Girdharee Saran has a glorious 13 years of experience transforming the way e-learning and SaaS start-ups approach digital marketing for their organisations. He has successfully chartered tangible results, which have proven beneficial. Working in the spaces of content marketing and SEO for a considerable amount of time, he is well conversant in his art. Having taken a deep interest in content and growth marketing, his urge to learn more is perpetual. His current role at Whizlabs as VP Marketing is about but not limited to driving SEO, conversion optimisation, marketing automation, link building and strategising result driven content.


Please enter your comment!
Please enter your name here