Google Cloud Armor helps you protect your Google Cloud deployments frommultiple types of threats, including distributed denial-of-service (DDoS)attacks and application attacks like cross-site scripting (XSS) and SQLinjection (SQLi). Google Cloud Armor featuressome automatic protections and some that you need to configure manually.This document provides a high-level overview of these features, several of whichare only available for global external Application Load Balancers and classic Application Load Balancers.
Security policies
Use Google Cloud Armor security policies to protect applications running behinda load balancer from distributed denial-of-service (DDoS) and other web-basedattacks, whether the applications are deployed on Google Cloud, in a hybriddeployment, or in a multi-cloud architecture. Security policies can be configuredmanually, with configurable match conditions and actions in a security policy.Google Cloud Armor also features preconfigured security policies, which covera variety of use cases. For more information, seeGoogle Cloud Armor security policy overview.
Rules language
Google Cloud Armor enables you to define prioritized rules with configurablematch conditions and actions in a security policy. A rule takes effect, meaningthat the configured action is applied, if the rule is the highest priority rulewhose attributes match the attributes of the incoming request.For more information, seeGoogle Cloud Armor custom rules language reference.
Preconfigured WAF rules
Google Cloud Armor preconfigured WAF rules are complex web application firewall (WAF)rules with dozens of signatures that are compiled from open source industrystandards. Each signature corresponds to an attack detectionrule in the rule set. Google offers these rules as-is. The rules allowGoogle Cloud Armor to evaluate dozens of distinct traffic signatures byreferring to conveniently named rules, rather than requiring you to defineeach signature manually.
Google Cloud Armor preconfigured rules help protect your web applicationsand services from common attacks from the internet and help mitigate theOWASP Top 10 risks.The rule source isModSecurity Core Rule Set 3.3.2 (CRS).
These preconfigured rules can be tuned to disable noisy or otherwise unnecessarysignatures. For more information, seeTuning Google Cloud Armor WAF rules.
Google Cloud Armor Enterprise
Cloud Armor Enterprise is the managed application protection service that helpsprotect your web applications and services from distributed denial-of-service(DDoS) attacks and other threats from the internet. Cloud Armor Enterprisefeatures always-on protections for your load balancer, and gives you access toWAF rules.
DDoS protection is automatically provided for global external Application Load Balancers,classic Application Load Balancers, and external proxy Network Load Balancers, regardless oftier. The HTTP, HTTPS, HTTP/2, and QUIC protocols are all supported. In addition,Cloud Armor Enterprise subscribers canAccess DDoS attack visibility telemetry.
For more information, seeCloud Armor Enterprise overview.
Threat Intelligence
Google Cloud Armor Threat Intelligence lets you secure yourtraffic by allowing or blocking traffic to your global external Application Load Balancers andclassic Application Load Balancers based on several categories of threat intelligence data.For more information about Threat Intelligence, seeConfiguring Threat Intelligence features.
Google Cloud Armor Adaptive Protection
Adaptive Protection helps you protect your applications and services from L7distributed denial-of-service (DDoS) attacks by analyzing patterns of traffic toyour backend services, detecting and alerting on suspected attacks, andgenerating suggested WAF rules to mitigate such attacks. These rules can betuned to meet your needs. Adaptive Protection can be enabled on a per-security policy basis, but it requires an active Cloud Armor Enterprisesubscription in the project.
For more information, seeGoogle Cloud Armor Adaptive Protection overview.
Advanced network DDoS protection
Advanced network DDoS protection provides additional protections forManaged Protection Plus subscribers who use network load balancers,protocol forwarding, or VMs with public IP addresses. Advanced network DDoS protectionprovides always-on attack monitoring and alerting, targeted attack mitigations,and mitigation telemetry. For more information, seeConfigure advanced network DDoS protection.
How Google Cloud Armor works
Google Cloud Armor provides always-on DDoS protection against network orprotocol-based volumetric DDoS attacks. This protection is for applications orservices behind load balancers. It is able to detect and mitigatenetwork attacks in order to allow only well-formed requests through the loadbalancing proxies. The security policies enforce custom Layer 7filtering policies, including pre-configured WAF rules that mitigate OWASP top 10 web application vulnerability risks. You can attach security policies to the backend services of the following load balancers:
- Global external Application Load Balancer
- Regional external Application Load Balancer
- Classic Application Load Balancer
- External proxy Network Load Balancer
- External passthrough Network Load Balancer
Google Cloud Armor security policies enable you to allow or deny access toyour deployment at the Google Cloud edge, as close as possible tothe source of incoming traffic. This prevents unwelcome traffic from consumingresources or entering your Virtual Private Cloud (VPC) networks.
The following diagram illustrates the location of the global external Application Load Balancers,classic Application Load Balancers, the Google network, and Google data centers.
You can use some or all of these features to protect your application. You canuse security policies to match against known conditions, create WAF rules toprotect against common attacks like those found in the ModSecurity Core RuleSet 3.3.2,and use Google Cloud Armor Enterprise's built-in protections against DDoS attacks.
What's next
- Examine common use cases for Google Cloud Armor
- Learn about Google Cloud Armor Enterprise
- Learn about Google Cloud Armor Adaptive Protection
