GCP Cloud Armor and DDoS Protection
Cloud Armor is GCP's managed Web Application Firewall (WAF) and Distributed Denial of Service (DDoS) mitigation service. It protects applications running behind the Global External Application Load Balancer by inspecting incoming requests and blocking malicious traffic before it reaches the backend. Cloud Armor works at Google's global network edge — the same infrastructure that absorbs billions of attack requests targeting Google's own services every day.
What is DDoS?
A Distributed Denial of Service (DDoS) attack floods an application with millions of fake requests from thousands of different machines. The goal is to exhaust the server's resources — CPU, memory, or bandwidth — so it cannot respond to legitimate users.
DDoS Attack:
Botnet (100,000 compromised machines)
│ Each sends 1,000 requests/second
▼
Application receives 100,000,000 requests/sec
▼
Server resources exhausted → Application goes offline
▼
Legitimate users cannot access the site ✗
With Cloud Armor:
Botnet ──▶ Google's Global Network Edge
│ Cloud Armor detects attack pattern
│ Blocks traffic at edge (never reaches backend)
▼
Backend receives only legitimate traffic ✓
Cloud Armor Security Policies
A security policy is a collection of rules that define which traffic to allow or block. Security policies are attached to backend services of a load balancer.
Security Policy: "my-app-policy" ├── Rule Priority 1000: Block IPs from known bad actors ├── Rule Priority 2000: Block requests matching SQL injection patterns ├── Rule Priority 3000: Block requests from specific countries ├── Rule Priority 4000: Rate limit per IP to 100 req/min └── Rule Priority 65535: Allow all other traffic (default allow)
Rules are evaluated from lowest priority number to highest. The first matching rule's action (allow or deny) is applied.
Creating and Configuring Cloud Armor
# Create an empty security policy gcloud compute security-policies create my-app-policy \ --description="WAF policy for my web application" # Attach the policy to a backend service gcloud compute backend-services update my-web-backend \ --security-policy=my-app-policy \ --global
Rule Examples
# Block a specific IP address gcloud compute security-policies rules create 100 \ --security-policy=my-app-policy \ --action=deny-403 \ --src-ip-ranges=203.0.113.55/32 \ --description="Block a known malicious IP" # Block an entire IP range (CIDR) gcloud compute security-policies rules create 200 \ --security-policy=my-app-policy \ --action=deny-403 \ --src-ip-ranges=203.0.113.0/24 # Allow only traffic from India (IN) and deny all others gcloud compute security-policies rules create 300 \ --security-policy=my-app-policy \ --action=allow \ --expression="origin.region_code == 'IN'" gcloud compute security-policies rules create 400 \ --security-policy=my-app-policy \ --action=deny-403 \ --expression="origin.region_code != 'IN'" # Rate limit: max 100 requests per minute per IP gcloud compute security-policies rules create 500 \ --security-policy=my-app-policy \ --action=throttle \ --src-ip-ranges=0.0.0.0/0 \ --rate-limit-threshold-count=100 \ --rate-limit-threshold-interval-sec=60 \ --conform-action=allow \ --exceed-action=deny-429
Pre-Configured WAF Rules
Cloud Armor includes pre-configured rule sets based on the OWASP (Open Web Application Security Project) Top 10. These rules detect and block the most common web application attacks without writing custom expressions.
| Rule Set | Attacks Blocked |
|---|---|
| sqli-v33-stable | SQL Injection — malicious SQL code in requests |
| xss-v33-stable | Cross-Site Scripting — injecting malicious JavaScript |
| lfi-v33-stable | Local File Inclusion — accessing server files |
| rfi-v33-stable | Remote File Inclusion — loading malicious remote files |
| rce-v33-stable | Remote Code Execution — running arbitrary commands |
| scannerdetection-v33-stable | Vulnerability scanner detection |
# Enable OWASP SQL injection protection
gcloud compute security-policies rules create 1000 \
--security-policy=my-app-policy \
--action=deny-403 \
--expression="evaluatePreconfiguredExpr('sqli-v33-stable')"
# Enable XSS protection
gcloud compute security-policies rules create 1100 \
--security-policy=my-app-policy \
--action=deny-403 \
--expression="evaluatePreconfiguredExpr('xss-v33-stable')"
Custom Match Expressions
Cloud Armor uses a Common Expression Language (CEL) for custom rules. These rules match on request headers, URL paths, query parameters, and geo-location.
# Block requests with a specific User-Agent (common for bots)
gcloud compute security-policies rules create 600 \
--security-policy=my-app-policy \
--action=deny-403 \
--expression="request.headers['user-agent'].contains('curl')"
# Block requests to a specific path from outside a CIDR range
gcloud compute security-policies rules create 700 \
--security-policy=my-app-policy \
--action=deny-403 \
--expression="request.path.startsWith('/admin') && !inIpRange(origin.ip, '10.0.0.0/8')"
# Block requests without a specific header (e.g., internal API key header)
gcloud compute security-policies rules create 800 \
--security-policy=my-app-policy \
--action=deny-403 \
--expression="!request.headers.exists(h, h == 'x-internal-key')"
Adaptive Protection
Cloud Armor Adaptive Protection uses machine learning to analyze traffic patterns and automatically detect volumetric DDoS attacks. When an attack is detected, it suggests custom rules that can be deployed with one click to mitigate the attack in real time.
Adaptive Protection Flow:
Normal traffic baseline established
│
│ Attack begins: 10x traffic spike from unusual IPs
▼
Adaptive Protection ML model detects anomaly
│
▼
Alert generated: "Possible DDoS attack detected. Suggested rule:"
│
▼
Suggested rule: Block src-ip-ranges=X.X.X.0/24 (confidence: 94%)
│
▼
Operator clicks "Deploy Rule" → Attack mitigated within seconds
# Enable Adaptive Protection on a security policy gcloud compute security-policies update my-app-policy \ --enable-layer7-ddos-defense
Monitoring Cloud Armor
Cloud Armor provides detailed metrics in Cloud Monitoring and request logs in Cloud Logging.
Useful Cloud Armor metrics:
├── networksecurity.googleapis.com/https/request_count
│ (Requests allowed vs denied by rule)
└── networksecurity.googleapis.com/https/rule_evaluation_count
(Number of rule evaluations per second)
Cloud Logging filter to see blocked requests:
jsonPayload.enforcedSecurityPolicy.outcome="DENY"
Cloud Armor Tiers
| Tier | Features | Pricing |
|---|---|---|
| Standard | Basic DDoS, IP allow/deny, geo-based rules | Free (included with Global LB) |
| Cloud Armor Enterprise (formerly Plus) | OWASP WAF rules, Adaptive Protection, advanced DDoS response | $3,000/month per project + request fees |
Key Takeaways
- Cloud Armor protects applications at Google's global network edge — blocking attacks before they reach backend servers.
- Security policies contain ordered rules that allow, deny, or throttle traffic based on IP, geo-location, or request attributes.
- Lower priority numbers are evaluated first — the first matching rule wins.
- Pre-configured OWASP rule sets instantly protect against SQL injection, XSS, and other common attacks.
- Custom CEL expressions enable fine-grained rules based on headers, URL paths, and request parameters.
- Adaptive Protection uses ML to detect volumetric DDoS attacks and suggest mitigation rules automatically.