Last updated on March 29, 2026
Google Cloud Armor Cheat Sheet
- Help protect your applications and websites against denial of service and web attacks.
- Detect and mitigate attacks against your Cloud Load Balancing workloads.
- Mitigate OWASP Top 10 risks and help protect workloads on-premises or in the cloud.
Features
- Comes with predefined rules for protection against OWASP Top 10 risks.
- Easily monitor the metrics associated with your policies in the Cloud Monitoring dashboard.
- View suspicious traffic patterns on the Cloud Armor dashboard directly.
- Can be run in preview mode to study the effects of the defined rules on production traffic before they are enforced.
- Identify and enforce access control based on the geographic location of incoming traffic and IP addresses.
- Can protect and defend on-premises applications from DDoS and web attacks.
- Adaptive Protection: ML-based system trained locally on your applications to automatically detect and help mitigate high-volume Layer 7 DDoS attacks.
- Bot management: Native integration with reCAPTCHA Enterprise to stop fraud at the edge and provide automated protection from bots.
- Rate limiting: Rate-based rules to protect applications from large volumes of requests that flood instances and block access for legitimate users.
- Advanced network DDoS protection: Always-on attack detection and mitigation for workloads using external network load balancers, protocol forwarding, and VMs with public IP addresses.
- Named IP Lists: Allow or deny traffic based on a curated list of IP addresses.
- Google Threat Intelligence: Allow or block traffic based on threat intelligence categories (requires Cloud Armor Enterprise).
- Rich rules language: Create custom rules using any combination of L3–L7 parameters and geolocation.
- Preconfigured WAF rules: Based on OWASP Core Rule Set 3.3.2 with dozens of signatures to help mitigate OWASP Top 10 risks. Can be tuned to disable noisy signatures.
- Preview mode: Deploy rules in preview mode to understand efficacy and impact before enabling active enforcement.
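The preview-mode, preconfigured WAF and rate-limiting features above can be staged together with the gcloud CLI. The script below is an added example, not part of the original cheat sheet; the policy name, backend service name, priorities and thresholds are constructed placeholders, and it assumes a backend service behind a global external Application Load Balancer.

```shell
#!/bin/sh
# Added example: stage a Cloud Armor policy in preview, then enforce it later.
# Policy/backend names, priorities and thresholds are constructed placeholders.
POLICY="${POLICY:-example-edge-policy}"
BACKEND="${BACKEND:-example-backend-service}"

# Dry run by default: print each command. Set APPLY=1 to execute it.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

create_policy() {
  run gcloud compute security-policies create "$POLICY" \
    --description "edge policy staged in preview"
}

# Preconfigured SQLi rule set at the lowest sensitivity, in preview:
# matches are logged, but the deny action is not applied to traffic.
waf_rule_preview() {
  run gcloud compute security-policies rules create 1000 \
    --security-policy "$POLICY" \
    --expression "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})" \
    --action deny-403 --preview
}

# Per-client-IP throttle: up to 100 requests per 60 s, HTTP 429 beyond that.
rate_limit_preview() {
  run gcloud compute security-policies rules create 2000 \
    --security-policy "$POLICY" --src-ip-ranges "*" \
    --action throttle \
    --rate-limit-threshold-count 100 \
    --rate-limit-threshold-interval-sec 60 \
    --conform-action allow --exceed-action deny-429 \
    --enforce-on-key IP --preview
}

# Attach the policy to a global backend service (assumed load balancer type).
attach_policy() {
  run gcloud compute backend-services update "$BACKEND" \
    --security-policy "$POLICY" --global
}

# After reviewing preview matches in the logs, enforce one rule by priority.
enforce_rule() {
  run gcloud compute security-policies rules update "$1" \
    --security-policy "$POLICY" --no-preview
}

create_policy && waf_rule_preview && rate_limit_preview && attach_policy
```

Keep each rule in preview until the request logs show what it would have matched, then call `enforce_rule` with that rule's priority.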
Cloud Armor Enterprise
- Managed application protection service with always-on DDoS protection for global external Application Load Balancers, classic Application Load Balancers, and external proxy Network Load Balancers.
- Supports HTTP, HTTPS, HTTP/2, and QUIC protocols.
- Includes access to DDoS attack visibility telemetry.
- Requires an active subscription to use Adaptive Protection.
Supported Load Balancers
You can attach Cloud Armor security policies to backend services of:
- All external Application Load Balancers (including classic)
- Regional internal Application Load Balancer
- Global external proxy Network Load Balancer (TCP/SSL)
- Classic proxy Network Load Balancer (TCP/SSL)
- External passthrough Network Load Balancer (TCP/UDP)
Pricing
Google Cloud Armor is offered in two service tiers:
- Standard tier: Charges apply for security policies and rules, including well-formed L7 requests evaluated by a security policy.
- Enterprise tier: Subscription-based pricing. Includes DDoS and WAF services, curated rule sets, and access to Adaptive Protection and attack visibility telemetry.
For current pricing details, refer to the official Google Cloud Armor pricing page.
Google Cloud Armor Cheat Sheet References:
https://cloud.google.com/armor
https://cloud.google.com/armor/docs/cloud-armor-overview












