Cloud Armor and other WAF Options on GCP
Edge Security Use Case
Sample Use Case - Allow only external traffic proxied through the global external Application Load Balancer (with an associated security policy) to reach the backend instances.
Google Cloud Armor security policies protect your application by providing Layer 7 filtering and by scrubbing incoming requests for common web attacks or other Layer 7 attributes to potentially block traffic before it reaches your load-balanced backend services or backend buckets.
Alternatives to Cloud Armor
Cloud Armor is a great WAF option on GCP. However, due to its hefty price tag (starting at $3k/month), it may not be for everyone.
Some alternatives are self-managed appliances that come with a built-in WAF. A particularly mature, low-cost option is the NGINX load balancer appliance, which has a WAF module; all of it is open source.
Other alternatives include the F5 BIG-IP load balancer, which also has a WAF module (and an optional Application Policy Manager module).
Load Balancers protected by Cloud Armor
Load balancers on their own cannot tell malicious clients from legitimate ones. Cloud Armor fills that gap: a security policy attached to the load balancer can block specific IPs before their requests reach the backends.
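The use case above, expressed as gcloud commands, is an added example and not code from the original page or from Google: it creates a Cloud Armor security policy with an IP-block rule and a preconfigured WAF rule in preview mode, attaches the policy to the backend service behind the global external Application Load Balancer, and adds a VPC firewall rule so the backend VMs accept traffic only from Google's documented proxy and health-check ranges. The project, network, backend service, policy and network-tag names are assumptions, and the blocked range is a constructed RFC 5737 example. Setting GCLOUD=echo prints the commands instead of running them, which is a convenient way to review the change before applying it.

```shell
#!/bin/sh
# Added example (not from the original page): implement the edge-security use case with gcloud.
# All names below are assumptions; override them through the environment.
PROJECT="${PROJECT:-my-project}"                   # assumption
NETWORK="${NETWORK:-default}"                      # assumption
BACKEND_SERVICE="${BACKEND_SERVICE:-web-backend}"  # assumption: existing global backend service
POLICY="${POLICY:-edge-policy}"                    # assumption
BACKEND_TAG="${BACKEND_TAG:-web-backend}"          # assumption: network tag carried by backend VMs
BLOCKED_RANGE="${BLOCKED_RANGE:-203.0.113.0/24}"   # constructed example range (RFC 5737)
# GCLOUD=echo turns every function into a dry run that prints the command it would execute.
GCLOUD="${GCLOUD:-gcloud}"

# Documented source ranges of Google's global external proxies and health checkers.
GFE_RANGES="130.211.0.0/22,35.191.0.0/16"

create_policy() {
  $GCLOUD compute security-policies create "$POLICY" \
    --project "$PROJECT" \
    --description "Edge policy for the global external ALB"
}

# Priority 1000: drop a known-bad client range at the edge (per-IP blocking).
add_ip_block_rule() {
  $GCLOUD compute security-policies rules create 1000 \
    --project "$PROJECT" --security-policy "$POLICY" \
    --src-ip-ranges "$BLOCKED_RANGE" --action deny-403 \
    --description "block constructed bad range"
}

# Priority 2000: preconfigured SQL-injection WAF rule. --preview only logs matches, so the
# rule can be validated against real traffic before it is switched to enforcement.
add_waf_rule() {
  $GCLOUD compute security-policies rules create 2000 \
    --project "$PROJECT" --security-policy "$POLICY" \
    --expression "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})" \
    --action deny-403 --preview \
    --description "SQLi preconfigured WAF rule (preview)"
}

# Bind the policy to the backend service that the global external ALB fronts.
attach_policy() {
  $GCLOUD compute backend-services update "$BACKEND_SERVICE" \
    --project "$PROJECT" --global --security-policy "$POLICY"
}

# Backend VMs accept HTTP/HTTPS only from the proxy and health-check ranges; the VPC's implicit
# deny-all ingress rule then stops any client that tries to bypass the load balancer.
restrict_backend_ingress() {
  $GCLOUD compute firewall-rules create "allow-lb-to-${BACKEND_TAG}" \
    --project "$PROJECT" --network "$NETWORK" --direction INGRESS \
    --source-ranges "$GFE_RANGES" --target-tags "$BACKEND_TAG" \
    --allow tcp:80,tcp:443
}

apply_all() {
  create_policy && add_ip_block_rule && add_waf_rule && attach_policy && restrict_backend_ingress
}

# Run with "apply" as the first argument to execute; sourcing the file only defines the functions.
if [ "${1:-}" = "apply" ]; then
  apply_all
fi
```

The firewall rule is the part that actually enforces "only through the load balancer": the Cloud Armor policy filters what the proxies forward, but without the ingress restriction a client that learns a backend's address could still reach it directly.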
Can you use IAP on the Load Balancer ?
Yes. Enabling Identity-Aware Proxy (IAP) on the load balancer provides an additional layer of defense.
How do you troubleshoot cloud armor?
Enable request logging, enable logging on the load balancer as well, and forward the resulting logs to a sink of your choice so they can be analyzed.
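What that troubleshooting looks like in practice, as an added example that is not from the original page or from Google: the script below enables logging on the backend service, keeps a Logs Explorer filter for requests the policy denied, and summarizes load-balancer log lines by the Cloud Armor decision they carry. The field names (httpRequest, jsonPayload.enforcedSecurityPolicy, jsonPayload.previewSecurityPolicy, statusDetails) follow the documented load-balancer log schema; the three log lines are constructed for the example, not captured from a real project, and the project, backend service and policy names are assumptions. The parser uses only sed and grep so it works on a plain shell without jq.

```shell
#!/bin/sh
# Added example (not from the original page): triage Cloud Armor decisions in LB request logs.
PROJECT="${PROJECT:-my-project}"                   # assumption
BACKEND_SERVICE="${BACKEND_SERVICE:-web-backend}"  # assumption
GCLOUD="${GCLOUD:-gcloud}"                         # GCLOUD=echo prints commands instead of running them

# Cloud Armor decisions appear in the load balancer's request logs, which are off until
# logging is enabled on the backend service (sample rate 1.0 = log every request).
enable_backend_logging() {
  $GCLOUD compute backend-services update "$BACKEND_SERVICE" \
    --project "$PROJECT" --global --enable-logging --logging-sample-rate=1
}

# Filter for Logs Explorer or `gcloud logging read`: requests the enforced policy denied.
ARMOR_DENY_FILTER='resource.type="http_load_balancer" AND jsonPayload.enforcedSecurityPolicy.outcome="DENY"'
read_denied_logs() {
  $GCLOUD logging read "$ARMOR_DENY_FILTER" --project "$PROJECT" --limit 50 --format json
}

# Constructed sample log lines (one JSON object per line), shaped like LB request log entries:
# 1) denied by rule 1000, 2) allowed by the default rule, 3) allowed, but a preview rule matched.
SAMPLE_LOGS='{"httpRequest":{"remoteIp":"203.0.113.7","requestUrl":"https://www.example.com/login?user=a%27%20OR%201=1--","status":403},"jsonPayload":{"statusDetails":"denied_by_security_policy","enforcedSecurityPolicy":{"name":"edge-policy","outcome":"DENY","priority":1000,"configuredAction":"DENY"}}}
{"httpRequest":{"remoteIp":"198.51.100.20","requestUrl":"https://www.example.com/","status":200},"jsonPayload":{"statusDetails":"response_sent_by_backend","enforcedSecurityPolicy":{"name":"edge-policy","outcome":"ACCEPT","priority":2147483647,"configuredAction":"ALLOW"}}}
{"httpRequest":{"remoteIp":"198.51.100.21","requestUrl":"https://www.example.com/search?q=1%20UNION%20SELECT","status":200},"jsonPayload":{"statusDetails":"response_sent_by_backend","enforcedSecurityPolicy":{"name":"edge-policy","outcome":"ACCEPT","priority":2147483647,"configuredAction":"ALLOW"},"previewSecurityPolicy":{"name":"edge-policy","outcome":"DENY","priority":2000,"configuredAction":"DENY"}}}'

# section NAME LINE -> the contents of the flat object "NAME":{...}, empty when absent
section() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\":{\([^}]*\)}.*/\1/p"
}
# field KEY OBJECT -> the value of "KEY":"..." or "KEY":123 inside a flat object
field() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\":\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# summarize_armor_decisions < log lines -> one line per request:
#   remoteIp status enforced:OUTCOME/PRIORITY [preview:OUTCOME/PRIORITY] statusDetails
summarize_armor_decisions() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    req=$(section httpRequest "$line")
    enf=$(section enforcedSecurityPolicy "$line")
    prev=$(section previewSecurityPolicy "$line")
    out="$(field remoteIp "$req") $(field status "$req") enforced:$(field outcome "$enf")/$(field priority "$enf")"
    [ -z "$prev" ] || out="$out preview:$(field outcome "$prev")/$(field priority "$prev")"
    printf '%s %s\n' "$out" "$(field statusDetails "$line")"
  done
}

# count_denied < log lines -> number of requests the enforced policy actually blocked
count_denied() {
  summarize_armor_decisions | grep -c ' enforced:DENY/'
}

# preview_would_deny < log lines -> requests a preview-mode rule would have blocked; review these
# for false positives before promoting the rule from preview to enforcement
preview_would_deny() {
  summarize_armor_decisions | grep ' preview:DENY/'
}

# Usage on the constructed sample:
#   printf '%s\n' "$SAMPLE_LOGS" | summarize_armor_decisions
#   printf '%s\n' "$SAMPLE_LOGS" | preview_would_deny
```

The preview column is the one worth watching during rollout: a rule in preview mode never blocks anything, so the only evidence that it is tuned correctly is the set of requests it would have denied.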
Cloud Armor - Types of Endpoints Supported
Google Cloud Armor security policies are available for the following load balancer and endpoint types:
- Global external Application Load Balancer (HTTP/HTTPS)
- Classic Application Load Balancer (HTTP/HTTPS)
- Regional external Application Load Balancer (HTTP/HTTPS)
- Classic proxy Network Load Balancer (TCP/SSL)
- External passthrough Network Load Balancer (TCP/UDP)
- Protocol forwarding
- VMs with public IP addresses
Types of Backends Supported
The backends to the backend service can be any of the following:
- Instance groups
- Zonal network endpoint groups (NEGs)
- Serverless NEGs: One or more App Engine, Cloud Run, or Cloud Functions services
- Internet NEGs for external backends
- Buckets in Cloud Storage
Internal or External WAF?
Note - a WAF can sit in front of either internal or external load balancers. A TLS/SSL certificate may be needed on the CDN the WAF is integrated with (e.g. AWS WAF attaches to CloudFront, so a public certificate would need to be installed on the CloudFront distribution).