Cloud Armor is a great WAF option on GCP. However, due to it's hefty price tag (starting at $3k/month), it may not be for everyone.

Some alternatives include using custom appliances that come with built in WAFs. A particularly mature, low cost option is the NGINX load balancer appliance , which has a WAF module. All open source.

Other alternatives include F5 BigIP LoadBalancer - also with a WAF module (and an optional Application Policy Manager module).

Load Balancers protected by Cloud Armor

LBs are not smart enough to discern between malicious clients and real clients. Enter Cloud Armor - where specific IPs can be blocked.

IAP on the Load Balancer 

Can provide an additional defense by enabling IAP on the Load Balancer.

Internal or External WAF?

Note - WAFs can sit in front of internal or external load balancers.  SSL may be needed on the actual CDN that the WAF is integrated with (e.g. Cloudfront is part of AWS WAF - and a public SSL would need to go on Cloudfront)

Need a GCP Consultant?

Set up a 1 on 1 appointment with Anuj to assist with your GCP cloud journey.