Additional Website Protection using Google's Cloud Armor

Load Balancers in front of your web app are common in most IaaS or PaaS cloud deployments.

However, load balancers by themselves cannot distinguish between the types of clients allowed in.

From the VPC Flow Logs, one can detect IP addresses that are making multiple requests - and also the content of the requests. This can help identify any malicious IPs that may need to be BLOCKED.

To Block specific IP addresses (or ranges) from even accessing the load balancer, one would create a DENY POLICY in Cloud Armor. The policy needs a TARGET to apply to -

  1. Networking --> Cloud Armor
  2. For Type, select Load balancer backend service (whatever you have named the LB service).
  3. For Target, select http-backend (or whatever you have named the http backend).
  4. Click Create policy.
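As an added example (not code from the original page), the following Python script ties the two steps above together: it tallies source IPs from VPC Flow Log records, picks out those above a packet threshold, and prints the gcloud commands that do the same as the console steps. The log records are constructed in the VPC Flow Log shape (jsonPayload.connection.*, jsonPayload.packets_sent); the threshold, the policy name and the backend name are assumptions, and the 10-ranges-per-rule chunking reflects Cloud Armor's per-rule limit.

```python
# Added example; the log records below are constructed, not real traffic.
import ipaddress
import json
from collections import Counter

def _record(src, dport, proto, packets):
    # Minimal Cloud Logging line in VPC Flow Log shape (jsonPayload.connection.*)
    conn = {"src_ip": src, "dest_ip": "10.0.1.5", "dest_port": dport, "protocol": proto}
    return json.dumps({"jsonPayload": {"connection": conn, "packets_sent": packets}})

SAMPLE_LOG_LINES = [
    _record("203.0.113.7", 443, 6, 900),   # same source seen in two flows
    _record("203.0.113.7", 443, 6, 400),
    _record("198.51.100.20", 443, 6, 30),  # ordinary client, stays below threshold
    _record("2001:db8::1", 443, 6, 1500),  # IPv6 source needs a /128, not a /32
    _record("192.0.2.9", 22, 6, 5000),     # SSH, not load balancer traffic: ignored
    _record("192.0.2.9", 443, 17, 5000),   # UDP: ignored
]

def count_packets_by_source(log_lines, dest_port=443):
    """Sum (sampled) packets_sent per source IP over TCP flows to dest_port."""
    counts = Counter()
    for line in log_lines:
        payload = json.loads(line)["jsonPayload"]
        conn = payload["connection"]
        if conn.get("protocol") == 6 and conn.get("dest_port") == dest_port:
            counts[conn["src_ip"]] += int(payload.get("packets_sent", 0))
    return counts

def candidates(counts, threshold):
    """Sources at or above threshold as host CIDRs; review the list before blocking."""
    hot = []
    for ip, n in counts.items():
        if n >= threshold:
            addr = ipaddress.ip_address(ip)
            hot.append(f"{addr}/{addr.max_prefixlen}")
    return sorted(hot)

def deny_rule_commands(policy, backend, ranges, base_priority=1000, per_rule=10):
    """Create the policy, add deny rules (<= 10 ranges each), attach it to the backend."""
    cmds = [f"gcloud compute security-policies create {policy}"]
    for i in range(0, len(ranges), per_rule):
        chunk = ",".join(ranges[i:i + per_rule])
        cmds.append(f"gcloud compute security-policies rules create {base_priority + i // per_rule}"
                    f" --security-policy {policy} --src-ip-ranges {chunk} --action deny-403")
    cmds.append(f"gcloud compute backend-services update {backend}"
                f" --security-policy {policy} --global")
    return cmds

if __name__ == "__main__":
    hot = candidates(count_packets_by_source(SAMPLE_LOG_LINES), threshold=1000)
    print("\n".join(deny_rule_commands("deny-abusive-sources", "http-backend", hot)))
```

Flow logs are sampled and carry no HTTP payload, so treat the output as a shortlist to review, not an automatic block list.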

I would like to bring a custom domain

You will need an HTTPS load balancer. Configure your custom domain on the LB, then configure your backend.

How do I configure an HTTPS LB backend that is a serverless (Cloud Functions) backend?

# Enable Identity-Aware Proxy on the backend service; ID and SECRET are the OAuth 2.0 client credentials
gcloud compute backend-services update BACKEND_SERVICE_NAME \
    --iap=enabled,oauth2-client-id=ID,oauth2-client-secret=SECRET \
    --global

What if I have multiple cloud functions?
URL Mapping from the LB to each cloud function is possible.

What if I need a custom domain for my cloud functions?

Currently, the only way to map a custom domain to your HTTP/S triggered Cloud Functions is by using Firebase Hosting.

What if I want to control access to the LB?

  • Security Tip 1 - Enable Cloud Armor on the HTTPS LB
  • Security Tip 2 - Set up IAP to control who gets to access the LB (and the functions behind it)

Why use Google Cloud Armor?

  • Benefit from DDoS protection and WAF at Google scale
  • Detect and mitigate attacks against your Cloud Load Balancing workloads
  • Mitigate OWASP Top 10 risks and help protect workloads on-premises or in the cloud

Cloud Armor Pricing

This document explains Google Cloud Armor and Google Cloud Armor Managed Protection pricing details. This pricing is active, with the exception of the data processing fee, which becomes active at General Availability.

                        Standard Tier                   Plus Tier
Billing model           Pay as you go                   Subscription
Subscription price      N/A                             $3,000/month (includes up to 100 protected resources)
Protected resources     N/A                             $30/protected resource per month after initial 100
WAF HTTP requests       $0.75 per million requests      All included
WAF security policies   $5 per policy per month         All included
WAF rules               $1 per rule per month           All included
Data processing fee     None                            Yes; see the following section.
Time commitment         None                            One year

Need a GCP Consultant?

Set up a 1 on 1 appointment with Anuj to assist with your GCP cloud journey.