Cloud Armor

Protecting Web Apps using Cloud Armor

Cloud Armor is an enterprise-grade DDoS protection service and web application firewall (WAF) designed to protect your web applications from denial-of-service and other web attacks. Cloud Armor protects web apps deployed on GCP, on-prem, or on third-party cloud providers. It draws on Google’s extensive experience in protecting its key services, such as Google Search, YouTube, and Gmail, to deliver built-in defense against L3 and L4 DDoS attacks at Google scale. It is also equipped to mitigate OWASP’s top 10 risks. It is integrated with the global load balancing infrastructure, and it secures Cloud CDN-enabled workloads. How exactly does this service protect your web apps?

Cloud Armor has no fixed procedure for handling threats. It has a machine learning system, which you train on your HTTP-fronted web apps to automatically detect and combat high-volume L7 DDoS attacks. In this way, Cloud Armor’s protection is adaptive. For common web app vulnerabilities and OWASP’s top 10 risks, Cloud Armor has pre-configured WAF rules to protect your applications. This service is also integrated with reCAPTCHA Enterprise to provide automated protection against bots.

You can also filter incoming requests by geography. The service also gives you access to real-time telemetry in the form of logs, sent directly to Cloud Logging. These record Cloud Armor’s decisions on a per-request basis.
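The per-request decisions in those logs can be summarized offline, as in this added example (not part of the original page or of Google's tooling). It assumes log entries exported as JSON lines, with Cloud Armor's verdict under jsonPayload.enforcedSecurityPolicy; the sample entries, the policy name edge-policy and the rule priorities are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample entries (not real traffic). The field layout
# (jsonPayload.enforcedSecurityPolicy with name/priority/outcome/
# preconfiguredExprIds) is an assumption to verify against your own export.
SAMPLE_LOGS = """
{"httpRequest": {"remoteIp": "198.51.100.7", "status": 403}, "jsonPayload": {"enforcedSecurityPolicy": {"name": "edge-policy", "priority": 1000, "configuredAction": "DENY", "outcome": "DENY", "preconfiguredExprIds": ["owasp-crs-v030001-id942130-sqli"]}}}
{"httpRequest": {"remoteIp": "198.51.100.7", "status": 403}, "jsonPayload": {"enforcedSecurityPolicy": {"name": "edge-policy", "priority": 2000, "configuredAction": "DENY", "outcome": "DENY"}}}
{"httpRequest": {"remoteIp": "203.0.113.9", "status": 200}, "jsonPayload": {"enforcedSecurityPolicy": {"name": "edge-policy", "priority": 2147483647, "configuredAction": "ACCEPT", "outcome": "ACCEPT"}}}
{"httpRequest": {"remoteIp": "203.0.113.20", "status": 200}, "jsonPayload": {}}
"""

def summarize(lines):
    """Count outcomes, denied client IPs, and which rule caused each denial."""
    outcomes = Counter()
    denied_by_ip = Counter()
    rules_hit = defaultdict(Counter)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        policy = entry.get("jsonPayload", {}).get("enforcedSecurityPolicy")
        if not policy:
            # Request reached a backend with no security policy attached.
            outcomes["NO_POLICY"] += 1
            continue
        outcome = policy.get("outcome", "UNKNOWN")
        outcomes[outcome] += 1
        if outcome != "DENY":
            continue
        ip = entry.get("httpRequest", {}).get("remoteIp", "unknown")
        denied_by_ip[ip] += 1
        # WAF rules report signature ids; other rules (for example a
        # geography filter) are identified here by their priority.
        ids = policy.get("preconfiguredExprIds") or [f"priority-{policy.get('priority')}"]
        for rule_id in ids:
            rules_hit[policy.get("name", "unknown")][rule_id] += 1
    return {
        "outcomes": dict(outcomes),
        "denied_by_ip": dict(denied_by_ip),
        "rules_hit": {name: dict(hits) for name, hits in rules_hit.items()},
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOGS.splitlines()), indent=2))
```

Entries counted as NO_POLICY are worth reviewing first, since they indicate backends that traffic reaches without any Cloud Armor policy being evaluated.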

Cloud Armor for Cloud CDN

Cloud Armor for Cloud CDN initiates protection from the origin server level. Backend services with Cloud CDN enabled can be protected by Cloud Armor. Cloud CDN plays an important role in caching data at the edge of Google’s network to make content available to users quickly and at a cheaper serving cost. This means that Cloud CDN will handle serving requests for web apps’ static content during an attack, but for dynamic content, requests have to go to the origin server. To prevent unwelcome requests from overwhelming the origin server’s resources, you need a WAF service coupled with L7 filtering policies to minimize risk and prevent DDoS.

This is where Cloud Armor comes in: you can configure its security policies to protect backend services with Cloud CDN enabled. These policies are enforced for every request destined for the origin server, including requests for static content that miss the cache. Cloud Armor can inspect and filter requests after SSL termination. All of this can be enabled in your Google Cloud Load Balancing configuration.

As a large enterprise, it is impossible to have all your web apps on a single public cloud or VPC. It is common to have services spread across multiple clouds. In addition, some services have local data processing, data sovereignty, and regional compliance needs, which prevent them from moving completely to the cloud. Even with services spread across hybrid and multiple clouds, security needs to be consistent across all deployments.

You can now use Cloud Armor to defend and maintain the availability of all your deployments anywhere, provided they are accessible over the public internet. Just like Cloud Armor for CDN, this is also configurable on the Google Cloud Load Balancing backend. You can now safely deploy web apps on-prem, in the cloud, and in hybrid cloud environments.
