
Cloud Armor: WAF and DDoS Protection


Master Google Cloud Armor for web application security. Learn to mitigate OWASP Top 10 risks, implement bot management, and leverage ML-based Adaptive Protection for PSE-level defense.


Introduction to Cloud Armor

In the modern threat landscape, Layer 3 and Layer 4 firewalls are not enough to protect web applications from sophisticated attacks. Google Cloud Armor is an enterprise-grade Web Application Firewall (WAF) and Distributed Denial of Service (DDoS) protection service that leverages the same infrastructure Google uses to protect Search, Gmail, and YouTube.

For a Professional Cloud Security Engineer (PSE), Cloud Armor is the primary shield for internet-facing applications. It provides deep inspection of HTTP(S) traffic, mitigates OWASP Top 10 risks (like SQLi and XSS), and uses machine learning to detect and block volumetric attacks before they reach your backend services.

Plain English Explanation

1. The Supercharged Security Scanner (WAF)

VPC Firewalls are like checking IDs at the gate. Cloud Armor is like a High-Tech X-ray Scanner at an airport. It doesn't just look at the ID (IP address); it looks inside the suitcases (HTTP payloads) to find hidden weapons (SQL injection strings or malicious scripts) that a simple gate check would miss.

2. The Flood Gate (DDoS Protection)

Imagine a massive wave (DDoS attack) hitting a small island. Without protection, the island is submerged. Cloud Armor acts as a Gigantic Sea Wall (Google's Global Edge) that absorbs the impact of the wave. Even if the wave is millions of requests per second, the sea wall is built to handle it, keeping the inland villages (your backend VMs) dry and safe.

3. The Intelligent Doorman (Adaptive Protection)

Think of a doorman who learns. On a normal day, they know what typical guests look like. If suddenly a thousand people wearing the same weird hat try to enter at once, the doorman notices the anomaly (Adaptive Protection) and blocks them, even if they aren't on a "banned list" yet.

OWASP Top 10 Mitigation with Preconfigured Rules

Cloud Armor provides Preconfigured WAF Rules that are easy to enable and cover common attack vectors.

  • SQL Injection (SQLi): Prevents attackers from executing malicious SQL statements.
  • Cross-Site Scripting (XSS): Blocks scripts that attempt to hijack user sessions.
  • Local File Inclusion (LFI): Prevents access to sensitive files on the server.
  • Remote Code Execution (RCE): Blocks attempts to run unauthorized commands.

Cloud Armor Security Policies are sets of rules that define how traffic should be handled (Allow, Deny, Rate Limit) based on IP, geography, or the content of the request.

L7 Security Policies and Bot Management

Cloud Armor operates at Layer 7 (Application Layer), meaning it understands URLs, headers, and cookies.

Bot Management

Not all bots are bad (e.g., Googlebot), but many are (e.g., scrapers, credential stuffers).

  • reCAPTCHA Enterprise Integration: Cloud Armor can trigger a reCAPTCHA challenge. If the user fails, the request is blocked at the edge.
  • Bot Detection: Identifies and blocks automated traffic using behavioral analysis and known bot signatures.

IP Allow/Deny Lists and Geo-Blocking

Sometimes you want to block traffic from an entire country or only allow traffic from your partner's specific IP range.

  • IP Rules: origin.ip == '1.2.3.4'
  • Geo-Blocking: origin.region_code == 'CN' to match a single country, or origin.region_code != 'US' to match every country except one.

Cloud Armor rules are applied at the Global Edge, which means malicious traffic is dropped far away from your VPC, saving you bandwidth and compute costs.

Managed Protection Plus

Cloud Armor offers two tiers: Standard and Managed Protection Plus.

Managed Protection Plus Features:

  • DDoS Response Team (DRT): 24/7 access to Google's security experts during an attack.
  • Predictable Pricing: Protection against "bill shock" caused by massive DDoS attacks (bill credits for egress costs).
  • Advanced Bot Management: More granular control over automated traffic.

PSE scenarios that mention "mission-critical app", "DDoS bill shock protection", or "24/7 DRT access during an attack" expect Managed Protection Plus, not the Standard tier. Standard ships preconfigured WAF rules and basic L3/L4 DDoS, but only Plus gives you egress bill credits, Adaptive Protection telemetry across all backend services, and a direct line to the Google DDoS Response Team.

Adaptive Protection for ML-Based Anomaly Detection

Adaptive Protection uses Machine Learning to protect your applications from sophisticated Layer 7 DDoS attacks.

  1. Learns Baseline: It monitors normal traffic patterns to your backend services.
  2. Detects Anomalies: It identifies a sudden spike in traffic that looks like an attack.
  3. Proposes Rules: It automatically generates a WAF rule and alerts you.
  4. One-Click Mitigation: You can apply the proposed rule with a single click to block the attack.

Securing Backend Services with Load Balancers

Cloud Armor is attached to Global External HTTP(S) Load Balancers or Network Load Balancers.

Workflow:

Traffic → Global Edge (Cloud Armor) → GCLB → Backend Service (Instance Group/Cloud Run/GKE).

For GKE users, you can manage Cloud Armor policies using BackendConfig CRDs, allowing you to define security rules directly in your Kubernetes manifests.

Custom Rules and CEL Expressions

For unique security needs, you can write custom rules using Common Expression Language (CEL).

Examples:

  • Block specific User-Agent: request.headers['user-agent'].contains('BadBot')
  • Allow only specific Cookie: has(request.headers['cookie']) && request.headers['cookie'].contains('auth_token')
  • Rate limit by IP: match on request.path.matches('/login') and pair the rule with a rate-limiting action (for example, 10 requests per minute per client IP).

Cloud Armor Edge Security Policies

While standard policies apply to backend services, Edge Security Policies apply to Cloud Storage (GCS) buckets or Cloud CDN content.

  • Use this to prevent unauthorized access to your static assets or cached data.

Rate Limiting and Throttling

To prevent "Brute Force" or "Inventory Hoarding" attacks, use Rate Limiting.

  • Throttle: Slow down the request rate (e.g., allow 10 requests per second, delay others).
  • Rate-based Ban: If a user exceeds a threshold, ban them for 5 minutes.

Cloud Armor preconfigured WAF rule IDs are versioned and exam-testable: enable SQLi with evaluatePreconfiguredExpr('sqli-v33-stable') and XSS with xss-v33-stable, both added with gcloud compute security-policies rules create and --action=deny-403. Edge Security Policies are the only policy type that attaches to Cloud CDN and Cloud Storage backend buckets; standard (backend) security policies cannot.

Be careful with Rate Limiting for users behind a NAT IP. A single IP might represent hundreds of legitimate users (e.g., an office). Use cookies or other headers to identify unique users when possible.
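As an added example (not from this page and not Cloud Armor's own code), the following Python models a rate-based ban rule over constructed traffic to show the NAT caveat: keyed on the client IP (the default enforce-on-key), thirty office users behind one NAT address are banned together with the brute-forcer; keyed on a per-user session cookie, only the brute-forcer is. The RateBasedBan class, the threshold of 10 requests per 60 seconds, the 300-second ban and the "session" field are assumptions for illustration.

```python
from collections import defaultdict, deque

class RateBasedBan:
    """Simplified model (an assumption, not Cloud Armor's code) of a
    rate-based-ban rule: more than `threshold` requests under one key
    within `interval_s` seconds bans that key for `ban_s` seconds."""
    def __init__(self, key_fn, threshold, interval_s, ban_s):
        self.key_fn, self.threshold = key_fn, threshold
        self.interval_s, self.ban_s = interval_s, ban_s
        self.window = defaultdict(deque)   # recent timestamps per key
        self.banned_until = {}             # key -> end of ban

    def decide(self, req):
        key, t = self.key_fn(req), req["t"]
        if self.banned_until.get(key, -1) > t:
            return "deny"                  # still inside the ban window
        q = self.window[key]
        q.append(t)
        while q and q[0] <= t - self.interval_s:
            q.popleft()                    # drop timestamps outside the interval
        if len(q) > self.threshold:
            self.banned_until[key] = t + self.ban_s
            q.clear()
            return "deny"
        return "allow"

# Constructed traffic: 30 office users share NAT IP 198.51.100.10 and each
# log in once within 15 s; one client at 203.0.113.5 hits /login 40 times.
OFFICE = [{"t": i * 0.5, "ip": "198.51.100.10", "session": f"user{i}"}
          for i in range(30)]
BRUTE = [{"t": i * 0.25, "ip": "203.0.113.5", "session": "single"}
         for i in range(40)]
TRAFFIC = sorted(OFFICE + BRUTE, key=lambda r: r["t"])

def denials_by_source(key_name, threshold=10, interval_s=60, ban_s=300):
    """Run the rule keyed on `key_name` ('ip' or 'session') and return
    how many requests from each source IP were denied."""
    policy = RateBasedBan(lambda r: r[key_name], threshold, interval_s, ban_s)
    counts = defaultdict(int)
    for req in TRAFFIC:
        if policy.decide(req) == "deny":
            counts[req["ip"]] += 1
    return dict(counts)

if __name__ == "__main__":
    print("keyed on IP:     ", denials_by_source("ip"))
    print("keyed on session:", denials_by_source("session"))
```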

Integration with reCAPTCHA Enterprise

Cloud Armor can seamlessly redirect suspicious traffic to a reCAPTCHA challenge.

  1. User makes a request.
  2. Cloud Armor detects "Bot-like" behavior.
  3. Cloud Armor serves a reCAPTCHA page.
  4. Only if the user passes the challenge is the request forwarded to the backend.

CLI Commands for Cloud Armor

Creating a Security Policy

gcloud compute security-policies create my-waf-policy \
    --description="Basic WAF with SQLi protection"

Adding a SQLi Rule

gcloud compute security-policies rules create 1000 \
    --security-policy=my-waf-policy \
    --expression="evaluatePreconfiguredExpr('sqli-v33-stable')" \
    --action=deny-403

Attaching to a Backend Service

gcloud compute backend-services update my-backend \
    --security-policy=my-waf-policy \
    --global

Security Best Practices for PSE

  1. Defense in Depth: Use Cloud Armor at the edge and VPC Firewalls at the VM level.
  2. Preview Mode: Always use PREVIEW mode for new rules to see if they block legitimate traffic before switching to ENFORCE.
  3. Enable Logging: Enable logging for your security policies to analyze blocked attacks in Cloud Logging.
  4. Use Managed Protection Plus: For mission-critical applications to get DDoS cost protection and DRT support.
  5. Restrict Backend IPs: Configure your backend VMs to only allow traffic from the Load Balancer IP ranges to prevent attackers from bypassing Cloud Armor.

Troubleshooting Scenarios

Scenario: Legitimate users are getting 403 Forbidden errors

Diagnosis: One of your WAF rules is too broad (False Positive). Check Cloud Logging to see which rule ID is triggering the denial. Fix: Put the rule in PREVIEW mode, refine the expression (perhaps add an exception for a specific URL), and then re-enforce.
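To put the logging and Preview Mode advice above into practice, here is an added example (not from this page and not Google's code) that triages Cloud Armor entries from the load balancer request log: it counts enforced denials per rule priority, counts what a PREVIEW rule would have denied, and lists the paths each rule hit so a run of 403s can be traced back to the responsible rule. The field names enforcedSecurityPolicy, previewSecurityPolicy, outcome, priority and preconfiguredExprIds follow the request-log schema; the log lines, the policy name and the known-good path list are constructed for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed request-log entries, reduced to the fields Cloud Armor adds:
# enforcedSecurityPolicy is the rule that decided the request, and
# previewSecurityPolicy is a PREVIEW-mode rule that would have matched.
SAMPLE_LOG = """
{"httpRequest": {"status": 403, "requestUrl": "https://shop.example/search?q=O'Reilly", "remoteIp": "203.0.113.7"}, "jsonPayload": {"enforcedSecurityPolicy": {"name": "my-waf-policy", "outcome": "DENY", "priority": 1000, "configuredAction": "DENY", "preconfiguredExprIds": ["owasp-crs-v030001-id942100-sqli"]}}}
{"httpRequest": {"status": 200, "requestUrl": "https://shop.example/", "remoteIp": "203.0.113.8"}, "jsonPayload": {"enforcedSecurityPolicy": {"name": "my-waf-policy", "outcome": "ACCEPT", "priority": 2147483647, "configuredAction": "ALLOW"}}}
{"httpRequest": {"status": 200, "requestUrl": "https://shop.example/api/export", "remoteIp": "198.51.100.20"}, "jsonPayload": {"enforcedSecurityPolicy": {"name": "my-waf-policy", "outcome": "ACCEPT", "priority": 2147483647, "configuredAction": "ALLOW"}, "previewSecurityPolicy": {"name": "my-waf-policy", "outcome": "DENY", "priority": 2000, "configuredAction": "DENY"}}}
{"httpRequest": {"status": 403, "requestUrl": "https://shop.example/search?q=O'Brien", "remoteIp": "203.0.113.9"}, "jsonPayload": {"enforcedSecurityPolicy": {"name": "my-waf-policy", "outcome": "DENY", "priority": 1000, "configuredAction": "DENY", "preconfiguredExprIds": ["owasp-crs-v030001-id942100-sqli"]}}}
"""

def summarize(log_text):
    """Count DENY outcomes per rule priority, separately for enforced and
    previewed rules, and collect the request paths each rule hit."""
    enforced, previewed = Counter(), Counter()
    paths = defaultdict(set)
    for line in log_text.strip().splitlines():
        entry = json.loads(line)
        payload = entry.get("jsonPayload", {})
        path = entry["httpRequest"]["requestUrl"].split("?")[0]
        for field, bucket in (("enforcedSecurityPolicy", enforced),
                              ("previewSecurityPolicy", previewed)):
            rule = payload.get(field)
            if rule and rule.get("outcome") == "DENY":
                bucket[rule["priority"]] += 1
                paths[rule["priority"]].add(path)
    return {"enforced": dict(enforced), "previewed": dict(previewed),
            "paths": {p: sorted(v) for p, v in paths.items()}}

def false_positive_candidates(summary, known_good_prefixes):
    """Flag denying rules whose hits include paths known to be legitimate
    (assumed list), i.e. the rules to move to PREVIEW and refine."""
    return sorted(p for p, hits in summary["paths"].items()
                  if any(h.startswith(pre) for h in hits
                         for pre in known_good_prefixes))

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s)
    print("review:", false_positive_candidates(s, ["https://shop.example/search"]))
```

In a real project the same logic runs over entries exported from Cloud Logging with a filter on jsonPayload.enforcedSecurityPolicy.name; rule priority 1000 here corresponds to the SQLi rule created in the CLI section below.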

Scenario: App is under a massive DDoS attack and backend is failing

Diagnosis: The attack is volumetric. Check if Adaptive Protection has proposed a rule. Fix: Apply the proposed Adaptive Protection rule and contact the Google DDoS Response Team (if on Managed Protection Plus).

PSE Exam Scenarios

Scenario 1: OWASP Compliance

"A company needs to ensure their web app is protected against SQL Injection and Cross-Site Scripting. What is the most efficient way to implement this in Google Cloud?" Answer: Create a Cloud Armor security policy and enable the preconfigured rules for sqli-v33-stable and xss-v33-stable.

Scenario 2: Global Traffic Control

"An application should only be accessible to users in Japan and Australia. Requests from all other countries should be blocked. Where should this be enforced?" Answer: In a Cloud Armor Security Policy using a geo-location rule: origin.region_code != 'JP' && origin.region_code != 'AU' with a DENY action.

Summary Checklist

  • List at least three OWASP Top 10 risks mitigated by Cloud Armor.
  • Explain the difference between Standard and Managed Protection Plus tiers.
  • Describe the purpose of "Preview Mode" in security policies.
  • Understand how Adaptive Protection uses ML to detect attacks.
  • Explain how Cloud Armor integrates with Global External Load Balancers.
