A Denial of Service (DoS) attack is an attempt to render your service or application
unavailable to your end users. With Distributed Denial of Service (DDoS) attacks, the
attackers use multiple resources (often a large number of compromised hosts/instances)
to orchestrate large-scale attacks against targets.
If you expose your APIs externally, you can be vulnerable to DoS attacks. To mitigate this,
Cloud Load Balancing includes some built-in protections, including:
Protection by Google Front End infrastructure: With Cloud Load Balancing, the Google Front End infrastructure terminates user traffic and automatically scales to absorb certain types of attacks (such as SYN floods) before they reach your Compute Engine instances.
Anycast-based load balancing: Cloud Load Balancing enables a single anycast IP to act as the frontend for Apigee instances in all regions. Traffic is directed to the closest backend. In the event of a DDoS attack, GCLB increases the surface area to absorb the attack by moving traffic to instances with available capacity in any region where backends are deployed.
In addition to Cloud Load Balancing, you can add Google Cloud Armor to protect your API endpoints
against DoS and web attacks. Cloud Armor provides benefits such as:
IP-based and geo-based access control: Filter your incoming traffic based on IPv4 and IPv6 addresses or address ranges (CIDRs). Enforce geography-based access controls to allow or deny traffic based on source geography using Google's geoIP mapping.
Support for hybrid and multi-cloud deployments: Help defend applications from DDoS or web attacks and enforce Layer 7 security policies whether your application is deployed on Google Cloud or in a hybrid or multi-cloud architecture.
Visibility and monitoring: Easily monitor all of the metrics associated with your security policies in the Cloud Monitoring dashboard. You can also view suspicious application traffic patterns from Cloud Armor directly in the Security Command Center dashboard.
Pre-configured WAF rules: Out-of-the-box rules from the ModSecurity Core Rule Set to help defend against attacks like cross-site scripting (XSS) and SQL injection. RFI, LFI, and RCE rules are available in beta. Learn more in our WAF rules guide.
Named IP lists: Allow or deny traffic through a Cloud Armor security policy based on a curated named IP list (beta).
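The IP-based, geo-based and pre-configured WAF controls listed above, written as one Cloud Armor security policy file. This is an added example, not configuration from the original page: the policy name, the CIDR ranges (documentation ranges), the region code and the priorities are placeholders to replace with your own values.

```yaml
# Constructed example policy; every name and value below is a placeholder.
name: apigee-edge-policy
description: Layer 7 policy for the load balancer in front of Apigee
rules:
# IP-based access control: block specific IPv4 and IPv6 ranges (CIDRs).
- priority: 1000
  action: deny(403)
  description: Block known-bad source ranges
  match:
    versionedExpr: SRC_IPS_V1
    config:
      srcIpRanges:
      - 198.51.100.0/24
      - 2001:db8::/32
# Geo-based access control: region_code is an ISO 3166-1 alpha-2 code.
# 'XX' is a placeholder, not a real region.
- priority: 2000
  action: deny(403)
  description: Block traffic from a region you do not serve
  match:
    expr:
      expression: origin.region_code == 'XX'
# Pre-configured WAF rules derived from the ModSecurity Core Rule Set.
- priority: 3000
  action: deny(403)
  description: Block XSS and SQL injection attempts
  match:
    expr:
      expression: evaluatePreconfiguredExpr('xss-stable') || evaluatePreconfiguredExpr('sqli-stable')
# Default rule: evaluated last because it has the lowest precedence.
- priority: 2147483647
  action: allow
  description: Default rule, allow everything not matched above
  match:
    versionedExpr: SRC_IPS_V1
    config:
      srcIpRanges:
      - '*'
```

Rules are evaluated in ascending priority number and the first match wins, so the specific deny rules must carry lower numbers than the default allow. A file in this form can be loaded with `gcloud compute security-policies import`, and the policy takes effect once it is attached to the backend service behind the load balancer.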
This page applies to Apigee, but not to Apigee hybrid.
Last updated 2025-09-05 UTC.