A Denial of Service (DoS) attack is an attempt to make your service or application unavailable to your end users. In a Distributed Denial of Service (DDoS) attack, the attackers use multiple resources (often a large number of compromised hosts/instances) to orchestrate large-scale attacks against targets.
The Apigee architecture creates a peering connection between two networks: a Google-managed tenant project (the Apigee VPC) and a customer-managed project (the Customer VPC). To mitigate or prevent DoS attacks on these networks, be sure to follow the Best Practices for DDoS Protection and Mitigation on Google Cloud Platform (PDF).
If you expose your APIs externally, you can be vulnerable to DoS attacks. To mitigate this, Cloud Load Balancing includes some built-in protections, including:
Protection by Google Frontend infrastructure: With Cloud Load Balancing, the Google frontend infrastructure terminates user traffic and automatically scales to absorb certain types of attacks (such as SYN floods) before they reach your Compute Engine instances.
Anycast-based Load Balancing: Cloud Load Balancing enables a single anycast IP to front-end Apigee instances in all regions. Traffic is directed to the closest backend; in the event of a DDoS attack, GCLB increases the surface area to absorb the attack by moving traffic to instances with available capacity in the regions where backends are deployed.
In addition to Cloud Load Balancing, you can add Google Cloud Armor to protect your API endpoints against DoS and web attacks. Cloud Armor provides benefits such as:
IP-based and geo-based access control: Filter your incoming traffic based on IPv4 and IPv6 addresses or address ranges (CIDRs). Enforce geography-based access controls to allow or deny traffic based on source geography using Google's geoIP mapping.
Support for hybrid and multi-cloud deployments: Help defend applications from DDoS or web attacks and enforce Layer 7 security policies whether your application is deployed on Google Cloud or in a hybrid or multi-cloud architecture.
Visibility and monitoring: Easily monitor all of the metrics associated with your security policies in the Cloud Monitoring dashboard. You can also view suspicious application traffic patterns from Cloud Armor directly in the Security Command Center dashboard.
Pre-configured WAF rules: Out-of-the-box rules from the ModSecurity Core Rule Set to help defend against attacks like cross-site scripting (XSS) and SQL injection. RFI, LFI, and RCE rules are also available in beta. Learn more in our WAF rules guide.
Named IP Lists: Allow or deny traffic through a Cloud Armor security policy based on a curated Named IP List (beta).
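The IP-based, geo-based and pre-configured WAF controls listed above can be expressed as one Cloud Armor security policy attached to the load balancer's backend service. The script below is an added example, not part of the original page; the policy name, backend service name, CIDR ranges (documentation ranges) and region code `ZZ` are placeholder assumptions, and it only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: Cloud Armor policy for an externally exposed Apigee endpoint.
# All names and values below are hypothetical placeholders.
POLICY="${POLICY:-apigee-edge-policy}"
BACKEND="${BACKEND:-apigee-backend-service}"
DENY_CIDRS="${DENY_CIDRS:-198.51.100.0/24,2001:db8::/32}"   # constructed sample ranges
DENY_REGION="${DENY_REGION:-ZZ}"                            # placeholder region code
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode (shell quoting is not shown), else execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# deny_rule PRIORITY DESCRIPTION MATCH_FLAG MATCH_VALUE
# Lower priority numbers are evaluated first; unmatched traffic falls
# through to the policy's default rule.
deny_rule() {
  run gcloud compute security-policies rules create "$1" \
    --security-policy "$POLICY" --action deny-403 \
    --description "$2" "$3" "$4"
}

apply_policy() {
  run gcloud compute security-policies create "$POLICY" \
    --description "Edge policy for externally exposed Apigee APIs"
  # IP-based access control: IPv4 and IPv6 CIDRs
  deny_rule 1000 "Deny listed CIDRs" --src-ip-ranges "$DENY_CIDRS"
  # Geo-based access control via Google's geoIP mapping
  deny_rule 2000 "Deny source region" \
    --expression "origin.region_code == '$DENY_REGION'"
  # Pre-configured WAF rules (ModSecurity Core Rule Set)
  deny_rule 3000 "CRS XSS" --expression "evaluatePreconfiguredExpr('xss-stable')"
  deny_rule 3100 "CRS SQLi" --expression "evaluatePreconfiguredExpr('sqli-stable')"
  # Attach the policy to the global load balancer's backend service
  run gcloud compute backend-services update "$BACKEND" \
    --security-policy "$POLICY" --global
}

apply_policy
```

Review the printed commands first, then rerun with `DRY_RUN=0` against a non-production backend service before applying the policy to live traffic.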
Last updated 2025-09-05 UTC.