A distributed denial-of-service (DDoS) attack is a deliberate attempt by a hostile actor to disrupt operations of publicly exposed sites, systems, and APIs, with the goal of degrading the experience of legitimate users. For workloads using External TCP/UDP network load balancer (network load balancing), protocol forwarding, or VMs with public IP addresses, Google Cloud Armor offers the following options to help protect systems against DDoS attacks:
- Standard network DDoS protection: basic always-on protection for network load balancers, protocol forwarding, or VMs with public IP addresses.
- Advanced network DDoS protection: additional protections for Managed Protection Plus subscribers who use network load balancers, protocol forwarding, or VMs with public IP addresses. For more information about Managed Protection, see the Managed Protection overview.
This document explains the difference between standard and advanced network DDoS protection, how advanced network DDoS protection works, and how to enable advanced network DDoS protection.
Compare standard and advanced network DDoS protection
Use the following table to compare standard and advanced network DDoS protection features.
Feature | Standard network DDoS protection | Advanced network DDoS protection |
---|---|---|
Protected endpoint type | Network load balancers, protocol forwarding, VMs with public IP addresses | Network load balancers, protocol forwarding, VMs with public IP addresses |
Standard DDoS attack filtering | Yes | Yes |
Forwarding rule enforcement | Yes | Yes |
Always-on attack monitoring and alerting | No | Yes |
Targeted attack mitigations | No | Yes |
Mitigation telemetry | No | Yes |
How network DDoS protection works
Standard network DDoS protection is always enabled. You do not need to take any action to enable it.
You configure advanced network DDoS protection on a per-region basis. When you enable it for a particular region, Google Cloud Armor provides always-on targeted volumetric attack detection and mitigation for network load balancers, protocol forwarding, and VMs with public IP addresses in that region. You can only apply advanced network DDoS protection to projects that are enrolled in Managed Protection Plus.
When you configure advanced network DDoS protection, you first create a security policy of type `CLOUD_ARMOR_NETWORK` in a region that you choose. Next, you update the security policy to enable advanced network DDoS protection. Finally, you create a network edge security service, a resource to which you can attach security policies of type `CLOUD_ARMOR_NETWORK`. Attaching the security policy to the network edge security service enables advanced network DDoS protection for all applicable endpoints in the region that you chose.
Activate advanced network DDoS protection
Use the following steps to activate advanced network DDoS protection.
Enroll in Managed Protection Plus
Your project must be enrolled in Managed Protection Plus before you can enable advanced network DDoS protection on a per-region basis. After you activate it for a region, all regional endpoints in that region receive always-on advanced network DDoS protection.
Ensure that there is an active Managed Protection Plus subscription in your billing account, and that the current project is enrolled in Managed Protection Plus. For more information about enrolling in Managed Protection, see Subscribing to Managed Protection Plus and enrolling projects.
Configure advanced network DDoS protection
Use the following steps to enable advanced network DDoS protection. Replace variables with information that is relevant to your deployment.
1. Create a security policy of type `CLOUD_ARMOR_NETWORK`, or use an existing security policy of type `CLOUD_ARMOR_NETWORK`. Replace SECURITY_POLICY_NAME with the name that you want your security policy to have, and replace REGION with the region in which you want your security policy to be provisioned.

```shell
gcloud compute security-policies create SECURITY_POLICY_NAME \
    --type CLOUD_ARMOR_NETWORK \
    --region REGION
```

2. Update the newly created or existing security policy by setting the `--network-ddos-protection` flag to `ADVANCED`.

```shell
gcloud compute security-policies update SECURITY_POLICY_NAME \
    --network-ddos-protection ADVANCED \
    --region REGION
```

Alternatively, set the `--network-ddos-protection` flag to `ADVANCED_PREVIEW` to enable the security policy in preview mode, which logs the proposed mitigations without enforcing them.

```shell
gcloud beta compute security-policies update SECURITY_POLICY_NAME \
    --network-ddos-protection ADVANCED_PREVIEW \
    --region REGION
```

3. Create a network edge security service in the same region that references your security policy. Replace SERVICE_NAME with the name that you want the service to have.

```shell
gcloud compute network-edge-security-services create SERVICE_NAME \
    --security-policy SECURITY_POLICY_NAME \
    --region REGION
```
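The three steps above are idempotent only if you check the current state first. The following Python script is an added example, not code from this page or from Google: it reads the JSON that `gcloud compute security-policies describe SECURITY_POLICY_NAME --region REGION --format=json` prints, works out which mode the policy is already in, and emits only the gcloud commands still needed to reach the mode you want (including the `gcloud beta` track for `ADVANCED_PREVIEW`, as above). It assumes the REST field names `type` and `ddosProtectionConfig.ddosProtection` in that output, treats a policy with no `ddosProtectionConfig` as `STANDARD`, and takes `None` to mean the policy does not exist yet; the policy name, region, service name and the sample describe output are placeholders.

```python
"""Plan the gcloud commands needed to reach a target network DDoS protection mode.

Added example, not code from the Cloud Armor documentation. Assumptions: the JSON
from `gcloud compute security-policies describe POLICY --region REGION
--format=json` carries the REST field names "type" and
"ddosProtectionConfig.ddosProtection"; a policy without ddosProtectionConfig is
STANDARD; a missing policy is passed in as None; the network edge security
service is created in the same region with the policy attached.
"""
import json
import subprocess
from typing import List, Optional

MODES = ("STANDARD", "ADVANCED", "ADVANCED_PREVIEW")
POLICY_TYPE = "CLOUD_ARMOR_NETWORK"


def current_mode(describe_json: Optional[str]) -> Optional[str]:
    """Mode recorded in the describe output, or None if the policy does not exist."""
    if describe_json is None:
        return None
    policy = json.loads(describe_json)
    if policy.get("type") != POLICY_TYPE:
        # Only CLOUD_ARMOR_NETWORK policies carry network DDoS protection settings.
        raise ValueError(f"{policy.get('name')} has type {policy.get('type')}; "
                         f"network DDoS protection requires {POLICY_TYPE}")
    return policy.get("ddosProtectionConfig", {}).get("ddosProtection", "STANDARD")


def plan(policy: str, region: str, service: str, desired: str,
         describe_json: Optional[str], service_exists: bool) -> List[List[str]]:
    """Return the gcloud argv lists, in order, that move the region to `desired`.

    Steps whose effect is already in place are skipped, so the plan can be re-run.
    """
    if desired not in MODES:
        raise ValueError(f"unknown mode {desired!r}; expected one of {MODES}")
    steps: List[List[str]] = []
    mode = current_mode(describe_json)
    if mode is None:
        steps.append(["gcloud", "compute", "security-policies", "create", policy,
                      "--type", POLICY_TYPE, "--region", region])
        mode = "STANDARD"            # a freshly created policy starts at STANDARD
    if mode != desired:
        # Preview mode is set through the beta track, as on the page.
        track = ["gcloud", "beta"] if desired == "ADVANCED_PREVIEW" else ["gcloud"]
        steps.append(track + ["compute", "security-policies", "update", policy,
                              "--network-ddos-protection", desired, "--region", region])
    if desired != "STANDARD" and not service_exists:
        # Advanced protection only takes effect once the policy is attached to a
        # network edge security service in the region.
        steps.append(["gcloud", "compute", "network-edge-security-services", "create",
                      service, "--security-policy", policy, "--region", region])
    return steps


def execute(steps: List[List[str]], dry_run: bool = True) -> List[str]:
    """Print each command and, unless dry_run, run it; returns the rendered lines."""
    rendered = []
    for argv in steps:
        line = " ".join(argv)
        rendered.append(line)
        print(line)
        if not dry_run:
            subprocess.run(argv, check=True)
    return rendered


# Constructed describe output (placeholder names) for a policy already in preview mode.
SAMPLE_DESCRIBE = json.dumps({
    "name": "ddos-policy",
    "type": "CLOUD_ARMOR_NETWORK",
    "region": "https://www.googleapis.com/compute/v1/projects/example/regions/us-central1",
    "ddosProtectionConfig": {"ddosProtection": "ADVANCED_PREVIEW"},
})

if __name__ == "__main__":
    # Promote the previewed policy to enforced mode; only the update is needed.
    execute(plan("ddos-policy", "us-central1", "ddos-service", "ADVANCED",
                 SAMPLE_DESCRIBE, service_exists=True))
```

Feed `plan()` the real describe output (or `None` when `describe` reports that the policy is not found) and pass `dry_run=False` to `execute()` once the printed commands look right; setting `desired="STANDARD"` produces the same update command the Disable section below uses.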
Disable advanced network DDoS protection
To disable advanced network DDoS protection, you can either update or delete the security policy.
Update the security policy
Use the following command to update your security policy to set the `--network-ddos-protection` flag to `STANDARD`. Replace variables with information that is relevant to your deployment.

```shell
gcloud compute security-policies update SECURITY_POLICY_NAME \
    --network-ddos-protection STANDARD \
    --region REGION
```
Delete the security policy
Before you can delete the security policy, you must first remove it from the network edge security service, because you cannot delete a security policy that is in use. Use the following steps to delete your security policy:
- Remove your policy from the network edge security service, or delete the network edge security service.
- Delete the security policy by using the following command. Replace SECURITY_POLICY_NAME and REGION with the name and region of your policy.

```shell
gcloud compute security-policies delete SECURITY_POLICY_NAME \
    --region REGION
```
Use preview mode
Preview mode lets you monitor the effects of advanced network DDoS protection without enforcing the mitigation.
Managed Protection Plus subscribers can also enable preview mode for advanced network DDoS protection policies. In preview mode, you receive all of the logging and telemetry about the detected attack and the proposed mitigation. However, the proposed mitigation is not enforced. This lets you test the effectiveness of the mitigation before enabling it. Because each policy is configured per region, you can enable or disable preview mode per region.
To enable preview mode, set the `--network-ddos-protection` flag to `ADVANCED_PREVIEW`.

You can use the following example to update an existing policy. Replace SECURITY_POLICY_NAME with the name of your policy and REGION with the region in which your policy is located.

```shell
gcloud beta compute security-policies update SECURITY_POLICY_NAME \
    --network-ddos-protection ADVANCED_PREVIEW \
    --region REGION
```
If your security policy is in preview mode during an active attack and you want to enforce the mitigations, update your security policy to set the `--network-ddos-protection` flag to `ADVANCED`. The policy is enforced almost immediately, and the next `MITIGATION_ONGOING` logging event reflects the change. `MITIGATION_ONGOING` logging events occur every five minutes.
Network DDoS mitigation telemetry
The following sections explain how to use telemetry to analyze attacks and their sources.
Cloud Logging attack mitigation event logs
Google Cloud Armor generates three types of event logs when mitigating DDoS attacks. The following sections provide examples of the log format for each type of event log:
Mitigation started

```
@type: "type.googleapis.com/google.cloud.networksecurity.cloudarmor.logging.v1.CloudArmorMitigationAlert"
alertId: "11275630857957031521"
mitigation_type: "MITIGATION_STARTED"
target_vip: "XXX.XXX.XXX.XXX"
total_volume: {
  pps: 1400000
}
started: {
  total_attack_volume: {
    pps: 1100000
  }
  classified_attack: {
    attack_type: "NTP-udp"
    attack_volume: {
      pps: 500000
    }
  }
  classified_attack: {
    attack_type: "CHARGEN-udp"
    attack_volume: {
      pps: 600000
    }
  }
}
```

Mitigation ongoing

```
@type: "type.googleapis.com/google.cloud.networksecurity.cloudarmor.logging.v1.CloudArmorMitigationAlert"
alertId: "11275630857957031521"
mitigation_type: "MITIGATION_ONGOING"
target_vip: "XXX.XXX.XXX.XXX"
total_volume: {
  pps: 1500000
}
ongoing: {
  total_attack_volume: {
    pps: 1100000
  }
  classified_attack: {
    attack_type: "NTP-udp"
    attack_volume: {
      pps: 500000
    }
  }
  classified_attack: {
    attack_type: "CHARGEN-udp"
    attack_volume: {
      pps: 600000
    }
  }
}
```

Mitigation completed

```
@type: "type.googleapis.com/google.cloud.networksecurity.cloudarmor.logging.v1.CloudArmorMitigationAlert"
alertId: "11275630857957031521"
mitigation_type: "MITIGATION_ENDED"
target_vip: "XXX.XXX.XXX.XXX"
ended: {
  attack_duration_seconds: 600
}
```
In preview mode, each of the preceding `mitigation_type` values is prefixed with `PREVIEWED_`. For example, in preview mode, `MITIGATION_STARTED` is instead `PREVIEWED_MITIGATION_STARTED`.

To view these logs, go to the Logs Explorer and view the `network_security_policy` resource. For more information about viewing logs, see Viewing logs.
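The event formats above are what an operator actually has to correlate during an attack: the three events share an `alertId`, the `PREVIEWED_` prefix tells you whether anything was enforced, and the five-minute `MITIGATION_ONGOING` cadence lets you notice when entries go missing. The following Python script is an added example, not code from this page or from Google, that folds exported alerts into one summary per alert. It assumes the alerts were exported from Cloud Logging as JSON LogEntry objects with a top-level `timestamp` and a `jsonPayload` carrying the fields shown above; keys are normalised to snake_case so both camelCase exports (`mitigationType`, `targetVip`) and the proto-text names on this page parse the same way. The sample entries, the VIP `203.0.113.10` and the heartbeat-gap heuristic are this example's own.

```python
"""Summarise Cloud Armor network DDoS mitigation alerts exported from Cloud Logging.

Added example, not code from the Cloud Armor documentation. It assumes each
CloudArmorMitigationAlert was exported as a JSON LogEntry with a top-level
"timestamp" and a "jsonPayload" carrying the fields shown on the page. Keys are
normalised to snake_case, so camelCase exports (mitigationType, targetVip, ...)
and the proto-text names (mitigation_type, target_vip, ...) parse identically.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

_CAMEL = re.compile(r"(?<!^)(?=[A-Z])")


def _normalise(obj):
    """Recursively rewrite dict keys to snake_case."""
    if isinstance(obj, dict):
        return {_CAMEL.sub("_", k).lower(): _normalise(v) for k, v in obj.items()}
    return [_normalise(v) for v in obj] if isinstance(obj, list) else obj


@dataclass
class MitigationEvent:
    alert_id: str
    phase: str                 # STARTED, ONGOING or ENDED
    preview: bool              # PREVIEWED_* event: mitigation proposed, not enforced
    target_vip: str
    timestamp: datetime
    total_pps: int = 0         # all traffic arriving at the VIP
    attack_pps: int = 0        # the part classified as attack
    attacks: Dict[str, int] = field(default_factory=dict)  # pps per attack type
    duration_seconds: Optional[int] = None                 # ENDED events only


def parse_event(entry: dict) -> MitigationEvent:
    e = _normalise(entry)
    p = e["json_payload"]
    mtype = p["mitigation_type"]
    detail = p.get("started") or p.get("ongoing") or p.get("ended") or {}
    attacks: Dict[str, int] = {}
    for a in detail.get("classified_attack", []):   # repeated field, one entry per type
        attacks[a["attack_type"]] = attacks.get(a["attack_type"], 0) + int(a["attack_volume"]["pps"])
    return MitigationEvent(
        alert_id=str(p["alert_id"]), target_vip=p["target_vip"],
        phase=mtype.split("MITIGATION_", 1)[1],    # drops PREVIEWED_ and MITIGATION_
        preview=mtype.startswith("PREVIEWED_"),
        timestamp=datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00")),
        total_pps=int(p.get("total_volume", {}).get("pps", 0)),
        attack_pps=int(detail.get("total_attack_volume", {}).get("pps", 0)),
        attacks=attacks, duration_seconds=detail.get("attack_duration_seconds"))


@dataclass
class AlertSummary:
    alert_id: str
    target_vip: str
    phases: List[str] = field(default_factory=list)
    enforced: bool = False     # at least one non-preview event was logged
    peak_attack_pps: int = 0
    attack_types: Dict[str, int] = field(default_factory=dict)  # peak pps per type
    duration_seconds: Optional[int] = None
    heartbeat_gaps: int = 0    # five-minute ONGOING events that never arrived


def summarise(entries: List[dict], heartbeat_seconds: int = 300) -> Dict[str, AlertSummary]:
    """Fold the events of each alertId into one summary, in timestamp order."""
    events = sorted((parse_event(x) for x in entries), key=lambda ev: ev.timestamp)
    out: Dict[str, AlertSummary] = {}
    last_seen: Dict[str, datetime] = {}
    for ev in events:
        s = out.setdefault(ev.alert_id, AlertSummary(ev.alert_id, ev.target_vip))
        s.phases.append(ev.phase)
        s.enforced = s.enforced or not ev.preview
        s.peak_attack_pps = max(s.peak_attack_pps, ev.attack_pps)
        for kind, pps in ev.attacks.items():
            s.attack_types[kind] = max(s.attack_types.get(kind, 0), pps)
        if ev.duration_seconds is not None:
            s.duration_seconds = ev.duration_seconds
        if ev.alert_id in last_seen:
            # Heuristic of this example: ONGOING is logged every five minutes, so a
            # longer gap means lost entries or a lagging export worth checking.
            gap = (ev.timestamp - last_seen[ev.alert_id]).total_seconds()
            s.heartbeat_gaps += max(round(gap / heartbeat_seconds) - 1, 0)
        last_seen[ev.alert_id] = ev.timestamp
    return out


def _entry(ts, alert_id, mtype, **payload):
    # Constructed LogEntry in the camelCase shape Cloud Logging exports (sample data).
    return {"timestamp": ts, "jsonPayload": {"alertId": alert_id, "mitigationType": mtype,
                                             "targetVip": "203.0.113.10", **payload}}


_ATTACKS = [{"attackType": "NTP-udp", "attackVolume": {"pps": 500000}},
            {"attackType": "CHARGEN-udp", "attackVolume": {"pps": 600000}}]
# Constructed samples: alert one mirrors the three events shown on the page; alert
# two is a preview-mode alert with a 15-minute hole in its ONGOING events.
SAMPLE_ENTRIES = [
    _entry("2024-05-01T10:00:00Z", "11275630857957031521", "MITIGATION_STARTED", totalVolume={"pps": 1400000},
           started={"totalAttackVolume": {"pps": 1100000}, "classifiedAttack": _ATTACKS}),
    _entry("2024-05-01T10:05:00Z", "11275630857957031521", "MITIGATION_ONGOING", totalVolume={"pps": 1500000},
           ongoing={"totalAttackVolume": {"pps": 1100000}, "classifiedAttack": _ATTACKS}),
    _entry("2024-05-01T10:10:00Z", "11275630857957031521", "MITIGATION_ENDED", ended={"attackDurationSeconds": 600}),
    _entry("2024-05-01T11:00:00Z", "98", "PREVIEWED_MITIGATION_STARTED", totalVolume={"pps": 900000},
           started={"totalAttackVolume": {"pps": 500000}, "classifiedAttack": _ATTACKS[:1]}),
    _entry("2024-05-01T11:15:00Z", "98", "PREVIEWED_MITIGATION_ONGOING", totalVolume={"pps": 950000},
           ongoing={"totalAttackVolume": {"pps": 500000}, "classifiedAttack": _ATTACKS[:1]}),
]

if __name__ == "__main__":
    print(*summarise(SAMPLE_ENTRIES).values(), sep="\n")
```

Point `summarise()` at the entries of a Logs Explorer export filtered on the `network_security_policy` resource; an alert whose `enforced` stays `False` ran entirely in preview mode, and a non-zero `heartbeat_gaps` during an enforced mitigation is a reason to check the log sink before trusting the attack timeline.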