Configure advanced network DDoS protection

A distributed denial-of-service (DDoS) attack is a deliberate attempt by a hostile actor to disrupt operations of publicly exposed sites, systems, and APIs, with the goal of degrading the experience of legitimate users. For workloads using External TCP/UDP network load balancer (network load balancing), protocol forwarding, or VMs with public IP addresses, Google Cloud Armor offers the following options to help protect systems against DDoS attacks:

  • Standard network DDoS protection: basic always-on protection for network load balancers, protocol forwarding, or VMs with public IP addresses.
  • Advanced network DDoS protection: additional protections for Managed Protection Plus subscribers that use network load balancers, protocol forwarding, or VMs with public IP addresses. For more information about Managed Protection, see the Managed Protection overview.

This document explains the difference between standard and advanced network DDoS protection, how advanced network DDoS protection works, and how to enable advanced network DDoS protection.

How it works

Standard network DDoS protection is always-on, and you do not need to do anything to enable it.

Advanced network DDoS protection is configured on a per-region basis. When enabled for a particular region, Google Cloud Armor provides always-on targeted volumetric attack detection and mitigation for network load balancers, protocol forwarding, and VMs with public IP addresses in that region. Only projects that are enrolled in Managed Protection Plus are eligible to sign up for advanced network DDoS protection.

When you configure advanced network DDoS protection, you first create a security policy of the type CLOUD_ARMOR_NETWORK in a region that you choose. Next, you update the security policy to enable advanced network DDoS protection. Finally, you create a network edge security service, which is a resource that you use only for attaching security policies of type CLOUD_ARMOR_NETWORK. Attaching the security policy to the network edge security service enables advanced network DDoS protection for all applicable endpoints in the region that you chose.

Compare standard network DDoS protection and advanced protection

Use the following table to compare standard and advanced network DDoS protection features.

Feature                                    Standard network DDoS protection   Advanced network DDoS protection
Protected endpoint type                    Network load balancers,            Network load balancers,
                                           protocol forwarding,               protocol forwarding,
                                           VMs with public IP addresses       VMs with public IP addresses
Standard DDoS attack filtering             Yes                                Yes
Forwarding rule enforcement                Yes                                Yes
Always-on attack monitoring and alerting   No                                 Yes
Customized attack mitigations              No                                 Yes
Mitigation telemetry                       No                                 Yes

Activating advanced network DDoS protection

Use the following steps to activate advanced network DDoS protection.

Enrolling in Managed Protection Plus

Your project must be enrolled in Managed Protection Plus to enable advanced network DDoS protection on a per-region basis. Once activated, all regional endpoints in the activated region receive always-on advanced network DDoS protection. For the duration of the preview, they are not metered as protected resources for Managed Protection Plus, meaning that you are billed only for the data processing fee.

Ensure that there is an active Managed Protection Plus subscription on your billing account, and that the current project is enrolled in Managed Protection Plus. For more information about enrolling in Managed Protection, see Subscribing to Managed Protection Plus and enrolling projects.

Configure advanced network DDoS protection

Use the following steps to enable advanced network DDoS protection. Replace variables with information that is relevant to your deployment.

  1. Create a security policy of type CLOUD_ARMOR_NETWORK, or use an existing security policy with type CLOUD_ARMOR_NETWORK. Replace SECURITY_POLICY_NAME with the name that you want your security policy to have, and replace REGION with the region in which you want your security policy to be provisioned.

    gcloud beta compute security-policies create SECURITY_POLICY_NAME --type CLOUD_ARMOR_NETWORK --region REGION
    
  2. Update the newly-created or existing security policy by setting the --network-ddos-protection flag to ADVANCED.

    gcloud beta compute security-policies update SECURITY_POLICY_NAME --network-ddos-protection ADVANCED --region REGION

  3. Create a network edge security service that references your security policy.

    gcloud beta compute network-edge-security-services create SERVICE_NAME --security-policy SECURITY_POLICY_NAME --region REGION
    

Disabling advanced network DDoS protection

To disable advanced network DDoS protection, you can either update the security policy by setting the --network-ddos-protection flag to STANDARD, or delete the security policy.

Updating the security policy

Use the following command to update your security policy to set the --network-ddos-protection flag to STANDARD. Replace variables with information that is relevant to your deployment.

  gcloud beta compute security-policies update SECURITY_POLICY_NAME --network-ddos-protection STANDARD --region REGION


Deleting the security policy

Use the following steps to delete your security policy.

  1. Remove your policy from the network edge security service or delete the network edge security service, because you cannot delete in-use security policies.
  2. Delete the security policy.
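The three enable steps and the two disable paths above, collected into one script. This is an added example, not a command sequence from the Google Cloud documentation: the project ID, region, policy name and service name are placeholders, and the DRY_RUN switch and the describe-before-create check are this script's own additions, not part of the documented procedure. Its one substantive point is ordering: the network edge security service is deleted before the security policy, because an in-use policy cannot be deleted.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation. Enables, downgrades or
# removes advanced network DDoS protection for one region. Values below are
# placeholders; override them in the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"            # placeholder
REGION="${REGION:-us-central1}"                   # placeholder
SECURITY_POLICY_NAME="${SECURITY_POLICY_NAME:-adv-ddos-policy}"   # placeholder
SERVICE_NAME="${SERVICE_NAME:-adv-ddos-service}"  # placeholder
# DRY_RUN=1 prints each gcloud command instead of executing it (script's own switch).
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Idempotency check (this script's addition): succeed only if the regional
# security policy already exists. In dry-run mode assume it does not.
policy_exists() {
  [ "$DRY_RUN" = "1" ] && return 1
  gcloud beta compute security-policies describe "$SECURITY_POLICY_NAME" \
    --region "$REGION" --project "$PROJECT_ID" >/dev/null 2>&1
}

# Steps 1-3 of "Configure advanced network DDoS protection".
enable_advanced_ddos() {
  if ! policy_exists; then
    run gcloud beta compute security-policies create "$SECURITY_POLICY_NAME" \
      --type CLOUD_ARMOR_NETWORK --region "$REGION" --project "$PROJECT_ID"
  fi
  run gcloud beta compute security-policies update "$SECURITY_POLICY_NAME" \
    --network-ddos-protection ADVANCED --region "$REGION" --project "$PROJECT_ID"
  run gcloud beta compute network-edge-security-services create "$SERVICE_NAME" \
    --security-policy "$SECURITY_POLICY_NAME" --region "$REGION" --project "$PROJECT_ID"
}

# Disable path 1: keep the policy and edge service, drop the level to STANDARD.
downgrade_to_standard() {
  run gcloud beta compute security-policies update "$SECURITY_POLICY_NAME" \
    --network-ddos-protection STANDARD --region "$REGION" --project "$PROJECT_ID"
}

# Disable path 2: delete the policy. The edge security service must be removed
# first, since a security policy that is still in use cannot be deleted.
delete_policy() {
  run gcloud beta compute network-edge-security-services delete "$SERVICE_NAME" \
    --region "$REGION" --project "$PROJECT_ID" --quiet
  run gcloud beta compute security-policies delete "$SECURITY_POLICY_NAME" \
    --region "$REGION" --project "$PROJECT_ID" --quiet
}

if [ $# -gt 0 ]; then
  case "$1" in
    enable)   enable_advanced_ddos ;;
    standard) downgrade_to_standard ;;
    delete)   delete_policy ;;
    *) echo "usage: $0 {enable|standard|delete}" >&2; exit 2 ;;
  esac
fi
```

Run it as `DRY_RUN=1 sh ddos.sh enable` first to review the exact commands that will be issued for your project and region, then without DRY_RUN to apply them.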

Network DDoS mitigation telemetry

The following sections explain how to use telemetry to analyze attacks and their sources.

Cloud Logging attack mitigation event logs

Google Cloud Armor generates three types of event logs when mitigating DDoS attacks:

  1. Mitigation started
  2. Mitigation ongoing
  3. Mitigation completed

To view these logs, go to the Logs Explorer and view the network_security_policy resource.

For more information about viewing logs, see Viewing logs.

Security Command Center alerts and findings

Google Cloud Armor generates the following findings in the Security Command Center when mitigating an attack:

  • Finding states
    • Mitigation started
    • Mitigation ongoing
    • Mitigation complete
  • Finding details
    • Target endpoint
    • Summary of attack metrics and classification
    • A link to the relevant Logging entry

For more information about the Security Command Center, see the Security Command Center overview.