Cloud Armor Enterprise overview

Google Cloud Armor Enterprise is the application protection service that helps protect your web applications and services from distributed denial-of-service (DDoS) attacks and other threats from the internet. Cloud Armor Enterprise helps protect applications deployed on Google Cloud, on-premises, or on other infrastructure providers.

Google Cloud Armor Standard versus Cloud Armor Enterprise

Google Cloud Armor is offered in two service tiers, Standard and Cloud Armor Enterprise.

Google Cloud Armor Standard includes the following:

  • A pay-as-you go pricing model
  • Always-on protection from volumetric and protocol-based DDoS attacks, with automated inline mitigations in real time and with no latency impact across the following infrastructure types:
    • Global external Application Load Balancer (HTTP/HTTPS)
    • Classic Application Load Balancer (HTTP/HTTPS)
    • Regional external Application Load Balancer (HTTP/HTTPS)
    • Global external proxy Network Load Balancer (TCP/SSL)
    • Cloud CDN
    • Media CDN
  • Integration with Cloud CDN and Media CDN
  • Access to Google Cloud Armor web application firewall (WAF) rule capabilities, including preconfigured WAF rules for OWASP Top 10 protection

Cloud Armor Enterprise includes the following:

All Google Cloud projects that include an external Application Load Balancer or an external proxy Network Load Balancer are automatically enrolled in Google Cloud Armor Standard. After subscribing to Cloud Armor Enterprise at the billing account level, users can choose to enroll individual projects attached to the billing account in Cloud Armor Enterprise.

The following table summarizes the two service tiers.

Google Cloud Armor Standard Cloud Armor Enterprise
Paygo Annual
Billing method Pay-as-you-go Pay-as-you-go Subscription with 12-month commitment
Pricing Per policy, per rule, per request (see Pricing)
  • $200/month per project
  • $200/month per protected resource after first 2 resources
  • $3000/month per billing account
  • $30/month per protected resource after first 100 resources
DDoS attack protection
  • External Application Load Balancer
  • External proxy Network Load Balancer
  • External Application Load Balancer
  • External proxy Network Load Balancer
  • External passthrough Network Load Balancer
  • Protocol forwarding
  • Public IP addresses (VMs)
  • External Application Load Balancer
  • External proxy Network Load Balancer
  • External passthrough Network Load Balancer
  • Protocol forwarding
  • Public IP addresses (VMs)
Advanced network DDoS protection No Yes Yes
Network edge security policies No Yes Yes
Google Cloud Armor WAF Per policy, per rule, per request (see Pricing) Included with Paygo Included with Annual
Resource limits Up to quota limit Up to quota limit Up to quota limit
Time commitment N/A N/A One year
Address Group
Threat Intelligence
Adaptive Protection Alerting only
DDoS attack visibility N/A
DDoS response support N/A Eligibility requirements
DDoS bill protection N/A

Subscribe to Cloud Armor Enterprise

To use the additional services and capabilities in Cloud Armor Enterprise, you must first enroll in Cloud Armor Enterprise. You can subscribe to Cloud Armor Enterprise Annual and enroll individual projects, or you can enroll a project directly in Cloud Armor Enterprise Paygo.

We strongly recommend that you enroll your projects in Cloud Armor Enterprise as soon as possible because activation can take up to 24 hours.

External Application Load Balancer and external proxy Network Load Balancer

After a project is enrolled in Cloud Armor Enterprise, the forwarding rules within the project are added to the enrollment. In addition, all backend services and backend buckets are counted as protected resources and are metered for the Cloud Armor Enterprise protected resources cost. The backend services and backend buckets in Cloud Armor Enterprise Annual are aggregated across all enrolled projects in a billing account, whereas the backend services and backend buckets in Cloud Armor Enterprise Paygo are aggregated within the project.

External passthrough Network Load Balancer, protocol forwarding, and public IP addresses (VMs)

Google Cloud Armor offers the following options to protect these endpoints against DDoS attacks:

  • Standard network DDoS protection: basic always-on protection for external passthrough Network Load Balancers, protocol forwarding, or VMs with public IP addresses. This includes forwarding rule enforcement and automatic rate limiting. This is covered under Google Cloud Armor Standard and does not require any additional subscriptions.
  • Advanced network DDoS protection: additional protections for Cloud Armor Enterprise subscribers. Advanced network DDoS protection is configured on a per-region basis. When enabled for a particular region, Google Cloud Armor provides always-on volumetric attack detection and targeted mitigation for external passthrough Network Load Balancers, protocol forwarding, and VMs with public IP addresses in that region.

DDoS response support

DDoS Response support provides 24/7 help and potential custom mitigations from DDoS attacks from the same team that protects all Google services. You can engage response support during an attack to help mitigate the attack, or you can reach out proactively to plan for an upcoming high volume or potentially viral event (one which might attract an unusually high amount of visitors).

Proactive support is available for all Google Cloud Armor customers, even if they haven't completed a DDoS posture review. Proactive support lets us apply preconfigured rules that target common DDoS attack types before the attack reaches Google Cloud Armor. To engage DDoS response support, see Get support for a DDoS case.

DDoS posture review

The goal of the DDoS posture review is to improve the efficiency and efficacy of the DDoS response process. During the review process we learn about your unique use case and architecture, and verify that your Google Cloud Armor security policies are configured according to our best practices. This helps you increase your preemptive resilience to DDoS attacks.

The DDoS posture review is provided to customers who subscribe to Cloud Armor Enterprise Annual and have a Premium account for Cloud Customer Care.

Eligibility for DDoS response support

The following criteria qualify you to open a case and receive help from the Google Cloud Armor DDoS response support team:

  • Your billing account has an active Cloud Armor Enterprise Annual subscription.
  • Your billing account has a Premium account for Cloud Customer Care.
  • The Google Cloud project with the workload that is under attack is enrolled in Cloud Armor Enterprise Annual.
  • (For customers who subscribed to Cloud Armor Enterprise Annual after September 3, 2024): The project with the workload that is under attack must have undergone an annual DDoS posture review.

To engage DDoS response support, see Get support for a DDoS case.

DDoS bill protection

Google Cloud Armor DDoS bill protection requires your project to be enrolled in Cloud Armor Enterprise Annual. It provides credits for future Google Cloud usage for some increases in the bills from Cloud Load Balancing, Google Cloud Armor, and network internet, inter-region, and inter-zone outbound data transfer as a result of a verified DDoS attack. If a claim is recognized and a credit is provided, the credit cannot be used to offset existing usage; the credit can only apply to future usage. The following table demonstrates what resources are covered by DDos bill protection:

Endpoint Type Covered Usage Increase
  • External Application Load Balancer
  • External proxy Network Load Balancer
Google Cloud Armor Cloud Armor Enterprise data processing fee
Network Outbound data transfer
Inter-region
Inter-zone
Carrier peering
Load balancer Inbound data processing fee
Outbound data processing fee
Media CDNMedia CDN egress fee (external Application Load Balancer only)
  • External passthrough Network Load Balancer
  • Protocol forwarding
  • Public IP addresses (VMs)
Google Cloud Armor Cloud Armor Enterprise data processing fee
Network Outbound data transfer
Inter-region
Inter-zone
Carrier peering
Load balancer Inbound data processing fee
Outbound data processing fee

To engage DDoS bill protection, see Engaging DDoS bill protection.

Migrating projects between billing accounts

Beginning September 3, 2024, if you migrate your project from one billing account to another while subscribed to Cloud Armor Enterprise Annual, but your new billing account is not subscribed to Cloud Armor Enterprise Annual, your project reverts to Google Cloud Armor Standard after the migration completes. Therefore, if you want to keep your project in Cloud Armor Enterprise Annual without downtime, we recommend that you subscribe your new billing account to Cloud Armor Enterprise Annual before you begin the migration process. You can also migrate your subscription from one billing account to the other by reaching out to Cloud Billing support.

Projects enrolled in Cloud Armor Enterprise Paygo are not affected by billing account migration.

Downgrading from Cloud Armor Enterprise

When you remove a project from Cloud Armor Enterprise, any security policies that use rules with Cloud Armor Enterprise-exclusive features (advanced rules) become frozen. Frozen security policies have the following properties:

  • Google Cloud Armor continues to evaluate traffic against rules in the policy, including any advanced rules.
  • You cannot attach the security policy to new targets.
  • You can only perform the following operations on the security policy:
    • You can delete security policy rules.
    • If you don't change the rule priority, you can update advanced rules so that they no longer use Cloud Armor Enterprise-exclusive features. If you modify all advanced rules in this way, your policy is no longer frozen. For more information about updating security policy rules, see Update a single rule in a security policy.

You can also re-enroll in Cloud Armor Enterprise Annual or Cloud Armor Enterprise Paygo to restore access to your frozen security policies.

Advanced network DDoS protection

Advanced network DDoS protection is only availalable to projects enrolled in Cloud Armor Enterprise. When you remove a project with an active advanced network DDoS policy from Cloud Armor Enterprise, you are still billed for the feature based on Cloud Armor Enterprise pricing.

We recommend that you delete any advanced network DDoS protection rules before you unenroll your project from Cloud Armor Enterprise, but you can also delete advanced network DDoS protection rules after downgrading.

Terms and limitations

Cloud Armor Enterprise has the following terms and limitations:

  • Generally: If a Project enrolled in Cloud Armor Enterprise experiences a third-party denial of service attack on a protected endpoint ("Qualified Attack") and the conditions described in the next section are met, Google provides a credit equivalent to the Covered Fees, provided that the Covered Fees incurred exceed the Minimum Threshold. Load tests and security assessments performed by or on behalf of Customer are not Qualified Attacks.
  • Conditions: Customer must submit a request to Cloud Billing Support within 30 days after the end of the Qualified Attack. The request must include evidence of the Qualified Attack, such as logs or other telemetry indicating the timing of the attack and the Projects and resources that were attacked, and an estimate of the Covered Fees incurred. Google will reasonably determine whether credits are due and the appropriate amount. Other conditions for particular Google Cloud Armor features are included in the Documentation.
  • Credits: Any credits provided to Customer in connection with this Section have no cash value and can only be applied to offset future Fees for the Services. These credits expire 12 months after being issued or upon termination or expiration of the Agreement.
  • Definitions:
    • Covered Fees: Any Fees incurred by Customer as a direct result of the Qualified Attack for the following:
      • Ingress and outbound data processing for the Google Cloud Load Balancer Service.
      • Google Cloud Armor Enterprise data processing for the Google Cloud Armor Service.
      • Network egress, including inter-region, inter-zone, internet, and Carrier Peering egress.
    • Minimum Threshold: The minimum amount of Covered Fees that are eligible to be credited under this Section as determined by Google from time to time and disclosed to Customer on request.

What's next