This guide provides instructions for using Google Cloud Armor Enterprise. To learn more about the product, see the Cloud Armor Enterprise overview.
Required IAM permissions
To subscribe a billing account to Cloud Armor Enterprise or to toggle the
auto-renew setting of the subscription, you must be a user with the
Identity and Access Management (IAM) permission billing.accounts.update
for the billing
account that is being subscribed.
To enroll a project into the Cloud Armor Enterprise subscription, you must have the following IAM permissions for the currently selected project that you are enrolling in Cloud Armor Enterprise:
resourcemanager.projects.createBillingAssignment
resourcemanager.projects.update
compute.projects.setManagedProtectionTier
To learn more about billing permissions, see Overview of Cloud Billing access control.
Subscribe to Cloud Armor Enterprise and enroll projects
To subscribe to Cloud Armor Enterprise and enroll the current project, follow these steps. The enrollment paths for Cloud Armor Enterprise Annual and Cloud Armor Enterprise Paygo are not the same, and some paths are exclusive to the Google Cloud console or to the Google Cloud CLI.
Console
Subscribe to Cloud Armor Enterprise Annual
In the Google Cloud console, go to the Cloud Armor Service Tier page. If your subscription is active, then the billing account is already subscribed.
Click Subscribe and enroll in the Cloud Armor Enterprise Annual pane. You see a confirmation dialog.
Enroll in Cloud Armor Enterprise Paygo
In the Google Cloud console, go to the Cloud Armor Service Tier page.
Click Enroll in the Cloud Armor Enterprise Paygo pane.
gcloud
Subscribe to Cloud Armor Enterprise Annual
Enroll in Cloud Armor Enterprise Paygo
To enroll the current project in Cloud Armor Enterprise Paygo, use the following gcloud
command:
gcloud compute project-info update --cloud-armor-tier CA_ENTERPRISE_PAYGO
We strongly recommend that you enroll your projects in Cloud Armor Enterprise as soon as possible because activation can take up to 24 hours. During this period, you can continue to enroll projects.
To enroll additional projects, follow these steps.
Console
Enroll additional projects in Cloud Armor Enterprise Annual
In the Google Cloud console, go to the Cloud Armor Service Tier page.
In the Cloud Armor Enterprise Annual pane, click Enroll.
Enroll additional projects in Cloud Armor Enterprise Paygo
In the Google Cloud console, go to the Cloud Armor Service Tier page.
In the Cloud Armor Enterprise Paygo pane, click Enroll.
gcloud
Enroll additional projects in Cloud Armor Enterprise Annual
Enroll additional projects in Cloud Armor Enterprise Paygo
Use the following command to enroll a project in Cloud Armor Enterprise Paygo:
gcloud compute project-info update --cloud-armor-tier CA_ENTERPRISE_PAYGO
Remove a project from Cloud Armor Enterprise
Before you remove your project from Cloud Armor Enterprise, we recommend that you familiarize yourself with Downgrading from Cloud Armor Enterprise. After you unenroll a project from Cloud Armor Enterprise, up to twelve hours might elapse before the change takes effect. You can continue to unenroll (or enroll) other projects during this period.
To unenroll a project from Cloud Armor Enterprise, follow these steps.
Console
Unenroll a project from Cloud Armor Enterprise Annual
In the Google Cloud console, go to the Cloud Armor Service Tier page.
In the Standard pane, click Enroll.
Unenroll a project from Cloud Armor Enterprise Paygo
In the Google Cloud console, go to the Cloud Armor Service Tier page.
In the Standard pane, click Enroll.
gcloud
Unenroll a project from Cloud Armor Enterprise Annual
You cannot unenroll a project from Cloud Armor Enterprise Annual using the Google Cloud CLI. You must use the Google Cloud console instead.
Unenroll a project from Cloud Armor Enterprise Paygo
gcloud compute project-info update --cloud-armor-tier CA_STANDARD
View or change your enrollment tier
Use the following sections to view your current Cloud Armor Enterprise enrollment tier, to change your enrollment from Cloud Armor Enterprise Annual to Cloud Armor Enterprise Paygo, or to change your enrollment from Cloud Armor Enterprise Paygo to Cloud Armor Enterprise Annual.
View current Cloud Armor Enterprise enrollment tier
Use these instructions to view your current Cloud Armor Enterprise enrollment tier.
Console
In the Google Cloud console, go to the Cloud Armor Service Tier page.
You see the available Cloud Armor Enterprise service tiers, including Cloud Armor Enterprise Paygo and Cloud Armor Enterprise Paygo. Your current Cloud Armor Enterprise enrollment tier is highlighted, and has the status "Enrolled" in the Project field.
gcloud
To view your current Cloud Armor Enterprise enrollment tier use the
following gcloud
command:
gcloud compute project-info describe
View the number of backend services and backend buckets covered by an enrollment
Each project that is enrolled in Cloud Armor Enterprise shows the number of backend services and backend buckets covered on the Cloud Armor Enterprise page. The number that you see is the total number of backend services and backend buckets covered by the enrollment.
If the project is enrolled in Cloud Armor Enterprise Standard, which is the default tier, this count is not displayed.
Change enrollment from Cloud Armor Enterprise Annual to Cloud Armor Enterprise Paygo
Follow these steps to change your enrollment from Cloud Armor Enterprise Annual to Cloud Armor Enterprise Paygo:
Change enrollment from Cloud Armor Enterprise Paygo to Cloud Armor Enterprise Annual
Follow these steps to change your enrollment from Cloud Armor Enterprise Paygo to Cloud Armor Enterprise Annual:
Unsubscribe a billing account from Cloud Armor Enterprise Annual
A Cloud Armor Enterprise Annual subscription is a one-year commitment that is renewed automatically. To prevent renewal at the end of the one-year term, you must disable automatic renewal. After automatic renewal is disabled, when you reach the end of the current one-year subscription period, your Cloud Armor Enterprise Annual subscription is not renewed, and all projects in the billing account that are enrolled to Cloud Armor Enterprise Annual revert to Cloud Armor Enterprise Standard.
To cancel Cloud Armor Enterprise Annual auto-renewal, follow these steps.
Console
When you are signed in to the subscribed billing account, in the Google Cloud console, go to the Cloud Armor Service Tier page.
Click Auto-Renew (off). Your Cloud Armor Enterprise subscription is not renewed when your current subscription expires. At that time, projects enrolled in Cloud Armor Enterprise are no longer enrolled. They still receive the DDoS protection provided in Cloud Armor Enterprise Standard.
You can resubscribe a billing account to Cloud Armor Enterprise Annual at any time. If you do so, you must also re-enroll projects for which you want to benefit from the Cloud Armor Enterprise pricing models and additional capabilities.
Open a DDoS response support case
To engage DDoS response support, you open a support case through the Google Cloud console. For customers that meet the eligibility requirements, your case is escalated to the Google Cloud Armor DDoS Response Team for support, triage, and potential mitigation.
To open a DDoS response support case, see Get support for a DDoS case.
Engage DDoS bill protection
To file a claim for DDoS Bill Protection, your project must be enrolled in Cloud Armor Enterprise Annual, and you must prepare the following information:
- The billing account associated with the targeted project.
- The project number of the project containing the targeted resource.
- The internet-facing IP address of the targeted resource.
- The time that the attack started.
- The time that the attack concluded.
- Normal traffic volumes for the impacted service.
- Attack volumes for the impacted service.
You can initiate a chat or contact billing support through the Google Cloud console. For more information on contacting Cloud Billing Support, see How to contact Cloud Billing Support.
Cross-project referencing requirements
If you use cross-project service referencing and you want to take advantage of the Cloud Armor Enterprise pricing, both the frontend and backend service projects must be enrolled in Cloud Armor Enterprise Annual.
Qualified Attacks
For external passthrough Network Load Balancers, protocol forwarding, and public IP addresses (VMs), an attack is considered a Qualified Attack (as described in the Google Cloud Armor terms and limitations) only if advanced DDoS protection was already enabled for the region with the attacked endpoint at the start of the attack.
Use Threat Intelligence
To use
Threat Intelligence, you
configure a security policy using the evaluateThreatIntelligence
match
expression, providing a feed name based on the category that you want to
allow or block. If Threat Intelligence incorrectly blocks an IP address, you can
add the IP address to the exclusion list to allow traffic.
Troubleshooting Cloud Armor Enterprise
This section provides information to help you resolve any issues with Cloud Armor Enterprise.
You subscribed to Cloud Armor Enterprise Annual, but your bill continues to be pay-as-you-go
If you subscribed to Cloud Armor Enterprise and you are still being billed on a pay-as-you-go basis, check whether you enrolled your projects in Cloud Armor Enterprise.
The Subscribe
button is unavailable
If you are unable to subscribe to Cloud Armor Enterprise Annual because the
Subscribe
button is unavailable, do the following:
- Ensure that the user who is trying to subscribe has sufficient
IAM permissions:
- The user must have
billing.accounts.update
permissions for subscribing at the billing account level. - The user must have
resourcemanager.projects.createBillingAssignment
andresourcemanager.projects.update
for enrolling individual projects into or out of the tier.
- The user must have
Billing discrepancies
If these troubleshooting tips don't resolve the problems that you are experiencing, contact the Google Cloud billing support team.