Use Google Cloud Armor Enterprise

This guide provides instructions for using Google Cloud Armor Enterprise. To learn more about the product, see the Cloud Armor Enterprise overview.

Required IAM permissions

To subscribe a billing account to Cloud Armor Enterprise or to toggle the auto-renew setting of the subscription, you must be a user with the Identity and Access Management (IAM) permission billing.accounts.update for the billing account that is being subscribed.

To enroll a project into the Cloud Armor Enterprise subscription, you must have the following IAM permissions for the currently selected project that you are enrolling in Cloud Armor Enterprise:

  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.update
  • compute.projects.setCloudArmorTier

To learn more about billing permissions, see Overview of Cloud Billing access control.

Subscribe to Cloud Armor Enterprise and enroll projects

To subscribe to Cloud Armor Enterprise and enroll the current project, follow these steps. The enrollment paths for Cloud Armor Enterprise Annual and Cloud Armor Enterprise Paygo are not the same, and some paths are exclusive to the Google Cloud console or to the Google Cloud CLI.

Console

Subscribe to Cloud Armor Enterprise Annual

  1. In the Google Cloud console, go to the Cloud Armor Service Tier page. If your subscription is active, then the billing account is already subscribed.

    Go to Cloud Armor Service Tier

  2. Click Subscribe and enroll in the Cloud Armor Enterprise Annual pane. You see a confirmation dialog.

Enroll in Cloud Armor Enterprise Paygo

  1. In the Google Cloud console, go to the Cloud Armor Service Tier page.

    Go to Cloud Armor Service Tier

  2. Click Enroll in the Cloud Armor Enterprise Paygo pane.

gcloud

Subscribe to Cloud Armor Enterprise Annual

Enroll in Cloud Armor Enterprise Paygo

To enroll the current project in Cloud Armor Enterprise Paygo, use the following gcloud command:

gcloud compute project-info update --cloud-armor-tier CA_ENTERPRISE_PAYGO

We strongly recommend that you enroll your projects in Cloud Armor Enterprise as soon as possible because activation can take up to 24 hours. During this period, you can continue to enroll projects.

To enroll additional projects, follow these steps.

Console

Enroll additional projects in Cloud Armor Enterprise Annual

  1. In the Google Cloud console, go to the Cloud Armor Service Tier page.

    Go to Cloud Armor Service Tier

  2. In the Cloud Armor Enterprise Annual pane, click Enroll.

Enroll additional projects in Cloud Armor Enterprise Paygo

  1. In the Google Cloud console, go to the Cloud Armor Service Tier page.

    Go to Cloud Armor Service Tier

  2. In the Cloud Armor Enterprise Paygo pane, click Enroll.

gcloud

Enroll additional projects in Cloud Armor Enterprise Annual

Enroll additional projects in Cloud Armor Enterprise Paygo

Use the following command to enroll a project in Cloud Armor Enterprise Paygo:

gcloud compute project-info update --cloud-armor-tier CA_ENTERPRISE_PAYGO

Remove a project from Cloud Armor Enterprise

Before you remove your project from Cloud Armor Enterprise, we recommend that you familiarize yourself with Downgrading from Cloud Armor Enterprise. After you unenroll a project from Cloud Armor Enterprise, up to twelve hours might elapse before the change takes effect. You can continue to unenroll (or enroll) other projects during this period.

To unenroll a project from Cloud Armor Enterprise, follow these steps.

Console

Unenroll a project from Cloud Armor Enterprise Annual

  1. In the Google Cloud console, go to the Cloud Armor Service Tier page.

    Go to Cloud Armor Service Tier

  2. In the Standard pane, click Enroll.

Unenroll a project from Cloud Armor Enterprise Paygo

  1. In the Google Cloud console, go to the Cloud Armor Service Tier page.

    Go to Cloud Armor Service Tier

  2. In the Standard pane, click Enroll.

gcloud

Unenroll a project from Cloud Armor Enterprise Annual

You cannot unenroll a project from Cloud Armor Enterprise Annual using the Google Cloud CLI. You must use the Google Cloud console instead.

Unenroll a project from Cloud Armor Enterprise Paygo

gcloud compute project-info update --cloud-armor-tier CA_STANDARD

View or change your enrollment tier

Use the following sections to view your current Cloud Armor Enterprise enrollment tier, to change your enrollment from Cloud Armor Enterprise Annual to Cloud Armor Enterprise Paygo, or to change your enrollment from Cloud Armor Enterprise Paygo to Cloud Armor Enterprise Annual.

View current Cloud Armor Enterprise enrollment tier

Use these instructions to view your current Cloud Armor Enterprise enrollment tier.

Console

  1. In the Google Cloud console, go to the Cloud Armor Service Tier page.

    Go to Cloud Armor Service Tier

  2. You see the available Cloud Armor Enterprise service tiers, including Cloud Armor Enterprise Paygo and Cloud Armor Enterprise Paygo. Your current Cloud Armor Enterprise enrollment tier is highlighted, and has the status "Enrolled" in the Project field.

gcloud

To view your current Cloud Armor Enterprise enrollment tier use the following gcloud command:

gcloud compute project-info describe

View the number of backend services and backend buckets covered by an enrollment

Each project that is enrolled in Cloud Armor Enterprise shows the number of backend services and backend buckets covered on the Cloud Armor Enterprise page. The number that you see is the total number of backend services and backend buckets covered by the enrollment.

If the project is enrolled in Cloud Armor Enterprise Standard, which is the default tier, this count is not displayed.

Change enrollment from Cloud Armor Enterprise Annual to Cloud Armor Enterprise Paygo

Follow these steps to change your enrollment from Cloud Armor Enterprise Annual to Cloud Armor Enterprise Paygo:

  1. Unenroll your project from Cloud Armor Enterprise Annual.
  2. Enroll in Cloud Armor Enterprise Paygo.

Change enrollment from Cloud Armor Enterprise Paygo to Cloud Armor Enterprise Annual

Follow these steps to change your enrollment from Cloud Armor Enterprise Paygo to Cloud Armor Enterprise Annual:

  1. Unenroll your project from Cloud Armor Enterprise Paygo.
  2. Enroll in Cloud Armor Enterprise Annual.

Unsubscribe a billing account from Cloud Armor Enterprise Annual

A Cloud Armor Enterprise Annual subscription is a one-year commitment that is renewed automatically. To prevent renewal at the end of the one-year term, you must disable automatic renewal. After automatic renewal is disabled, when you reach the end of the current one-year subscription period, your Cloud Armor Enterprise Annual subscription is not renewed, and all projects in the billing account that are enrolled to Cloud Armor Enterprise Annual revert to Cloud Armor Enterprise Standard.

To cancel Cloud Armor Enterprise Annual auto-renewal, follow these steps.

Console

  1. When you are signed in to the subscribed billing account, in the Google Cloud console, go to the Cloud Armor Service Tier page.

    Go to Cloud Armor Service Tier

  2. Click Auto-Renew (off). Your Cloud Armor Enterprise subscription is not renewed when your current subscription expires. At that time, projects enrolled in Cloud Armor Enterprise are no longer enrolled. They still receive the DDoS protection provided in Cloud Armor Enterprise Standard.

You can resubscribe a billing account to Cloud Armor Enterprise Annual at any time. If you do so, you must also re-enroll projects for which you want to benefit from the Cloud Armor Enterprise pricing models and additional capabilities.

Open a DDoS response support case

To engage DDoS response support, you open a support case through the Google Cloud console. For customers that meet the eligibility requirements, your case is escalated to the Google Cloud Armor DDoS Response Team for support, triage, and potential mitigation.

To open a DDoS response support case, see Get support for a DDoS case.

Engage DDoS bill protection

To file a claim for DDoS Bill Protection, your project must be enrolled in Cloud Armor Enterprise Annual, and you must prepare the following information:

  • The billing account associated with the targeted project.
  • The project number of the project containing the targeted resource.
  • The internet-facing IP address of the targeted resource.
  • The time that the attack started.
  • The time that the attack concluded.
  • Normal traffic volumes for the impacted service.
  • Attack volumes for the impacted service.

You can initiate a chat or contact billing support through the Google Cloud console. For more information on contacting Cloud Billing Support, see How to contact Cloud Billing Support.

Cross-project referencing requirements

If you use cross-project service referencing and you want to take advantage of the Cloud Armor Enterprise pricing, both the frontend and backend service projects must be enrolled in Cloud Armor Enterprise Annual.

Qualified Attacks

For external passthrough Network Load Balancers, protocol forwarding, and public IP addresses (VMs), an attack is considered a Qualified Attack (as described in the Google Cloud Armor terms and limitations) only if advanced DDoS protection was already enabled for the region with the attacked endpoint at the start of the attack.

Use Threat Intelligence

To use Threat Intelligence, you configure a security policy using the evaluateThreatIntelligence match expression, providing a feed name based on the category that you want to allow or block. If Threat Intelligence incorrectly blocks an IP address, you can add the IP address to the exclusion list to allow traffic.

Troubleshooting Cloud Armor Enterprise

This section provides information to help you resolve any issues with Cloud Armor Enterprise.

You subscribed to Cloud Armor Enterprise Annual, but your bill continues to be pay-as-you-go

If you subscribed to Cloud Armor Enterprise and you are still being billed on a pay-as-you-go basis, check whether you enrolled your projects in Cloud Armor Enterprise.

The Subscribe button is unavailable

If you are unable to subscribe to Cloud Armor Enterprise Annual because the Subscribe button is unavailable, do the following:

  • Ensure that the user who is trying to subscribe has sufficient IAM permissions:
    • The user must have billing.accounts.update permissions for subscribing at the billing account level.
    • The user must have resourcemanager.projects.createBillingAssignment and resourcemanager.projects.update for enrolling individual projects into or out of the tier.

Billing discrepancies

If these troubleshooting tips don't resolve the problems that you are experiencing, contact the Google Cloud billing support team.

What's next