Google Cloud Armor Managed Protection is the managed application protection service that helps protect your web applications and services from distributed denial-of-service (DDoS) attacks and other threats from the internet. Managed Protection helps protect applications deployed on Google Cloud, on-premises, or on other infrastructure providers.
Google Cloud Armor Standard versus Managed Protection Plus
Google Cloud Armor is offered in two service tiers, Standard and Managed Protection Plus:
Google Cloud Armor Standard includes the following:
- A pay-as-you-go pricing model
- Always-on protection from volumetric and protocol-based DDoS attacks across your globally and regionally load-balanced infrastructure
- Access to Google Cloud Armor web application firewall (WAF) rule capabilities, including preconfigured WAF rules for OWASP Top 10 protection
Managed Protection Plus is a monthly subscription that includes the following:
- All the features of Google Cloud Armor Standard
- Bundled Google Cloud Armor WAF usage, including rules, policy, and requests
- Third-party named IP address lists
- Threat Intelligence for Google Cloud Armor
- Adaptive Protection for Layer 7 endpoints
- Advanced network DDoS protection for pass-through endpoints—external passthrough Network Load Balancers, protocol forwarding, and public IP addresses for virtual machine (VM) instances
- Access to DDoS bill protection and DDoS response team services
- Access to DDoS attack visibility
All projects that include an external Application Load Balancer or an external proxy Network Load Balancer are automatically enrolled in Google Cloud Armor Standard. After subscribing to Managed Protection Plus at the billing account level, users can choose to enroll individual projects attached to the billing account in Managed Protection Plus.
The following table summarizes the two service tiers.
| | Google Cloud Armor Standard | Managed Protection Plus |
---|---|---|
Billing method | Pay-as-you-go | Monthly subscription + data processing fee (see Pricing) |
DDoS attack protection | | |
Advanced network DDoS protection | No | Yes |
Google Cloud Armor WAF | Per policy, per rule, per request (see Pricing) | Included with Plus subscription |
Resource limits | Up to quota limit | Up to quota limit |
Preconfigured WAF rules | Yes | Yes |
Time commitment | N/A | One year |
Named IP address lists | No | Yes |
Threat Intelligence | No | Yes |
Adaptive Protection | Alerting only | Yes |
DDoS response support | N/A | Yes (w/ Premium Support) |
DDoS bill protection | N/A | Yes |
DDoS attack visibility | N/A | Yes |
Subscribing to Managed Protection Plus
To use the additional services and capabilities in Managed Protection Plus, you must first subscribe to Managed Protection Plus. After your Managed Protection Plus subscription is activated for the billing account, you must then enroll individual projects in Managed Protection Plus.
We strongly recommend that you enroll your projects in Managed Protection Plus as soon as possible because activation can take up to 24 hours.
External Application Load Balancer and external proxy Network Load Balancer
After a project is enrolled in Managed Protection Plus, the forwarding rules within the project are added to the subscription. In addition, all backend services and backend buckets are counted as protected resources and are metered for the Managed Protection Plus monthly subscription cost. The backend services and backend buckets in Managed Protection Plus are aggregated across all enrolled projects in a billing account.
External passthrough Network Load Balancer, protocol forwarding, and public IP addresses (VMs)
Google Cloud Armor offers the following options to protect these endpoints against DDoS attacks:
- Standard network DDoS protection: basic always-on protection for external passthrough Network Load Balancers, protocol forwarding, or VMs with public IP addresses. This includes forwarding rule enforcement and automatic rate limiting. This is covered under Google Cloud Armor Standard and does not require any additional subscriptions.
- Advanced network DDoS protection: additional protections for Managed Protection Plus subscribers. Advanced network DDoS protection is configured on a per-region basis. When enabled for a particular region, Google Cloud Armor provides always-on volumetric attack detection and targeted mitigation for external passthrough Network Load Balancers, protocol forwarding, and VMs with public IP addresses in that region.
DDoS response support
Google Cloud Armor Managed Protection distributed denial-of-service (DDoS) response support gives you 24/7 help and potential custom mitigations for DDoS attacks from the same team that protects all Google services. You can engage DDoS support during an attack to help mitigate the attack, or you can reach out proactively to plan for an upcoming high-volume or potentially viral event (one which might attract an unusually high number of visitors).
To engage DDoS response support, see Engaging DDoS response support.
DDoS bill protection
Google Cloud Armor DDoS bill protection provides credits for future Google Cloud usage to cover some bill increases from Cloud Load Balancing, Google Cloud Armor, and network internet, inter-region, and inter-zone egress that result from a verified DDoS attack. If a claim is recognized and a credit is provided, the credit cannot be used to offset existing usage; the credit can only apply to future usage. The following table shows which resources are covered by DDoS bill protection:
Endpoint Type | Covered Usage Increase | |
---|---|---|
| | Google Cloud Armor | Managed Protection data processing fee |
| | Network | Network egress |
| | | Inter-region |
| | | Inter-zone |
| | | Carrier peering |
| | Load balancer | Ingress data processing fee |
| | | Outbound data processing fee |
| | Google Cloud Armor | Managed Protection data processing fee |
| | Network | Network egress |
| | | Inter-region |
| | | Inter-zone |
| | | Carrier peering |
| | Load balancer | Ingress data processing fee |
| | | Outbound data processing fee |
To engage DDoS bill protection, see Engaging DDoS bill protection.
Terms and limitations
To learn more about the terms and limitations of Managed Protection Plus, see the Service Specific Terms page and follow these steps:
- Click Service Terms.
- Scroll to Google Cloud Armor ‑ Managed Protection Plus.
What's next
- Subscribe and enroll projects in Managed Protection Plus
- Troubleshoot issues
- Use the custom rules language reference