Google Cloud Armor Managed Protection overview

Google Cloud Armor Managed Protection is the managed application protection service that helps protect your web applications and services from distributed denial-of-service (DDoS) attacks and other threats from the internet. Managed Protection helps protect applications deployed on Google Cloud, on-premises, or on other infrastructure providers.

Google Cloud Armor Standard versus Managed Protection Plus

Google Cloud Armor is offered in two service tiers, Standard and Managed Protection Plus:

  • Google Cloud Armor Standard includes the following:

    • A pay-as-you go pricing model
    • Always-on protection from volumetric and protocol-based DDoS attacks across your globally and regionally load-balanced infrastructure
    • Access to Google Cloud Armor web application firewall (WAF) rule capabilities, including preconfigured WAF rules for OWASP Top 10 protection
  • Managed Protection Plus includes the following:

All projects that include an external Application Load Balancer or an external proxy Network Load Balancer are automatically enrolled in Google Cloud Armor Standard. After subscribing to Managed Protection Plus at the billing account level, users can choose to enroll individual projects attached to the billing account in Managed Protection Plus.

The following table summarizes the two service tiers.

Google Cloud Armor Standard Managed Protection Plus
Paygo Annual
Billing method Pay-as-you-go Pay-as-you-go Subscription with 12-month commitment
Pricing Per policy, per rule, per request (see Pricing)
  • $200/month per project
  • $200/month per protected resource after first 2 resources
  • $3000/month per billing account
  • $30/month per protected resource after first 100 resources
DDoS attack protection
  • External Application Load Balancer
  • External proxy Network Load Balancer
  • External Application Load Balancer
  • External proxy Network Load Balancer
  • External passthrough Network Load Balancer
  • Protocol forwarding
  • Public IP addresses (VMs)
Advanced network DDoS protection No Yes
Network edge security policies No Yes
Google Cloud Armor WAF Per policy, per rule, per request (see Pricing) Included with Paygo Included with Annual
Resource limits Up to quota limit Up to quota limit Up to quota limit
Time commitment N/A N/A One year
Named IP address lists
Threat Intelligence
Adaptive Protection Alerting only
DDoS attack visibility N/A
DDoS response support N/A (w/ Premium Support)
DDoS bill protection N/A

Subscribe to Managed Protection Plus

To use the additional services and capabilities in Managed Protection Plus, you must first enroll in Managed Protection Plus. You can subscribe to Managed Protection Plus Annual and enroll individual projects, or you can enroll a project directly in Managed Protection Plus Paygo.

We strongly recommend that you enroll your projects in Managed Protection Plus as soon as possible because activation can take up to 24 hours.

External Application Load Balancer and external proxy Network Load Balancer

After a project is enrolled in Managed Protection Plus, the forwarding rules within the project are added to the enrollment. In addition, all backend services and backend buckets are counted as protected resources and are metered for the Managed Protection protected resources cost. The backend services and backend buckets in Managed Protection Plus Annual are aggregated across all enrolled projects in a billing account, whereas the backend services and backend buckets in Managed Protection Plus Paygo are aggregated within the project.

External passthrough Network Load Balancer, protocol forwarding, and public IP addresses (VMs)

Google Cloud Armor offers the following options to protect these endpoints against DDoS attacks:

  • Standard network DDoS protection: basic always-on protection for external passthrough Network Load Balancers, protocol forwarding, or VMs with public IP addresses. This includes forwarding rule enforcement and automatic rate limiting. This is covered under Google Cloud Armor Standard and does not require any additional subscriptions.
  • Advanced network DDoS protection: additional protections for Managed Protection Plus subscribers. Advanced network DDoS protection is configured on a per-region basis. When enabled for a particular region, Google Cloud Armor provides always-on volumetric attack detection and targeted mitigation for external passthrough Network Load Balancers, protocol forwarding, and VMs with public IP addresses in that region.

DDoS response support

Google Cloud Armor Managed Protection distributed denial-of-service (DDoS) response support requires your project to be enrolled in Managed Protection Plus Annual. Response support provides 24/7 help and potential custom mitigations from DDoS attacks from the same team that protects all Google services. You can engage response support during an attack to help mitigate the attack, or you can reach out proactively to plan for an upcoming high volume or potentially viral event (one which might attract an unusually high amount of visitors).

To engage DDoS response support, see Engaging DDoS response support.

DDoS bill protection

Google Cloud Armor DDoS bill protection requires your project to be enrolled in Managed Protection Plus Annual. It provides credits for future Google Cloud usage for some increases in the bills from Cloud Load Balancing, Google Cloud Armor, and network internet, inter-region, and inter-zone outbound data transfer as a result of a verified DDoS attack. If a claim is recognized and a credit is provided, the credit cannot be used to offset existing usage; the credit can only apply to future usage. The following table demonstrates what resources are covered by DDos bill protection:

Endpoint Type Covered Usage Increase
  • External Application Load Balancer
  • External proxy Network Load Balancer
Google Cloud Armor Managed Protection data processing fee
Network Outbound data transfer
Inter-region
Inter-zone
Carrier peering
Load balancer Inbound data processing fee
Outbound data processing fee
  • External passthrough Network Load Balancer
  • Protocol forwarding
  • Public IP addresses (VMs)
Google Cloud Armor Managed Protection data processing fee
Network Outbound data transfer
Inter-region
Inter-zone
Carrier peering
Load balancer Inbound data processing fee
Outbound data processing fee

To engage DDoS bill protection, see Engaging DDoS bill protection.

Downgrading from Managed Protection Plus

When you remove a project from Managed Protection Plus, any security policies that use rules with Managed Protection Plus-exclusive features (advanced rules) become frozen. Frozen security policies have the following properties:

  • Google Cloud Armor continues to evaluate traffic against rules in the policy, including any advanced rules.
  • You cannot attach the security policy to new targets.
  • You can only perform the following operations on the security policy:
    • You can delete security policy rules.
    • If you don't change the rule priority, you can update advanced rules so that they no longer use Managed Protection Plus-exclusive features. If you modify all advanced rules in this way, your policy is no longer frozen. For more information about updating security policy rules, see Update a single rule in a security policy.

You can also re-enroll in Managed Protection Plus Annual or Managed Protection Plus Paygo to restore access to your frozen security policies.

Advanced network DDoS protection

Advanced network DDoS protection is only availalable to projects enrolled in Managed Protection Plus. When you remove a project with an active advanced network DDoS policy from Managed Protection Plus, you are still billed for the feature based on Managed Protection Plus pricing.

We recommend that you delete any advanced network DDoS protection rules before you unenroll your project from Managed Protection Plus, but you can also delete advanced network DDoS protection rules after downgrading.

Terms and limitations

Managed Protection Plus has the following terms and limitations:

  • Generally: If a Project enrolled in Managed Protection Plus experiences a third-party denial of service attack on a protected endpoint ("Qualified Attack") and the conditions described in the next section are met, Google provides a credit equivalent to the Covered Fees, provided that the Covered Fees incurred exceed the Minimum Threshold. Load tests and security assessments performed by or on behalf of Customer are not Qualified Attacks.
  • Conditions: Customer must submit a request to Cloud Billing Support within 30 days after the end of the Qualified Attack. The request must include evidence of the Qualified Attack, such as logs or other telemetry indicating the timing of the attack and the Projects and resources that were attacked, and an estimate of the Covered Fees incurred. Google will reasonably determine whether credits are due and the appropriate amount. Other conditions for particular Google Cloud Armor features are included in the Documentation.
  • Credits: Any credits provided to Customer in connection with this Section have no cash value and can only be applied to offset future Fees for the Services. These credits expire 12 months after being issued or upon termination or expiration of the Agreement.
  • Definitions:
    • Covered Fees: Any Fees incurred by Customer as a direct result of the Qualified Attack for the following:
      • Ingress and outbound data processing for the Google Cloud Load Balancer Service.
      • Google Cloud Armor Managed Protection Plus data processing for the Google Cloud Armor Service.
      • Network egress, including inter-region, inter-zone, internet, and Carrier Peering egress.
    • Minimum Threshold: The minimum amount of Covered Fees that are eligible to be credited under this Section as determined by Google from time to time and disclosed to Customer on request.

What's next