Google Cloud Armor Managed Protection is the managed application protection service that helps protect your web applications and services from distributed denial-of-service (DDoS) attacks and other threats from the internet. Managed Protection helps protect applications deployed on Google Cloud, on-premises, or on other infrastructure providers.
Standard tier versus Plus tier
Managed Protection is offered in two service tiers, Standard and Plus:
Standard tier includes a pay-as-you go pricing model, always-on protection from volumetric and protocol-based DDoS attacks across your globally load-balanced infrastructure, and access to Google Cloud Armor web application firewall (WAF) rule capabilities, including preconfigured WAF rules for OWASP Top 10 protection.
Plus tier includes a monthly subscription that includes all the features of Standard tier, as well as bundled Google Cloud Armor WAF usage (including rules, policy, and HTTP(S) requests), third-party named IP address lists, and Adaptive Protection.
All projects that include HTTP(S) Load Balancing, TCP Proxy Load Balancing, or SSL Proxy Load Balancing are automatically enrolled in Managed Protection Standard. After subscribing to Managed Protection Plus at the billing account level, users can choose to enroll individual projects attached to the billing account in Managed Protection Plus.
The following table summarizes the two service tiers.
|Standard tier||Plus tier|
|Billing method||Pay-as-you-go||Monthly subscription + Data Processing Fee (see Pricing)|
|DDoS attack protection||
||Google Cloud Armor WAF||Per policy, per rule, per request (see Pricing)||Included with Plus subscription|
|Resource limits||Up to quota limit||Up to quota limit|
|Preconfigured WAF rules||Yes||Yes|
|Time commitment||N/A||One year|
|Named IP address lists||No||Yes|
|Adaptive Protection||Preview only||Yes|
|DDoS response support||N/A||Yes (w/ Premium Support)|
|DDoS bill protection||N/A||Yes|
Subscribing to Managed Protection Plus
To use the additional services and capabilities in Managed Protection Plus, you must first subscribe to Managed Protection Plus. After your Managed Protection Plus subscription is activated for the billing account, you must then enroll individual projects in Managed Protection Plus.
After a project is enrolled in Managed Protection Plus, the forwarding rules for HTTP(S) Load Balancing, SSL Proxy Load Balancing, and TCP Proxy Load Balancing within the project are added to the subscription. In addition, all backend services served by those forwarding rules are counted as protected resources and are metered for the Managed Protection Plus monthly subscription cost. The backend services in Managed Protection Plus are aggregated across all enrolled projects in a billing account.
DDoS response support
Google Cloud Armor Managed Protection distributed denial-of-service (DDoS) response support lets you receive 24/7 help and potential custom mitigations from DDoS attacks from the same team that protects all Google services. You can engage DDoS support during an attack to help mitigate the attack, or you can reach out proactively to plan for an upcoming high volume or potentially viral event (one which might attract an unusually high amount of visitors).
To engage DDoS response support, see Engaging DDoS response support.
DDoS bill protection
Google Cloud Armor DDoS bill protection provides credits for future Google Cloud usage for some increases in the bills from Cloud Load Balancing, Google Cloud Armor, and network internet, inter-region, and inter-zone egress as a result of a verified DDoS attack. If a claim is recognized and a credit is provided, the credit cannot be used to offset existing usage; the credit can only apply to future usage. The following table demonstrates what resources are covered by DDos bill protection:
|Endpoint Type||Covered Usage Increase|
|External HTTP(S) Load Balancing, external TCP Proxy Load Balancing, external SSL Proxy Load Balancing||Cloud Load Balancing
|Google Cloud Armor
To engage DDoS bill protection, see Engaging DDoS bill protection.
Terms and limitations
DDoS bill protection Credit is subject to the terms below:
Google Cloud Armor - Managed Protection Plus
- Generally. If a Project enrolled in Managed Protection Plus experiences a third-party denial of service attack on a protected endpoint ("Qualified Attack") and the conditions below are met, Google will provide a credit equivalent to the Covered Fees provided that the Covered Fees incurred exceed the Minimum Threshold. Load tests and security assessments performed by or on behalf of Customer are not Qualified Attacks.
- Conditions. Customer must submit a request to Cloud Billing Support within 30 days after the end of the Qualified Attack. The request must include evidence of the Qualified Attack, such as logs or other telemetry indicating the timing of the attack and the Projects and resources that were attacked, and an estimate of the Covered Fees incurred. Google will reasonably determine whether credits are due and the appropriate amount.
- Credits. Any credits provided to Customer in connection with this section have no cash value and can only be applied to offset future Fees for Google Cloud Services. These credits will expire within 12 months of being issued or upon termination or expiration of the Agreement.
- Definitions. "Covered Fees" means any Fees incurred by Customer as
a direct result of the Qualified Attack for:
- Ingress data processing for the Google Cloud Load Balancer Service;
- Managed Protection Plus data processing fee for the Google Cloud Armor Service; and
- Network egress, including inter-region, inter-zone, internet, and carrier peering egress
"Minimum Threshold" means the minimum amount of Covered Fees that are eligible to be credited under this Section as determined by Google from time to time and disclosed to Customer on request.
- Subscribe and enroll projects in Managed Protection Plus
- Troubleshoot issues
- Use the custom rules language reference