Google Cloud Armor Managed Protection overview

Google Cloud Armor Managed Protection is the managed application protection service that helps protect your web applications and services from distributed denial-of-service (DDoS) attacks and other threats from the internet. Managed Protection helps protect applications deployed on Google Cloud, on-premises, or on other infrastructure providers.

Google Cloud Armor Standard versus Managed Protection Plus

Google Cloud Armor is offered in two service tiers, Standard and Managed Protection Plus:

  • Google Cloud Armor Standard includes a pay-as-you-go pricing model, always-on protection from volumetric and protocol-based DDoS attacks across your globally load-balanced infrastructure, and access to Google Cloud Armor web application firewall (WAF) rule capabilities, including preconfigured WAF rules for OWASP Top 10 protection.

  • Managed Protection Plus is a monthly subscription that includes all the features of Google Cloud Armor Standard, as well as bundled Google Cloud Armor WAF usage (including rules, policy, and HTTP(S) requests), third-party named IP address lists, and Adaptive Protection. Managed Protection Plus subscribers also get access to DDoS bill protection and DDoS response team services.

All projects that include HTTP(S) Load Balancing, TCP Proxy Load Balancing, or SSL Proxy Load Balancing are automatically enrolled in Google Cloud Armor Standard. After subscribing to Managed Protection Plus at the billing account level, users can choose to enroll individual projects attached to the billing account in Managed Protection Plus.

The following table summarizes the two service tiers.

| | Google Cloud Armor Standard | Managed Protection Plus |
|---|---|---|
| Billing method | Pay-as-you-go | Monthly subscription + Data Processing Fee (see Pricing) |
| DDoS attack protection | HTTP(S) Load Balancing; TCP Proxy Load Balancing; SSL Proxy Load Balancing | HTTP(S) Load Balancing; TCP Proxy Load Balancing; SSL Proxy Load Balancing |
| Google Cloud Armor WAF | Per policy, per rule, per request (see Pricing) | Included with Plus subscription |
| Resource limits | Up to quota limit | Up to quota limit |
| Preconfigured WAF rules | Yes | Yes |
| Time commitment | N/A | One year |
| Named IP address lists | No | Yes |
| Managed Protection | Preview only | Yes |
| DDoS response support | N/A | Yes (w/ Premium Support) |
| DDoS bill protection | N/A | Yes |

Subscribing to Managed Protection Plus

To use the additional services and capabilities in Managed Protection Plus, you must first subscribe to Managed Protection Plus. After your Managed Protection Plus subscription is activated for the billing account, you must then enroll individual projects in Managed Protection Plus.

After a project is enrolled in Managed Protection Plus, the forwarding rules for HTTP(S) Load Balancing, SSL Proxy Load Balancing, and TCP Proxy Load Balancing within the project are added to the subscription. In addition, all backend services served by those forwarding rules are counted as protected resources and are metered for the Managed Protection Plus monthly subscription cost. The backend services in Managed Protection Plus are aggregated across all enrolled projects in a billing account.

DDoS response support

Google Cloud Armor Managed Protection distributed denial-of-service (DDoS) response support lets you receive 24/7 help and potential custom mitigations for DDoS attacks from the same team that protects all Google services. You can engage DDoS support during an attack to help mitigate the attack, or you can reach out proactively to plan for an upcoming high-volume or potentially viral event (one that might attract an unusually high number of visitors).

To engage DDoS response support, see Engaging DDoS response support.

DDoS bill protection

Google Cloud Armor DDoS bill protection provides credits for future Google Cloud usage for some increases in the bills from Cloud Load Balancing, Google Cloud Armor, and network internet, inter-region, and inter-zone egress as a result of a verified DDoS attack. If a claim is recognized and a credit is provided, the credit cannot be used to offset existing usage; the credit can only apply to future usage. The following table shows which resources are covered by DDoS bill protection:

| Endpoint Type | Covered Usage Increase |
|---|---|
| External HTTP(S) Load Balancing, external TCP Proxy Load Balancing, external SSL Proxy Load Balancing | Cloud Load Balancing: Ingress Data Processing Fee; HTTP(S) Load Balancing Request Logging |
| | Google Cloud Armor: Managed Protection data processing fee |
| | Network egress: Inter-region, inter-zone egress; Internet egress; Carrier peering egress |

To engage DDoS bill protection, see Engaging DDoS bill protection.

Terms and limitations

DDoS bill protection Credit is subject to the terms below:

Google Cloud Armor - Managed Protection Plus

  1. Generally. If a Project enrolled in Managed Protection Plus experiences a third-party denial of service attack on a protected endpoint ("Qualified Attack") and the conditions below are met, Google will provide a credit equivalent to the Covered Fees provided that the Covered Fees incurred exceed the Minimum Threshold. Load tests and security assessments performed by or on behalf of Customer are not Qualified Attacks.
  2. Conditions. Customer must submit a request to Cloud Billing Support within 30 days after the end of the Qualified Attack. The request must include evidence of the Qualified Attack, such as logs or other telemetry indicating the timing of the attack and the Projects and resources that were attacked, and an estimate of the Covered Fees incurred. Google will reasonably determine whether credits are due and the appropriate amount.
  3. Credits. Any credits provided to Customer in connection with this section have no cash value and can only be applied to offset future Fees for Google Cloud Services. These credits will expire within 12 months of being issued or upon termination or expiration of the Agreement.
  4. Definitions. "Covered Fees" means any Fees incurred by Customer as a direct result of the Qualified Attack for:
    1. Ingress data processing for the Google Cloud Load Balancer Service;
    2. Managed Protection Plus data processing fee for the Google Cloud Armor Service; and
    3. Network egress, including inter-region, inter-zone, internet, and carrier peering egress
  5. "Minimum Threshold" means the minimum amount of Covered Fees that are eligible to be credited under this Section as determined by Google from time to time and disclosed to Customer on request.
