Use Google Cloud Armor Managed Protection

This guide provides instructions for using Google Cloud Armor Managed Protection Plus. For more information about Managed Protection, see the Google Cloud Armor Managed Protection overview.

Required IAM permissions

To subscribe a billing account to Managed Protection Plus or to toggle the auto-renew setting of the subscription, you must be a user with the Identity and Access Management (IAM) permission billing.accounts.update for the billing account that is being subscribed.

To enroll a project into the Managed Protection Plus subscription, you must have the following IAM permissions for the currently selected project that you are enrolling in Managed Protection Plus:

  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.update

To learn more about billing permissions, see Overview of Cloud Billing access control.

Subscribe to Managed Protection Plus and enroll projects

To subscribe to Managed Protection Plus and enroll the current project, follow these steps. The enrollment paths for Managed Protection Plus Annual and Managed Protection Plus Paygo are not the same, and some paths are exclusive to the Google Cloud console or to the Google Cloud CLI.

Console

Subscribe to Managed Protection Plus Annual

  1. In the Google Cloud console, go to the Managed Protection page. If your Plus tier subscription is active, then the billing account is already subscribed.

  2. Click Subscribe and enroll in the Plus Annual pane. You see a confirmation dialog.

Enroll in Managed Protection Plus Paygo

  1. In the Google Cloud console, go to the Managed Protection page.

  2. Click Enroll in the Plus Paygo pane.

gcloud

Subscribe to Managed Protection Plus Annual

Enroll in Managed Protection Plus Paygo

To enroll the current project in Managed Protection Plus Paygo, use the following gcloud command:

gcloud compute project-info update --managed-protection-tier CAMP_PLUS_PAYGO

We strongly recommend that you enroll your projects in Managed Protection Plus as soon as possible because activation can take up to 24 hours. During this period, you can continue to enroll projects.

To enroll additional projects, follow these steps.

Console

Enroll additional projects in Managed Protection Plus Annual

  1. In the Google Cloud console, go to the Managed Protection page.

  2. In the Plus Annual pane, click Enroll.

Enroll additional projects in Managed Protection Plus Paygo

  1. In the Google Cloud console, go to the Managed Protection page.

  2. In the Plus Paygo pane, click Enroll.

gcloud

Enroll additional projects in Managed Protection Plus Annual

Enroll additional projects in Managed Protection Plus Paygo

Use the following command to enroll a project in Managed Protection Plus Paygo:

gcloud compute project-info update --managed-protection-tier CAMP_PLUS_PAYGO

Remove a project from Managed Protection Plus

Before you remove your project from Managed Protection Plus, we recommend that you familiarize yourself with Downgrading from Managed Protection Plus. After you unenroll a project from Managed Protection Plus, up to twelve hours might elapse before the change takes effect. You can continue to unenroll (or enroll) other projects during this period.

To unenroll a project from Managed Protection Plus, follow these steps.

Console

Unenroll a project from Managed Protection Plus Annual

  1. In the Google Cloud console, go to the Managed Protection page.

  2. In the Standard pane, click Enroll.

Unenroll a project from Managed Protection Plus Paygo

  1. In the Google Cloud console, go to the Managed Protection page.

  2. In the Standard pane, click Enroll.

gcloud

Unenroll a project from Managed Protection Plus Annual

You cannot unenroll a project from Managed Protection Plus Annual using the Google Cloud CLI. You must use the Google Cloud console instead.

Unenroll a project from Managed Protection Plus Paygo

gcloud compute project-info update --managed-protection-tier CA_STANDARD

View or change your enrollment tier

Use the following sections to view your current Managed Protection enrollment tier, to change your enrollment from Managed Protection Plus Annual to Managed Protection Plus Paygo, or to change your enrollment from Managed Protection Plus Paygo to Managed Protection Plus Annual.

View current Managed Protection enrollment tier

Use these instructions to view your current Managed Protection enrollment tier.

Console

  1. In the Google Cloud console, go to the Managed Protection page.

  2. You see the available Managed Protection service tiers, including Managed Protection Plus Annual and Managed Protection Plus Paygo. Your current Managed Protection enrollment tier is highlighted and has the status "Enrolled" in the Project field.

gcloud

To view your current Managed Protection enrollment tier, use the following gcloud command:

gcloud compute project-info describe

View the number of backend services and backend buckets covered by an enrollment

Each project that is enrolled in Managed Protection Plus shows the number of backend services and backend buckets covered on the Managed Protection page. The number that you see is the total number of backend services and backend buckets covered by the enrollment.

If the project is enrolled in Managed Protection Standard, which is the default tier, this count is not displayed.

Change enrollment from Managed Protection Plus Annual to Managed Protection Plus Paygo

Follow these steps to change your enrollment from Managed Protection Plus Annual to Managed Protection Plus Paygo:

  1. Unenroll your project from Managed Protection Plus Annual.
  2. Enroll in Managed Protection Plus Paygo.

Change enrollment from Managed Protection Plus Paygo to Managed Protection Plus Annual

Follow these steps to change your enrollment from Managed Protection Plus Paygo to Managed Protection Plus Annual:

  1. Unenroll your project from Managed Protection Plus Paygo.
  2. Enroll in Managed Protection Plus Annual.

Unsubscribe a billing account from Managed Protection Plus Annual

A Managed Protection Plus Annual subscription is a one-year commitment that is renewed automatically. To prevent renewal at the end of the one-year term, you must disable automatic renewal. After automatic renewal is disabled, your Managed Protection Plus Annual subscription is not renewed when the current one-year subscription period ends, and all projects in the billing account that are enrolled in Managed Protection Plus Annual revert to Managed Protection Standard.

To cancel Managed Protection Plus Annual auto-renewal, follow these steps.

Console

  1. When you are signed in to the subscribed billing account, in the Google Cloud console, go to the Managed Protection page.

  2. Click Auto-Renew (off). Your Managed Protection Plus subscription is not renewed when your current subscription expires. At that time, projects enrolled in Managed Protection Plus are no longer enrolled. They still receive the DDoS protection provided in Managed Protection Standard.

You can resubscribe a billing account to Managed Protection Plus Annual at any time. If you do so, you must also re-enroll projects for which you want to benefit from the Managed Protection Plus pricing models and additional capabilities.

Engage DDoS response support

To open a case and receive help from the Google Cloud Armor DDoS response support team, you must meet all of the following criteria:

  • Your billing account has an active Managed Protection Plus Annual subscription.
  • The project with the workload that is under attack is enrolled in Managed Protection Plus Annual.
  • The billing account has a Premium account for Cloud Customer Care.

Open a case

To engage DDoS response support, you open a support case through the Google Cloud console. If you meet the eligibility requirements, your case is escalated to the Google Cloud Armor DDoS Response Team for support, triage, and potential mitigation.

To open a DDoS response case, complete the following steps:

  1. In the Google Cloud console, go to the Support page.

  2. Select the project for which you would like to open a DDoS Response case.

  3. Select Cases.

  4. Click Create Case.

  5. Specify that the case is a DDoS Response case.

  6. Complete the required fields and submit the form.

Engage DDoS bill protection

To file a claim for DDoS Bill Protection, your project must be enrolled in Managed Protection Plus Annual, and you must prepare the following information:

  • The billing account associated with the targeted project.
  • The project number of the project containing the targeted resource.
  • The internet-facing IP address of the targeted resource.
  • The time that the attack started.
  • The time that the attack concluded.
  • Normal traffic volumes for the impacted service.
  • Attack volumes for the impacted service.

You can initiate a chat or contact billing support through the Google Cloud console. For more information on contacting Cloud Billing Support, see How to contact Cloud Billing Support.

Cross-project referencing requirements

If you use cross-project service referencing and you want to take advantage of the Managed Protection Plus pricing, both the frontend and backend service projects must be enrolled in Managed Protection Plus Annual.

Qualified Attacks

For external passthrough Network Load Balancers, protocol forwarding, and public IP addresses (VMs), an attack is considered a Qualified Attack (as described in the Google Cloud services summary) only if advanced DDoS protection was already enabled for the region with the attacked endpoint at the start of the attack.

Use Threat Intelligence

To use Threat Intelligence, you configure a security policy using the evaluateThreatIntelligence match expression, providing a feed name based on the category that you want to allow or block. If Threat Intelligence incorrectly blocks an IP address, you can add the IP address to the exclusion list to allow traffic.

Troubleshooting Managed Protection

This section provides information to help you resolve any issues with Managed Protection.

You subscribed to Managed Protection Plus Annual, but your bill continues to be pay-as-you-go

If you subscribed to Managed Protection Plus and you are still being billed on a pay-as-you-go basis, check whether you enrolled your projects in Managed Protection Plus.
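The following shell script is an added example, not part of the Google Cloud documentation, that automates this check and the "View current Managed Protection enrollment tier" step above across every project linked to a billing account: it reports the projects that are still on the default Standard tier and are therefore billed pay-as-you-go. It assumes that the `gcloud compute project-info describe` output exposes the tier in a field named `cloudArmorTier` (assumed field name); `CA_STANDARD` is the value this page uses for the Standard tier, and the project IDs in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation): list the projects on a
# billing account that are NOT enrolled in Managed Protection Plus, the usual cause
# of "subscribed to Plus Annual but still billed pay-as-you-go".
#
# Assumptions: the tier is exposed as the field cloudArmorTier (assumed name) in
# `gcloud compute project-info describe`; CA_STANDARD (from the page) is the default,
# unenrolled tier. Any other non-empty value is treated as a Plus enrollment.

# report_unenrolled: read "PROJECT_ID TIER" lines on stdin and print one project ID
# per line for each project whose tier is CA_STANDARD or missing (not on Plus).
report_unenrolled() {
  while read -r project tier; do
    [ -n "$project" ] || continue
    case "${tier:-CA_STANDARD}" in
      CA_STANDARD) printf '%s\n' "$project" ;;
      *) ;;
    esac
  done
}

# collect_tiers: emit "PROJECT_ID TIER" for every project linked to the given
# billing account. Needs gcloud plus read access to the billing account and projects.
collect_tiers() {
  billing_account="$1"
  gcloud billing projects list --billing-account="$billing_account" \
      --format='value(projectId)' |
  while read -r project; do
    tier=$(gcloud compute project-info describe --project="$project" \
             --format='value(cloudArmorTier)' 2>/dev/null)
    printf '%s %s\n' "$project" "${tier:-CA_STANDARD}"
  done
}

# Constructed sample output used when gcloud is unavailable, so the script runs
# offline: one enrolled project, three that still need to be enrolled.
SAMPLE_TIERS='prod-web CAMP_PLUS_PAYGO
prod-api CA_STANDARD
staging-web
legacy-batch CA_STANDARD'

if [ -n "$1" ] && command -v gcloud >/dev/null 2>&1; then
  collect_tiers "$1" | report_unenrolled
else
  printf '%s\n' "$SAMPLE_TIERS" | report_unenrolled
fi
```

Run it as `sh check_tiers.sh BILLING_ACCOUNT_ID` against a real account; with no argument it runs on the constructed sample and prints prod-api, staging-web and legacy-batch.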

The Subscribe button is unavailable

If you are unable to subscribe to Managed Protection Plus Annual because the Subscribe button is unavailable, do the following:

  • Ensure that the user who is trying to subscribe has sufficient IAM permissions:
    • The user must have billing.accounts.update permissions for subscribing at the billing account level.
    • The user must have resourcemanager.projects.createBillingAssignment and resourcemanager.projects.update for enrolling individual projects into or out of the Plus tier.

Billing discrepancies

If these troubleshooting tips do not resolve the problems that you are experiencing, contact the Google Cloud billing support team.
