This guide provides instructions for using Google Cloud Armor Managed Protection Plus. For more information about Managed Protection, see the Google Cloud Armor Managed Protection overview.
To switch to Managed Protection Plus, complete these steps:
- Subscribe your billing account to the Managed Protection Plus tier.
- Enroll individual projects in the Managed Protection Plus subscription.
Required IAM permissions
To subscribe a billing account to Managed Protection Plus or to toggle the auto-renew setting of the subscription, you must be a user with the Identity and Access Management (IAM) permission billing.accounts.update for the billing account that is being subscribed.
To enroll a project into the Managed Protection Plus subscription, you must have the following IAM permissions for the currently selected project that you are enrolling in Managed Protection Plus:
- resourcemanager.projects.createBillingAssignment
- resourcemanager.projects.update
To learn more about billing permissions, see Overview of Cloud Billing access control.
Subscribing to Managed Protection Plus and enrolling projects
To subscribe to Managed Protection Plus and enroll the current project, follow these steps.
Console
- In the Google Cloud console, go to the Network Security page.
- Click Cloud Armor.
- Click Managed Protection. If your Plus tier subscription is active, then the billing account is already subscribed.
- Click Enroll in Plus tier. You see a confirming dialog box.
- To enroll the current project, ensure that the Enroll current project checkbox is selected.
- To confirm your subscription, click Subscribe. Otherwise, click Cancel.
We strongly recommend that you enroll your projects in Managed Protection Plus as soon as possible because activation can take up to 24 hours. During this period, you can continue to enroll projects.
To enroll additional projects, follow these steps.
Console
- When you are signed in to the subscribed billing account, go to an additional project that you want to enroll.
- In the Google Cloud console, go to the Network Security page.
- Click Cloud Armor, and then click Managed Protection.
- Under Plus tier, click Change to Plus tier.
Removing a project from Managed Protection Plus
To unenroll a project from Managed Protection Plus, follow these steps.
Console
- When you are signed in to the subscribed billing account, go to the project that you want to remove from Plus tier.
- In the Google Cloud console, go to the Network Security page.
- Click Cloud Armor, and then click Managed Protection.
- Under Standard tier (default), click Change to Standard tier.
Unsubscribing a billing account from Managed Protection Plus
A Managed Protection Plus subscription is a one-year commitment that is renewed automatically. To prevent renewal at the end of the one-year term, you must disable automatic renewal. After automatic renewal is disabled, when you reach the end of the current one-year subscription period, your Managed Protection Plus subscription is not renewed, and all projects in the billing account revert to Managed Protection Standard.
To cancel Managed Protection Plus auto-renewal, follow these steps.
Console
- When you are signed in to the subscribed billing account, in the Google Cloud console, go to the Network Security page.
- Click Cloud Armor, and then click Managed Protection.
- Click Auto-Renew (off). Your Managed Protection Plus subscription is not renewed when your current subscription expires. At that time, projects enrolled in Managed Protection Plus are no longer enrolled. They still receive the DDoS protection provided in Managed Protection Standard.
You can resubscribe a billing account to Managed Protection Plus at any time. If you do so, you must also re-enroll projects for which you want to benefit from the Managed Protection Plus pricing models and additional capabilities.
Engaging DDoS response support
To open a case and receive help from the Google Cloud Armor DDoS response support team, you must meet the following qualification criteria:
- An active Managed Protection Plus subscription on your billing account
- The project with the workload that is under attack must be enrolled in Managed Protection Plus
- The billing account must have a Premium account for Cloud Support
Opening a case
To engage DDoS Response support, you open a support case through the Google Cloud console. If you meet the eligibility requirements, your case will be escalated to the Google Cloud Armor DDoS Response Team for support, triage, and potential mitigation.
To open a DDoS Response Case, complete the following steps:
- Navigate to the Support page in the Google Cloud console.
- Select the project for which you would like to open a DDoS Response case.
- Select Cases.
- Click Create Case.
- Specify that the case is a DDoS Response case.
- Complete the required fields and submit the form.
Engaging DDoS Bill Protection
To file a claim for DDoS Bill Protection, you must prepare the following information:
- The billing account associated with the targeted project.
- The project number of the project containing the targeted resource.
- The internet-facing IP address of the targeted resource.
- The time that the attack started.
- The time that the attack concluded.
- Normal traffic volumes for the impacted service.
- Attack volumes for the impacted service.
You can initiate a chat or contact billing support through the Google Cloud console. For more information on contacting Cloud Billing Support, see How to contact Cloud Billing Support.
Using Threat Intelligence
To use Threat Intelligence, you configure a security policy using the evaluateThreatIntelligence match expression, providing a feed name based on the category that you want to allow or block. If Threat Intelligence incorrectly blocks an IP address, you can add the IP address to the exclusion list to allow traffic.
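The following added example (not part of the original guide) builds the evaluateThreatIntelligence expression with an optional exclusion list and prints, without running, the gcloud command that would create the rule. The policy name my-policy, the priorities and the addresses are constructed placeholders; the iplist- prefix check is an assumption based on feed names such as iplist-tor-exit-nodes.

```shell
#!/bin/sh
# Added example: build an evaluateThreatIntelligence() match expression.
# Policy name, priorities and addresses are constructed placeholders.

# ti_expression FEED [EXCLUDED_ADDRESS...]
# Prints the expression; returns 1 on a malformed feed name or address.
ti_expression() {
  ti_feed=$1; shift
  # Assumption: feed names look like iplist-tor-exit-nodes.
  case $ti_feed in
    iplist-*) ;;
    *) echo "bad feed: $ti_feed" >&2; return 1 ;;
  esac
  case $ti_feed in
    *[!a-z0-9-]*) echo "bad feed: $ti_feed" >&2; return 1 ;;
  esac
  ti_list=""
  for ti_addr in "$@"; do
    # Allow only the characters of an IPv4 address or CIDR range, so a
    # value can never close the quote and alter the expression.
    case $ti_addr in
      ''|*[!0-9./]*) echo "bad address: $ti_addr" >&2; return 1 ;;
    esac
    ti_list="${ti_list:+$ti_list, }'$ti_addr'"
  done
  if [ -n "$ti_list" ]; then
    printf "evaluateThreatIntelligence('%s', [%s])\n" "$ti_feed" "$ti_list"
  else
    printf "evaluateThreatIntelligence('%s')\n" "$ti_feed"
  fi
}

# ti_rule_command POLICY PRIORITY ACTION FEED [EXCLUDED_ADDRESS...]
# Prints (does not run) the gcloud command that would create the rule.
ti_rule_command() {
  ti_policy=$1; ti_priority=$2; ti_action=$3; shift 3
  ti_expr=$(ti_expression "$@") || return 1
  printf 'gcloud compute security-policies rules create %s --security-policy=%s --action=%s --expression="%s"\n' \
    "$ti_priority" "$ti_policy" "$ti_action" "$ti_expr"
}

# Dry run: block Tor exit nodes, and block known-malicious IPs except one
# address that was being blocked incorrectly.
ti_rule_command my-policy 1000 deny-403 iplist-tor-exit-nodes
ti_rule_command my-policy 1001 deny-403 iplist-known-malicious-ips 203.0.113.7
```

Review the printed commands before running them against a real policy, and keep the exclusion list short so that it stays auditable.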
Troubleshooting Managed Protection
This section provides information to help you resolve any issues with Managed Protection.
You subscribed to Managed Protection Plus, but your bill continues to be pay-as-you-go
If you subscribed to Managed Protection Plus and you are still being billed on a pay-as-you-go basis, check whether you enrolled your projects in Managed Protection Plus.
The Subscribe button is unavailable
If you are unable to subscribe to Managed Protection Plus because the Subscribe button is unavailable, do the following:
- Ensure that the user who is trying to subscribe has sufficient IAM permissions:
  - The user must have billing.accounts.update permissions for subscribing at the billing account level.
  - The user must have resourcemanager.projects.createBillingAssignment and resourcemanager.projects.update for enrolling individual projects into or out of the Plus tier.
- The user must have
Unable to subscribe or enroll projects in Managed Protection programmatically
Subscription and enrollment in Managed Protection Plus is offered only through the Google Cloud console interface. The Google Cloud CLI and REST API are not supported.
Determining the number of backend services and backend buckets covered by a subscription
Each project that is enrolled in Managed Protection Plus shows the number of backend services and backend buckets covered, under the Managed Protection tab on the Google Cloud Armor page. The number that you see is aggregated across all projects under the billing account that is enrolled into the subscription; it is the total number of backend services and backend buckets covered by the subscription.
If the project is enrolled in Managed Protection Standard, which is the default tier, this count is not displayed.
Billing discrepancies
If these troubleshooting tips do not resolve the problems that you are experiencing, contact the Google Cloud billing support team.