This guide provides instructions for using Google Cloud Armor Managed Protection Plus tier. For more information about Managed Protection, see the Google Cloud Armor Managed Protection overview.
Google Cloud Armor Managed Protection Plus tier is currently available as a beta release. To use Managed Protection Plus tier, complete these steps:
- Subscribe your billing account to Plus tier.
- Enroll projects in Plus tier.
Required IAM permissions
To subscribe a billing account to Plus tier or to toggle the auto-renew setting
of the subscription, you must be a user with the Identity and Access Management (IAM)
permission billing.accounts.update for the billing account that is being
subscribed.
To enroll a project into the Plus tier subscription, you must have the following IAM permissions for the currently selected project that you are enrolling in Managed Protection Plus tier:
resourcemanager.projects.createBillingAssignmentresourcemanager.projects.update
To learn more about billing permissions, see Overview of Cloud Billing access control.
Subscribing to Plus tier and enrolling projects
To subscribe to Plus tier and enroll the current project, follow these steps:
Console
In the Google Cloud Console, go to the Network Security page.
Click Cloud Armor.
Click Managed Protection. If your Plus tier subscription is active, then the billing account is already subscribed.
Click Enroll in Plus tier. You see a confirming dialog box.
To enroll the current project, ensure that the Enroll current project checkbox is selected.
To confirm your subscription, click Subscribe. Otherwise, click Cancel.
To enroll additional projects, follow these steps:
Console
- When you are signed in to the subscribed billing account, go to an additional project that you want to enroll.
In the Cloud Console, go to the Network Security page.
Click Cloud Armor, and then click Managed Protection.
Under Plus tier, click Change to Plus tier.
Removing a project from Plus tier
To remove a project from Plus tier, follow these steps:
Console
- When you are signed in to the subscribed billing account, go to the project that you want to remove from Plus tier.
In the Cloud Console, go to the Network Security page.
Click Cloud Armor, and then click Managed Protection.
Under Standard tier (default), click Change to Standard tier.
Unsubscribing a billing account from Plus tier
A Plus tier subscription is a one-year commitment that is renewed automatically. To unsubscribe a billing account from Plus tier, you disable automatic renewal. When you reach the end of the current one-year subscription period, your Plus tier subscription is not renewed and all projects in the billing account revert to Standard tier.
To cancel Plus tier auto-renewal, follow these steps:
Console
When you are signed in to the subscribed billing account, in the Cloud Console, go to the Network Security page.
Click Cloud Armor, and then click Managed Protection.
Click Auto-Renew (off). Your Managed Protection Plus tier subscription is not renewed when your current subscription expires. At that time, projects enrolled in Plus tier are no longer enrolled. They still receive the DDoS protection provided in Standard tier.
You can resubscribe a billing account to Plus tier at any time. If you do so, you must also re-enroll projects for which you want to receive the Plus tier protections.
Troubleshooting Managed Protection
This section provides information to help you resolve any issues with Managed Protection.
You subscribed to Plus tier, but your bills are pay-as-you-go
If you subscribed to Plus tier and you are still being billed on a pay-as-you-go basis, check whether you enrolled your projects in Plus tier.
The Subscribe button is unavailable
If you are unable to subscribe to Managed Protection Plus tier because the
Subscribe button is unavailable, do the following:
- Ensure that the user who is trying to subscribe has sufficient
IAM permissions:
- The user must have
billing.accounts.updatepermissions for subscribing at the billing account level. - The user must have
resourcemanager.projects.createBillingAssignmentandresourcemanager.projects.updatefor enrolling individual projects into or out of the Plus tier.
- The user must have
Unable to subscribe or enroll projects in Managed Protection programmatically
Managed Protection is offered only through the Cloud Console
interface. The gcloud command-line tool and REST API are not supported.
Determining the number of backend services covered by a subscription
Each project that is enrolled in a Plus tier subscription shows the number of backend services covered, under the Managed Protection tab on the Google Cloud Armor page. The number you see is aggregated across all projects under the billing account; it is the total number of backend services covered by the subscription.
If the project is enrolled in Standard tier, which is the default tier, this count is not displayed.
Billing discrepancies
If these troubleshooting tips do not resolve any problems, contact the Google Cloud support team.