Using Google Cloud Armor Managed Protection

This guide provides instructions for using Google Cloud Armor Managed Protection Plus tier. For more information about Managed Protection, see the Google Cloud Armor Managed Protection overview.

Google Cloud Armor Managed Protection Plus tier is currently available as a beta release on a limited-access basis. To use Managed Protection Plus tier, complete these steps:

  1. Request access: fill out the Managed Protection Plus tier sign-up form.
  2. Subscribe your billing account to Plus tier.
  3. Enroll projects in Plus tier.

Required IAM permissions

To subscribe to Plus tier, you must use an account with the Identity and Access Management (IAM) permission billing.accounts.update.

To enroll a project into the Plus tier subscription, you must have the following IAM permissions:

  • resourcemanager.projects.createBillingAssignment
  • resourcemanager.projects.update

Subscribing to Plus tier and enrolling projects

To subscribe to Plus tier and enroll the current project, follow these steps:

Console

  1. In the Google Cloud Console, go to the Network Security page.

  2. Click Cloud Armor.

  3. Click Managed Protection. If your Plus tier subscription is active, then the billing account is already subscribed.

  4. Click Enroll in Plus tier. A confirmation dialog box appears.

  5. To enroll the current project, ensure that the Enroll current project checkbox is selected.

  6. To confirm your subscription, click Subscribe. Otherwise, click Cancel.

To enroll additional projects, follow these steps:

Console

  1. When you are signed in to the subscribed billing account, go to an additional project that you want to enroll.
  2. In the Cloud Console, go to the Network Security page.

  3. Click Cloud Armor, and then click Managed Protection.

  4. Under Plus tier, click Change to Plus tier.

Removing a project from Plus tier

To remove a project from Plus tier, follow these steps:

Console

  1. When you are signed in to the subscribed billing account, go to the project that you want to remove from Plus tier.
  2. In the Cloud Console, go to the Network Security page.

  3. Click Cloud Armor, and then click Managed Protection.

  4. Under Standard tier (default), click Change to Standard tier.

Unsubscribing a billing account from Plus tier

A Plus tier subscription is a one-year commitment that is renewed automatically. To unsubscribe a billing account from Plus tier, you disable automatic renewal. When you reach the end of the current one-year subscription period, your Plus tier subscription is not renewed and all projects in the billing account revert to Standard tier.

To cancel Plus tier auto-renewal, follow these steps:

Console

  1. When you are signed in to the subscribed billing account, in the Cloud Console, go to the Network Security page.

  2. Click Cloud Armor, and then click Managed Protection.

  3. Click Auto-Renew (off). Your Managed Protection Plus tier subscription is not renewed when your current subscription expires. At that time, projects enrolled in Plus tier are no longer enrolled. They still receive the DDoS protection provided in Standard tier.

You can resubscribe a billing account to Plus tier at any time. If you do so, you must also re-enroll projects for which you want to receive the Plus tier protections.

Troubleshooting Managed Protection

This section provides information to help you resolve any issues with Managed Protection.

You subscribed to Plus tier, but your bills are pay-as-you-go

If you subscribed to Plus tier and you are still being billed on a pay-as-you-go basis, check whether you enrolled your projects in Plus tier.

The Subscribe button is unavailable

If you are unable to subscribe to Managed Protection Plus tier because the Subscribe button is unavailable, do the following:

  • Managed Protection is launched as a private beta. Check that you have access to the private beta. If you do not have access, request it by completing the Managed Protection Plus tier sign-up form.
  • Ensure that the user who is trying to subscribe has sufficient IAM permissions:
    • The user must have the billing.accounts.update permission to subscribe at the billing account level.
    • The user must have the resourcemanager.projects.createBillingAssignment and resourcemanager.projects.update permissions to enroll individual projects into or out of the Plus tier.

Unable to subscribe or enroll projects in Managed Protection programmatically

Managed Protection is offered only through the Cloud Console interface. The gcloud command-line tool and REST API are not supported.

Determining the number of backend services covered by a subscription

Each project that is enrolled in a Plus tier subscription shows the number of backend services covered, under the Managed Protection tab on the Google Cloud Armor page. The number you see is aggregated across all projects under the billing account; it is the total number of backend services covered by the subscription.

If the project is enrolled in Standard tier, which is the default tier, this count is not displayed.

Billing discrepancies

If these troubleshooting tips do not resolve your problem, contact the Google Cloud support team.
