Cloud Armor

Help protect your applications and websites against denial of service and web attacks.

  • Benefit from DDoS protection and WAF at Google-scale

  • Detect and mitigate attacks against your Cloud Load Balancing workloads

  • Mitigate OWASP Top 10 risks and help protect workloads on-premises or in the cloud

Enterprise-grade DDoS defense

Cloud Armor benefits from our experience of protecting key internet properties such as Google Search, Gmail, and YouTube. It provides built-in defenses against L3 and L4 DDoS attacks.

Mitigate OWASP Top 10 risks

Cloud Armor provides predefined rules to help defend against attacks such as cross-site scripting (XSS) and SQL injection (SQLi).

Flexible custom rules language

Google Cloud Armor’s flexible rules language enables you to customize your defenses and mitigate web attacks by deploying custom application firewall rules.

Key features

IP-based and geo-based access control

Filter your incoming traffic based on IPv4 and IPv6 addresses or CIDRs. Enforce geography-based access controls to allow or deny traffic based on source geography using Google’s geoIP mapping.

Support for hybrid and multi-cloud deployments

Help defend applications from DDoS or web attacks and enforce Layer 7 security policies whether your application is deployed on Google Cloud or in a hybrid or multi-cloud architecture.

Visibility and monitoring

Easily monitor all of the metrics associated with your security policies in the Cloud Monitoring dashboard. You can also view suspicious application traffic patterns from Cloud Armor directly in the Security Command Center dashboard.

Customers

Evernote migrates to Google Cloud’s more scalable and secure infrastructure.

Story highlights

  • Moved 5 billion user notes into Google Cloud in only 70 days

  • Improved performance, uptime, and security

  • Cloud Armor provides a rich layer of security control

Documentation

Tutorial
Hands-on Lab: HTTP Load Balancer with Cloud Armor

Learn how to configure an HTTP Load Balancer with global backends, stress test the Load Balancer, and blacklist the stress test IP.

Tutorial
Configuring Google Cloud Armor security policies

Use these instructions to filter incoming traffic to HTTP(S) Load Balancing by creating Google Cloud Armor security policies.

Google Cloud Basics
Google Cloud Armor security policy overview

Use Google Cloud Armor security policies to help protect your load-balanced applications from Distributed Denial of Service (DDoS) and other web-based attacks.

Tutorial
Monitoring Google Cloud Armor security policies

Learn how Google Cloud Armor exports monitoring data from security policies to Cloud Monitoring to see if they are working as intended or troubleshoot issues.

Tutorial
Google Cloud Armor audit logging information

This page describes the audit logs created by Google Cloud Armor as part of Cloud Audit Logs.

Google Cloud Basics
Configuring Google Cloud Armor through GKE Ingress

Learn how to use a BackendConfig custom resource to configure Google Cloud Armor in Google Kubernetes Engine (GKE).

All features

Pre-defined WAF rules to mitigate OWASP Top 10 risks

Out-of-the-box rules from the ModSecurity Core Rule Set to help defend against attacks like cross-site scripting (XSS) and SQL injection.

Rich rules language for Web Application Firewall

Create custom rules using any combination of L3–L7 parameters and geolocation to help protect your deployment with a flexible rules language.

Visibility and monitoring

Easily monitor all of the metrics associated with your security policies in the Cloud Monitoring dashboard. You can also view suspicious application traffic patterns from Cloud Armor directly in the Security Command Center dashboard.

Logging

Get visibility into Cloud Armor decisions as well as the implicated policies and rules on a per-request basis via Cloud Logging.

Preview mode

Deploy Cloud Armor rules in preview mode to understand rule efficacy and impact on production traffic before enabling active enforcement.

Policy framework with rules

Configure one or more security policies with a hierarchy of rules. Apply a policy at varying levels of granularity to one or many workloads.

IP-based and geo-based access control

Filter your incoming traffic based on IPv4 and IPv6 addresses or CIDRs. Identify and enforce access control based on geographic location of incoming traffic.

Support for hybrid and multi-cloud deployments

Help defend applications from DDoS or web attacks and enforce Layer 7 security policies whether your application is deployed on Google Cloud or in a hybrid or multi-cloud architecture.

Pricing

Cloud Armor charges for security policies, rules within that policy, as well as for well-formed L7 requests that are evaluated by a security policy.

*Promotion: Until July 31, 2020, your queries-per-month charges across all projects in a billing account are capped at US$3,000.

Google Cloud Armor Pricing (USD)

Policy charge: $5 per Google Cloud Armor policy per month
Per rule charge: $1 per rule per policy per month
Incoming requests charge: $0.75 per million HTTP(S) requests

If a backend service has a Google Cloud Armor security policy associated with it, you can use the user-defined request headers feature with that backend service without any additional charge for the user-defined request headers feature.

If you pay in a currency other than USD, the prices listed in your currency on Google Cloud SKUs apply.