Benefit from DDoS protection and WAF at Google scale
Detect and mitigate attacks against your Cloud Load Balancing workloads
Mitigate OWASP Top 10 risks and help protect workloads on-premises or in the cloud
Introducing a subscription for Cloud Armor Managed Protection Plus, now in Public Preview
Enterprise-grade DDoS defense
Cloud Armor benefits from our experience of protecting key internet properties such as Google Search, Gmail, and YouTube. It provides built-in defenses against L3 and L4 DDoS attacks.
Mitigate OWASP Top 10 risks
Cloud Armor provides predefined rules to help defend against attacks such as cross-site scripting (XSS) and SQL injection (SQLi) attacks.
With Cloud Armor Managed Protection Plus tier, you will get access to DDoS and WAF services, curated rule sets, and other services for a predictable monthly price. Learn more.
IP-based and geo-based access control
Filter your incoming traffic based on IPv4 and IPv6 addresses or CIDRs. Enforce geography-based access controls to allow or deny traffic based on source geo using Google’s geoIP mapping.
Support for hybrid and multi-cloud deployments
Help defend applications from DDoS or web attacks and enforce Layer 7 security policies whether your application is deployed on Google Cloud or in a hybrid or multi-cloud architecture.
Visibility and monitoring
Easily monitor all of the metrics associated with your security policies in the Cloud Monitoring dashboard. You can also view suspicious application traffic patterns from Cloud Armor directly in the Security Command Center dashboard.
Pre-configured WAF rules
Out-of-the-box rules from the ModSecurity Core Rule Set to help defend against attacks like cross-site scripting (XSS) and SQL injection. RFI, LFI, and RCE rules are also available in beta. Learn more in our WAF rules guide.
Named IP Lists
Allow or deny traffic through a Cloud Armor security policy based on a curated Named IP List (beta).
Learn from customers using Cloud Armor
Sign up for Google Cloud newsletters to receive product updates, event information, special offers, and more.
Hands-on lab: HTTP load balancer with Cloud Armor
Learn how to configure an HTTP load balancer with global back ends, stress test the load balancer, and denylist the stress test IP.
Configuring Google Cloud Armor security policies
Use these instructions to filter incoming traffic to HTTP(S) load balancing by creating Google Cloud Armor security policies.
Google Cloud Armor security policy overview
Use Google Cloud Armor security policies to help protect your load-balanced applications from distributed denial of service (DDoS) and other web-based attacks.
Monitoring Google Cloud Armor security policies
Learn how Google Cloud Armor exports monitoring data from security policies to Cloud Monitoring to see if they are working as intended or troubleshoot issues.
Google Cloud Armor audit logging information
This page describes the audit logs created by Google Cloud Armor as part of Cloud Audit Logs.
Configuring Google Cloud Armor through GKE Ingress
Learn how to use a BackendConfig custom resource to configure Google Cloud Armor in Google Kubernetes Engine (GKE).
Tuning Google Cloud Armor WAF rules
Preconfigured web application firewall (WAF) rules with dozens of signatures that are compiled from open source industry standards.
|Pre-defined WAF rules to mitigate OWASP Top 10 risks||Out-of-the-box rules from the ModSecurity Core Rule Set to help defend against attacks like cross-site scripting (XSS) and SQL injection.|
|Rich rules language for web application firewall||Create custom rules using any combination of L3–L7 parameters and geolocation to help protect your deployment with a flexible rules language.|
|Visibility and monitoring||Easily monitor all of the metrics associated with your security policies in the Cloud Monitoring dashboard. You can also view suspicious application traffic patterns from Cloud Armor directly in the Security Command Center dashboard.|
|Logging||Get visibility into Cloud Armor decisions as well as the implicated policies and rules on a per-request basis via Cloud Logging.|
|Preview mode||Deploy Cloud Armor rules in preview mode to understand rule efficacy and impact on production traffic before enabling active enforcement.|
|Policy framework with rules||Configure one or more security policies with a hierarchy of rules. Apply a policy at varying levels of granularity to one or many workloads.|
|IP-based and geo-based access control||Filter your incoming traffic based on IPv4 and IPv6 addresses or CIDRs. Identify and enforce access control based on geographic location of incoming traffic.|
|Support for hybrid and multi-cloud deployments||Help defend applications from DDoS or web attacks and enforce Layer 7 security policies whether your application is deployed on Google Cloud or in a hybrid or multi-cloud architecture.|
|Named IP Lists||Allow or deny traffic through a Cloud Armor security policy based on a curated Named IP List (beta).|
|Managed Protection||Standard||Plus (Public Preview)||Notes|
|Billing||Pay as you go||Starting at $3,000/month||-|
|Protected resources||None||Includes first 100 ($30/month for additional protected resources)||Protected resources include backend services and backend buckets|
|Rules||$1 / month||Included in subscription||-|
|Policy||$5 / month||Included in subscription||-|
|Requests||$0.75 / million queries||Included in subscription||-|
|Data processing fee||None||Additional (details)||Active starting at general availability|
If a backend service has a Cloud Armor policy, you can use the user-defined request headers feature with that service without any additional charge for the user-defined request headers feature.
If you pay in a currency other than USD, the prices listed in your currency on Google Cloud SKUs apply.