Announcing general availability of Cloud Armor for regional application load balancers
Shane Wang
Product Manager, Google Cloud
Anil Nandigam
Product Marketing Lead, Google Cloud Security
Google Cloud Armor provides our customers with advanced DDoS defense and Web Application Firewall (WAF) capabilities. Today, we’re excited to announce the general availability of Cloud Armor for Regional External Application Load Balancers, which can help create regionally-scoped Cloud Armor security policies.
In these policies, rules are evaluated and enforced in a designated Google Cloud region to protect web and API workloads from DDoS attacks and other Layer 7 attacks. Cloud Armor recently helped mitigate the largest DDoS attack known to date, and we are continually expanding Cloud Armor’s capabilities to help our customers protect their environment from DDoS and web attacks.
What is our new regionally-scoped security policy?
Built to safeguard Google Cloud's global load balancing infrastructure, Cloud Armor now extends its support for the Regional External Application Load Balancer. Implemented as a managed service on the open-source Envoy proxy, it can provide robust network protection while conforming to data residency compliance requirements. We understand the needs of our customers for a fully regionalized cloud architecture in accordance with data sovereignty requirements, and this new capability will allow our users to set up regional web applications using regional external backends and regionally-scoped Cloud Armor security policies.
Regional scope configuration for security policies
Why is it important?
Regional scoping can help you craft more resilient, robust security policies in three key use cases: web application and API protection, data sovereignty and compliance, and cost optimization.
Web application and API protection for regional workloads: With rate limiting and L7 filtering rules, Cloud Armor fortifies regional workloads against volumetric DDoS attacks and common OWASP Top 10 web application and API vulnerabilities. Supporting Network Service Standard Tier along with Regional Application Load Balancers, the new regional security policy from Cloud Armor ensures services using peering, ISP, or transit networks in the region get the same web application and API protection for their regional workloads.
Data sovereignty and compliance: In today's globalized world, data sovereignty and compliance have become paramount. Many regions across the world have strict regulations about where and how data should be stored, processed, and transmitted. Organizations in regulated industries need to address compliance regulations that require their company’s data to remain within certain geographical boundaries. With Cloud Armor's regional security policy, businesses can be confident that their data and applications are secure, all while adhering to regional compliance mandates. For example, if your web application has German data residency requirements, you can now configure your regional external load balancers and Cloud Armor regional policies using one of our German regions, either europe-west3 or europe-west10.
Cost optimization: Regionally-scoped Cloud Armor is available in both Standard and Managed Protection Plus tiers. Managed Protection Plus tier customers are able to deploy global or regional Cloud Armor policies, or both, as part of their subscription. Standard tier customers can also use regionally-scoped security policies starting at $0.60 per million requests. For more details about pricing for regionally-scoped policy requests, refer to the Cloud Armor pricing page.
What's next
Cloud Armor’s regionally-scoped security policy advances our commitment to offering regional solutions for our customers running internet-facing applications across many global regions with compliance requirements. You can learn more about our recent WAF enhancements in User IP, Rate Limiting, Adaptive Protection, and how Cloud Armor is helping to protect the global front end for internet-facing applications as part of Google Cloud Cross-Cloud Network. Check out our documentation to get started with Cloud Armor.