Expanding Cloud Armor DDoS protection to Network Load Balancing and VMs with Public IP addresses
Lihi Shadmi
Product Manager
Over the past few years, Google has observed that distributed denial-of-service (DDoS) attacks are increasing in frequency and growing exponentially in size. Google Cloud customers have been using Cloud Armor and leveraging the scale and capacity of Google’s network edge to protect their environment from some of the largest DDoS attacks ever seen.
We are excited to announce the general availability of Cloud Armor advanced network DDoS protection, which expands Cloud Armor’s DDoS protection capabilities to workloads using external network load balancers, protocol forwarding, and VMs with Public IP addresses. These workloads are used by a diverse set of customers, including gaming (such as UDP-based traffic) and telecommunications (such as VOIP traffic), and support a wide set of protocols, including custom implementations.
Cloud Armor advanced network DDoS protection provides customers with always-on attack detection and mitigation to defend against volumetric network and protocol DDoS attacks, such as SYN flood, UDP flood, DNS reflection, and NTP amplification attacks. Google Cloud customers can now easily activate advanced network DDoS protection and safeguard themselves from the damaging outcomes of DDoS attacks, including an increase in operational costs, a loss in business continuity, and a degraded user experience.
The Cloud Armor team has been building this new capability in close collaboration with our customers, who use Cloud Armor’s advanced network DDoS protection in their production environments.
“Cloud Armor’s advanced network DDoS protection is easy-to-deploy and manage. The automatic detection and mitigation mechanism reduces operational overhead,” said Shay Ben-Haroche, platform group manager, Symantec Zero Trust Network Access and Web Isolation, Broadcom.
Customers using advanced network DDoS protection are also eligible for bill protection and support from the DDoS response team. Bill protection provides credits for future Google Cloud usage for some increases in billing that are a result of a verified DDoS attack. The DDoS response team includes 24/7 help and potential custom mitigations from DDoS attacks from the same engineering team that protects all Google services.
Advanced DDoS protection - How it works
Cloud Armor’s advanced network DDoS protection operates at Google’s network edge to detect and mitigate attacks far upstream of the customer's infrastructure. It monitors a variety of signals for signs of attack including monitoring customers’ workloads health for early signs of distress, and monitoring incoming traffic for anomalies.
First, Cloud Armor observes early signs of workload distress, and quickly alerts the customer that an attack is detected. This always-on monitoring mechanism results in timely and accurate attack detection, without adding latency to the traffic flow.
Next, Cloud Armor analyzes incoming traffic to identify the attack signatures. Cloud Armor then automatically deploys the mitigation at the edge of the network, while allowing legitimate traffic to pass through. The incoming DDoS attacks are stopped at the edge before reaching customers’ workloads. During attack mitigation, the traffic flow is unchanged — no additional hops are added — and therefore there is no latency impact.
Once Cloud Armor confirms the attack has ended, it will disable the mitigations. The whole process, from detection to mitigation, takes mere seconds and doesn’t require user intervention.
Comprehensive attack visibility
Cloud Armor’s advanced network DDoS protection provides attack visibility into past and ongoing DDoS attacks by recording telemetry in Cloud Logging. Customers can view these logs under the ‘network_security_policy’ resource in Logs Explorer, and use them for analysis and alerting.
Advanced network DDoS protection generates three types of event logs when mitigating DDoS attacks:
‘Mitigation Started’ - Detection of a potential attack and the start of mitigation.
‘Mitigation Ongoing’ - Updates about ongoing mitigation every 5 minutes for as long as the attack is active.
‘Mitigation Ended’ - Conclusion of the attack and the end of mitigation.
Logging events include information on attack classification and traffic volumes.
Customers can also apply Cloud Armor’s advanced network DDoS protection in preview mode. In preview mode, the proposed mitigation will not be automatically enforced. Customers will receive logging and telemetry about detected attacks and suggested mitigations. This provides flexibility for customers to test the mitigation effectiveness before enabling it in the production environment. Since the security policy is configured per-region, the customer can enable or disable preview mode per-region.
Easy to set up
To apply advanced network DDoS protection, you need to enroll your project into Managed Protection Plus. Advanced network DDoS protection is configured on a per-region basis, enabling the protection for all the workloads in that region.
To enable advanced network DDoS protection, please navigate to the Cloud Armor console and press ‘create security policy’. For details, see Configure advanced network DDoS protection.
Try one month of Cloud Armor Managed Protection Plus
To get you started with advanced Network DDoS protection, we are pleased to offer a one month evaluation period for Managed Protection Plus. You can turn on Managed Protection Plus and try it for 30 days.
Google Cloud is offering flexible cancellation terms for the first 30 days after activating the annual subscription for Cloud Armor Managed Protection Plus. To cancel within the evaluation period, please contact Billing Support.
Get started
Don’t wait for the next DDoS attack to disrupt your services. Enable Cloud Armor advanced network DDoS protection today to protect your workloads. Check out this guide to learn more or configure using the Google Cloud console.