Faster web performance and improved web protection for load balancing

This tutorial outlines the value of adding Cloud CDN and Google Cloud Armor to an existing external HTTP(S) load balancer deployment. It includes basic instructions for enabling both Cloud CDN and Google Cloud Armor with an external HTTP(S) load balancer.

Improving web performance with Cloud CDN

Using the external HTTP(S) load balancer already improves web performance by setting up HTTP(S) connections on Google's global edge closer to the requesting client and by negotiating connections using modern protocols such as QUIC, HTTP/2, and TLS 1.3 to reduce the number of round trips and enhance throughput. Further, by using persistent connections to your origin, Google Cloud reduces the overhead of each client connection. Google's edge locations are connected to our global private backbone network, which allows Google Cloud to optimize routing and reduce latency between the client, Google's edge, and your backends. You can further improve performance and reduce your serving costs by enabling Cloud CDN as part of your external HTTP(S) load balancer deployment.

What is Cloud CDN?

Cloud CDN (Content Delivery Network) uses Google's globally distributed edge points of presence to cache copies of load balanced content close to your users.

How Cloud CDN can improve web performance

There are multiple ways that Cloud CDN improves performance.

Offloads and scales your backend infrastructure by reducing requests

A request served from the Cloud CDN cache means that the load balancer doesn't need to send the request to backend infrastructure for a static element such as an image, video, JavaScript, or stylesheet. This not only reduces load during normal operation but allows Google edge infrastructure to absorb spikes in requests without increasing the load on your backend serving infrastructure. This ensures backend infrastructure is focused on generating user-specific responses such as dynamic HTML for interactive web experiences.

Serves static assets from the edge

Because Google's global edge serves cached responses directly, response times to client requests can be reduced. Static elements of your web experience such as images, videos, JavaScript, and stylesheets can be delivered right away without needing to forward the request to the backend systems and wait for a response and data transfer.

Reduces your egress and backend infrastructure costs

By using Cloud CDN with your external HTTP(S) load balancer, you reduce your backend infrastructure costs due to reduced traffic to the backend. Additionally, you can reduce the number of cycles to deliver static content because it is sent from the Google edge. Cloud CDN traffic is billed at a lower egress cost, further controlling costs.

Enabling Cloud CDN for your external HTTP(S) load balancer

You can enable Cloud CDN for an existing external HTTP(S) load balancer or when setting up a new load balancer.

Enabling Cloud CDN during external HTTP(S) load balancer setup

During backend configuration, select the Enable Cloud CDN checkbox. For details, see the Cloud CDN how-to guides.

Enabling Cloud CDN for an existing external HTTP(S) load balancer

In an existing external HTTP(S) load balancer configuration, in the Load Balancer details screen, you can click Edit to modify your load balancer.

Then, in the Backend Configuration section, you can select the Enable Cloud CDN checkbox. For detailed instructions, including gcloud commands, see the Cloud CDN how-to guides.

Improving web protection with Google Cloud Armor

Using the external HTTP(S) load balancer already provides a measure of web protection by terminating HTTP(S) connections on Google's global edge, so your backend infrastructure does not need to handle this process. By enabling Google Cloud Armor as part of your external HTTP(S) load balancer, you gain increased visibility into, and control over, infrastructure and application attacks.

What is Google Cloud Armor?

Google Cloud Armor provides DDoS and application layer defense working in conjunction with external HTTP(S) load balancers. It provides visibility into attacks and allows you to deploy pre-configured and custom rules to mitigate attacks against your web applications and services. Like the external HTTP(S) load balancer, Google Cloud Armor is delivered at the edge of Google's network, helping to defend against infrastructure and application attacks close to their source.

How Google Cloud Armor can improve web protection

There are multiple ways that Google Cloud Armor improves protection.

Automatically blocks most volumetric DDoS attacks

Google Cloud Armor works with the external HTTP(S) load balancer to automatically block network protocol and volumetric DDoS attacks such as protocol floods (SYN, TCP, HTTP, and ICMP) and amplification attacks (NTP, UDP, DNS). Google Cloud Armor is based on technologies developed originally to defend Google's own web services such as Search, Gmail, and Maps.

Has pre-configured WAF rules to help detect and mitigate common application attacks

Google Cloud Armor provides a library of pre-configured web application firewall (WAF) rules that help detect and optionally help mitigate common web attacks such as SQL injection, cross-site scripting, and command injection attacks against your web infrastructure.

Detects and blocks by geographical source and IP addresses or IP ranges

Google Cloud Armor leverages Google's Geo-IP database to identify the geographical region of incoming requests destined for your web infrastructure and allows you to block traffic based on two-character country codes. For example, an online commerce site that does not ship outside of a given country can block requests from common sources of attack traffic. Additionally, Google Cloud Armor allows quick blocking of specific IP addresses or ranges of IP addresses making malicious requests.

Provides visibility to monitor and mitigate application layer HTTP(S) attacks

Google Cloud Armor also provides a custom-rules language that lets you match complex patterns from incoming requests using a wide variety of HTTP(S) semantics. This includes headers, cookies, URLs, query string elements, user agent patterns, and HTTP methods.

Enabling Google Cloud Armor for your external HTTP(S) load balancer

Security policies drive Google Cloud Armor configuration. These policies enable built-in rules and support custom rules for protection. To deploy Google Cloud Armor, you must create a security policy, add rules, and then attach this policy to one or more HTTP(S) Load Balancing backend services. Each rule specifies the parameters to detect in traffic, the action to take if the traffic matches these parameters, and a priority value that determines the position of the rule in the policy hierarchy.

Creating a Google Cloud Armor security policy

At a high level, these are the steps for configuring Google Cloud Armor security policies to enable rules that allow or deny traffic to an external HTTP(S) load balancer.

  1. Create a Google Cloud Armor security policy in the Network Security - Google Cloud Armor screen.
  2. Add rules to the policy based on IP lists, custom expressions, or pre-configured WAF rules such as SQL injection or Cross-site scripting.
  3. Attach the Google Cloud Armor security policy to a backend service of the external HTTP(S) load balancer for which you want to control access.
  4. Update the Google Cloud Armor security policy as needed.

For the detailed instructions, see the Google Cloud Armor how-to guides.
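As an added example (not part of this tutorial or of Google's own how-to guides), the following script carries out the Cloud CDN enablement described earlier and the four-step Google Cloud Armor procedure above with gcloud, one shell function per step. The backend service and policy names, the 203.0.113.0/24 range and the country code XX are hypothetical placeholders, and setting GCLOUD to echo prints the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example, not Google's code. Set GCLOUD=echo to dry-run the commands.
GCLOUD=${GCLOUD:-gcloud}

# Cloud CDN: turn on edge caching for the load balancer's backend service.
enable_cdn() {            # $1 = backend service name
  "$GCLOUD" compute backend-services update "$1" --global --enable-cdn
}

# Step 1: create an empty Google Cloud Armor security policy.
create_policy() {         # $1 = policy name
  "$GCLOUD" compute security-policies create "$1" \
    --description="Edge protection for the external HTTP(S) load balancer"
}

# Step 2: add rules. Lower priority numbers are evaluated first and the first
# matching rule's action wins; priority 2147483647 is the policy's default rule.
add_ip_deny_rule() {      # $1 = policy, $2 = priority, $3 = comma-separated CIDRs
  "$GCLOUD" compute security-policies rules create "$2" --security-policy="$1" \
    --src-ip-ranges="$3" --action=deny-403
}
add_geo_deny_rule() {     # $1 = policy, $2 = priority, $3 = two-letter country code
  "$GCLOUD" compute security-policies rules create "$2" --security-policy="$1" \
    --expression="origin.region_code == '$3'" --action=deny-403
}
add_waf_rule() {          # $1 = policy, $2 = priority, $3 = preconfigured rule set
  "$GCLOUD" compute security-policies rules create "$2" --security-policy="$1" \
    --expression="evaluatePreconfiguredExpr('$3')" --action=deny-403
}

# Step 3: attach the policy to the backend service behind the load balancer.
attach_policy() {         # $1 = backend service, $2 = policy
  "$GCLOUD" compute backend-services update "$1" --global --security-policy="$2"
}

# The whole procedure. Cheap IP and geo checks get lower priority numbers so
# they are evaluated before the more expensive WAF expressions.
# (Step 4, updating the policy later, reuses the add_*_rule functions.)
deploy() {
  enable_cdn demo-web-backend
  create_policy demo-web-policy
  add_ip_deny_rule demo-web-policy 100 203.0.113.0/24   # placeholder range
  add_geo_deny_rule demo-web-policy 200 XX              # placeholder country code
  add_waf_rule demo-web-policy 300 sqli-stable
  add_waf_rule demo-web-policy 310 xss-stable
  attach_policy demo-web-backend demo-web-policy
}
```

Run `GCLOUD=echo sh -c '. ./deploy.sh; deploy'` first to review the seven commands, then run `deploy` with the real gcloud binary in a project where the backend service already exists.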

Next steps