Overview of reCAPTCHA Enterprise for WAF and Google Cloud Armor integration

Google Cloud Armor is the built-in web application firewall (WAF) and distributed denial-of-service (DDoS) mitigation service offered by Google Cloud. Google Cloud Armor helps you protect your Google Cloud websites and services from multiple types of threats, including DDoS attacks and application attacks, such as cross-site scripting (XSS) and SQL injection (SQLi). reCAPTCHA Enterprise for WAF is a solution that is deployed as a service to enable WAFs to help you protect your site from spam and abuse. reCAPTCHA Enterprise for WAF uses advanced risk analysis techniques to distinguish between legitimate and fraudulent requests.

The reCAPTCHA Enterprise for WAF and Google Cloud Armor integration provides bot detection at the WAF layer to detect, stop, or manage automated activity accessing your websites or services.

Integration workflow

In this integration, reCAPTCHA Enterprise for WAF and Google Cloud Armor interact in two ways:

  • Google Cloud Armor interacts with reCAPTCHA Enterprise for WAF to serve reCAPTCHA challenge pages to the end users.

    In this interaction, the following events take place:

    1. A user accesses your website.
    2. Google Cloud Armor redirects the traffic based on your configured security policy rules.
    3. reCAPTCHA Enterprise for WAF attaches an exemption cookie to the browser of the user who passes the reCAPTCHA assessment.
    4. Google Cloud Armor allows access to requests that have valid exemption cookies.

    [Diagram: simplified representation of how Google Cloud Armor interacts with reCAPTCHA Enterprise for WAF to serve reCAPTCHA challenges to end users]

  • Google Cloud Armor interacts with reCAPTCHA Enterprise for WAF to enforce frictionless assessment.

    In this interaction, the following events take place:

    1. The end user triggers an HTML action protected by reCAPTCHA Enterprise for WAF.
    2. reCAPTCHA Enterprise for WAF issues an encrypted token that contains the reCAPTCHA Enterprise assessment and the associated attributes.
    3. The reCAPTCHA token is attached to the follow-up requests.
    4. Google Cloud Armor decrypts this token. Based on the token attributes and the configured security rules, Google Cloud Armor allows, blocks, or redirects the incoming requests.

    [Diagram: simplified representation of how Google Cloud Armor interacts with reCAPTCHA Enterprise for WAF to enforce frictionless assessment]
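
As an added example (not part of the original page), here is how the final step of each workflow above can be expressed as a Google Cloud Armor security policy, in the YAML form accepted by `gcloud compute security-policies import`. The policy name, the `/login` path and the score thresholds are assumptions; the `token.recaptcha_*` attributes come from the Google Cloud Armor rules language rather than from this page.

```yaml
# Constructed example: name, path and thresholds are assumptions.
name: recaptcha-waf-example
type: CLOUD_ARMOR
rules:
# Challenge workflow, step 4: a valid exemption cookie is allowed through.
- priority: 1000
  action: allow
  description: Visitor already passed a reCAPTCHA challenge
  match:
    expr:
      expression: "request.path.matches('/login') && token.recaptcha_exemption.valid"
# Frictionless workflow, step 4: decide on the attributes of the token.
- priority: 2000
  action: allow
  description: Valid token with a high score
  match:
    expr:
      expression: "request.path.matches('/login') && token.recaptcha_action.valid && token.recaptcha_action.score >= 0.8"
- priority: 3000
  action: deny(403)
  description: Valid token with a low score
  match:
    expr:
      expression: "request.path.matches('/login') && token.recaptcha_action.valid && token.recaptcha_action.score < 0.3"
# Everything else on the protected path (mid-range score, or no valid
# token at all) is redirected to a reCAPTCHA challenge page.
- priority: 4000
  action: redirect
  description: Challenge requests that were not decided above
  redirectOptions:
    type: GOOGLE_RECAPTCHA
  match:
    expr:
      expression: "request.path.matches('/login')"
# Default rule for traffic outside the protected path.
- priority: 2147483647
  action: allow
  description: Default rule
  match:
    versionedExpr: SRC_IPS_V1
    config:
      srcIpRanges:
      - "*"
```

Rules are evaluated in priority order, lowest number first, and the first match decides the action. A request to the protected path that carries no valid token therefore falls through to the challenge redirect instead of being allowed.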

When to use reCAPTCHA Enterprise for WAF and Google Cloud Armor integration

Use this integration when you need to deploy effective strategies that detect, stop, or manage automated malicious activity that is attempting to access your websites or services.

Benefits

The reCAPTCHA Enterprise for WAF and Google Cloud Armor integration provides the following benefits:

  • Reduces the integration complexity with reCAPTCHA Enterprise for WAF because you don't need to modify your protected applications or application servers to fetch or enforce reCAPTCHA Enterprise assessments.
  • Mitigates bot traffic at the edge of Google's network, before the traffic reaches the protected application.

What's next

  • Learn about the various features offered by the reCAPTCHA Enterprise for WAF and Google Cloud Armor integration.