Are you currently experiencing an attack?

Are you currently experiencing an attack?

Google Cloud Armor: How to convert it into a full web security solution

During the first quarter of 2018, Google launched Cloud Armor, a new distributed-denial-of-service (DDoS) and application defense service. Cloud Armor leverages the same technologies that Google uses to protect its Internet-facing applications (such as YouTube and Google Search) from DDoS attacks. With this release, Google made years of work on security defense engineering available to customers, who can now start using it as part of their GCP platform.

A framework, not a WAF

Cloud Armor is a security framework, not a security solution. It does some things very well, but it doesn’t do everything that is needed for robust web security.

In this post, we explore Cloud Armor’s capabilities and limitations, the scope of its coverage, and how Reblaze converts Cloud Armor into a full-featured web security solution.

Cloud Armor basics

Cloud Armor is deployed at the edge of Google’s network to protect its customers from various attacks.

Currently, Cloud Armor is in the beta phase, with initial support for global HTTP(S) Load Balancing and Kubernetes Engine. The key features of the beta release are:

  • IP-based access control (for accepting or blocking traffic based on IP and/or CIDR)
  • Preview mode (for testing security rules without enforcing them)
  • Logging support with Stackdriver Service Monitoring
  • Geo-based access control
  • Rich rules language (currently in alpha)

These are described more fully below. First, let’s discuss Cloud Armor’s capabilities as a web security platform.

Not a Complete Security Solution

Cloud Armor can handle volumetric DDoS attacks, and can enforce simple rules such as IP or geolocation blacklisting/whitelisting. To receive protection beyond this, users must create additional rulesets themselves. This requires users to analyze traffic logs and create complicated rulesets, which are comprehensive enough to cover the current Internet threat environment. It also requires users to be continually vigilant and keep their rulesets updated as traffic patterns change. This all requires a level of security expertise (not to mention the time commitment) that is not available within most organizations. Manual ruleset management is not realistic.

Reblaze converts Cloud Armor into an automated, comprehensive web security platform

Reblaze Technologies is one of Cloud Armor’s security partners, and together, Reblaze and Cloud Armor form a complete web security solution for GCP customers. Although Reblaze can be used as an independent solution, it also integrates seamlessly with Google Cloud Platform. For GCP users, Reblaze is an excellent “threat detection engine” for Cloud Armor — Reblaze detects hostile traffic, and Cloud Armor blocks it at the network edges.

Reblaze offers a rich set of security features that help customers secure their applications. These include:

  • Full management by Reblaze personnel. GPC users don’t need to create their own rules for Cloud Armor, or keep them updated — this is done for them automatically.
  • Industry-leading threat detection built on machine learning and deep behavioral analysis, based on the 3.5 billion http(s) requests processed and analyzed by Reblaze each day.
  • A 360-degree view platform with rich dashboards, allowing customers to see a full view (from granular to full overview) of their traffic and how Reblaze protects their applications.

Try it for yourself, directly from your Console

Reblaze is deployable in minutes from Google Cloud Platform Marketplace. Just click on this link and then choose “Launch on Compute Engine.”

If you have any questions, or would like to see a demo, we’re happy to help. Just send an email to, or fill out the form at We’ll be in touch soon.

Addendum: Cloud Armor in depth

Here are more in-depth descriptions of Cloud Armor and its current features.


Cloud Armor’s central pillar is the Cloud Armor security policy framework. This framework allows for the definition of network policies, which are combinations of security rules that are evaluated for incoming traffic. Each rule has a match condition, and an associated action: to block, allow, or preview (take no action on) the traffic. If any of the incoming traffic matches the rule conditions, the action is taken.

Each security policy can have multiple rules, and each rule has a priority number. The rules are evaluated based on these numbers — the lower the priority number, the higher the priority it gets. As soon as any priority-matched rule is matched for incoming traffic, the other rules are not evaluated. The same security policy can be applied to multiple backend services, but a backend service can only reference one security policy.

IP-Based Access Control

IP-based access control allows security administrators to accept traffic only from trusted sources and/or reject incoming traffic from blacklisted sources. It supports both IPv4 and IPv6 addresses, as well as CIDRs.

Example use case: an organization hosts a public application for its employees that should only be accessible from its worldwide office locations. In such a case, the security administrator can build a security policy with multiple rules, where each security rule only allows incoming traffic from its worldwide office IP addresses or CIDR ranges. In these instances, traffic originating from any other locations will be automatically blocked. Not only can the security administrator block the traffic based on the IPs, but they can also set the error code (403, 404, or 502, for example) as part of the response to those requests.

Preview Mode

Preview mode is helpful when there is uncertainty about the implication of enabling a rule. When a rule is enabled in preview mode, the actions are not enforced, but the effects of the rule are visible in the Stackdriver logs. Based on the logs, a security administrator can better understand the implications of defined rules before going live and enforcing them.

Logging Support

Logging plays a vital role in helping security administrators identify the rules that should be enabled for their applications. To this end, Stackdriver Logging support is included in Cloud Armor’s features; all HTTP(S) Load Balancing logs are registered with additional information about the security policy name, matched rules, and associated actions that help administrators see the applicability of the rules and how they secure their applications.

Geo-Based Access Control (Beta)

Along with IP-based access control, GCP has also released support for geolocation-based access controls for incoming traffic. This enables security administrators to allow and block incoming traffic from specific geographic locations, e.g. countries in which their companies don’t operate, or from which they witness a high number of attacks.

Rich Rules Language (Alpha)

One of Cloud Armor’s most anticipated features, currently in the alpha stage, is its rich rules language. This will provide security functionality to Cloud Armor by allowing administrators to define specific attack patterns. It will provide complete coverage by extending security from Layer 3 to Layer 7, and will protect applications from various application security exploits, such as SQL injection and cross-site scripting. You can request access to this feature here.

Get your price quote

Fill out your email below, and we will send you a price quote tailored to your needs

This website uses cookies to ensure you get the best experience on our website.