Google this week launched its own DDoS protection service, Cloud Armor. In a blog post, Google Cloud Platform (GCP) announced it alongside several other new services designed to boost security. These include a dashboard covering GCP services such as Compute Engine and Cloud Datastore, which lets customers “view and monitor an inventory of your cloud assets, scan storage systems for sensitive data, detect common web vulnerabilities and review access rights to your critical resources.”
As well as providing DDoS protection, Cloud Armor is also an application defense service. It is built on the same technologies and global infrastructure as Google’s other products, including Gmail, YouTube and Search.
Global HTTP(S) Load Balancing offers built-in defense against infrastructure (network-layer and transport-layer) DDoS attacks. To activate Cloud Armor, users only need to configure HTTP(S) Load Balancing and attach a Cloud Armor security policy to it; traffic that reaches instances directly, bypassing the load balancer, is not covered.
Pricing is set at $5 per Cloud Armor policy per month; with a $1 per rule per policy per month charge. Incoming requests are priced at $0.75 per million HTTP(S) requests. Users can access a free trial. IP Blacklist/whitelist for HTTP(S) Load Balancing is offered free of charge for the Beta release. Normal load balancing pricing applies to users’ load balanced traffic.
Cloud Armor works with Cloud HTTP(S) Load Balancing. It provides IPv4 and IPv6 whitelisting/blacklisting, defends against application-aware attacks including cross-site scripting (XSS) and SQL injection (SQLi), and supplies geography-based access control.
Google’s “Rich Rules Language” enables the creation of customized defenses. Any combination of Layer 3 to Layer 7 parameters and geolocation can be used to protect a deployment against multi-vector attacks. Predefined rules can also be deployed to mitigate XSS and SQLi. Alpha features of the rules language are currently available only to select customers, but the company says they “will be more generally available soon”.
Cloud Armor also offers visibility into which traffic has been blocked and which has been allowed through. As each incoming request arrives, a log entry is sent to Stackdriver Logging together with the action the matching Cloud Armor rule took on that request. Preview mode lets the user understand service access patterns before fully enabling policies: a rule in preview mode has its action logged as if it had been applied, but the action is not enforced and evaluation continues with the next rule, so the operator can verify that the intended traffic sources would be blocked or let through before turning enforcement on. IP-based access control enforces access decisions based on IPv4 and IPv6 addresses or CIDR ranges.
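To make the evaluation semantics concrete (rules are tried in ascending priority number, the first enforced match decides the request, a matching preview rule is only logged, and a default rule at priority 2147483647 catches everything else), the following local simulator of a Cloud Armor-style security policy is an added example; it is not Google's code and does not call any Google API. The IP ranges are RFC 5737 and RFC 3849 documentation addresses, the traffic sample and the region code "AQ" are constructed, the ANDing of IP and region criteria within one rule is an assumption standing in for the rules language, and the log field names (enforcedSecurityPolicy, previewSecurityPolicy, configuredAction, outcome) are modeled on the shape of Cloud Armor's Stackdriver entries rather than copied from them.

```python
"""Local simulator of a Cloud Armor-style security policy (added example, not Google's code)."""
import ipaddress
from dataclasses import dataclass, field

DEFAULT_RULE_PRIORITY = 2147483647  # Cloud Armor reserves this priority for the default rule


@dataclass
class Rule:
    priority: int                                       # lower number = evaluated earlier
    action: str                                         # "allow", "deny(403)", "deny(404)", "deny(502)"
    src_ip_ranges: list = field(default_factory=list)   # IPv4/IPv6 CIDRs; empty = no IP constraint
    region_codes: list = field(default_factory=list)    # ISO 3166-1 alpha-2 codes; empty = no constraint
    preview: bool = False                               # log the action but do not enforce it
    description: str = ""

    def matches(self, src_ip: str, region: str) -> bool:
        # Assumption for this simulator: every configured criterion must match (logical AND).
        addr = ipaddress.ip_address(src_ip)
        if self.src_ip_ranges and not any(
            addr in ipaddress.ip_network(cidr, strict=False) for cidr in self.src_ip_ranges
        ):  # ipaddress returns False for an IPv4 address tested against an IPv6 network and vice versa
            return False
        if self.region_codes and region not in self.region_codes:
            return False
        return True


@dataclass
class SecurityPolicy:
    name: str
    rules: list

    def validate(self) -> bool:
        """Checks a practitioner would make before attaching the policy to a backend service."""
        priorities = [r.priority for r in self.rules]
        if len(priorities) != len(set(priorities)):
            raise ValueError("rule priorities must be unique")
        defaults = [r for r in self.rules if r.priority == DEFAULT_RULE_PRIORITY]
        if len(defaults) != 1 or defaults[0].src_ip_ranges or defaults[0].region_codes:
            raise ValueError("exactly one unconditional default rule at priority %d is required"
                             % DEFAULT_RULE_PRIORITY)
        if defaults[0].preview:
            raise ValueError("the default rule cannot be in preview mode")
        return True

    def evaluate(self, src_ip: str, region: str):
        """Returns (enforced_action, log_entry). Rules are tried in ascending priority; the
        first enforced match wins. The first matching preview rule is recorded in the log
        and evaluation continues, which is what lets preview mode show what *would* happen."""
        log = {"remoteIp": src_ip, "regionCode": region, "policy": self.name,
               "previewSecurityPolicy": None, "enforcedSecurityPolicy": None}
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if not rule.matches(src_ip, region):
                continue
            entry = {"priority": rule.priority, "configuredAction": rule.action,
                     "outcome": "ACCEPT" if rule.action == "allow" else "DENY"}
            if rule.preview:
                if log["previewSecurityPolicy"] is None:
                    log["previewSecurityPolicy"] = entry
                continue
            log["enforcedSecurityPolicy"] = entry
            return rule.action, log
        raise RuntimeError("no rule matched; validate() should have rejected a policy without a default rule")


def build_sample_policy(geo_rule_preview: bool = True) -> SecurityPolicy:
    # Constructed example policy (hypothetical ranges and region); the geo block starts in preview.
    policy = SecurityPolicy("edge-policy", [
        Rule(100, "deny(403)", src_ip_ranges=["203.0.113.0/24"], description="known scanner block"),
        Rule(200, "deny(403)", region_codes=["AQ"], preview=geo_rule_preview,
             description="geo block under evaluation"),
        Rule(300, "allow", src_ip_ranges=["198.51.100.0/24", "2001:db8::/32"],
             description="partner allowlist"),
        Rule(DEFAULT_RULE_PRIORITY, "allow", description="default rule"),
    ])
    policy.validate()
    return policy


# Constructed (source IP, region) pairs standing in for a slice of load balancer traffic.
SAMPLE_TRAFFIC = [
    ("203.0.113.7", "US"),
    ("192.0.2.10", "AQ"),
    ("2001:db8::1", "US"),
    ("198.51.100.9", "AQ"),
]


def preview_report(policy: SecurityPolicy, traffic):
    """Lists requests whose outcome would change once the preview rules are enforced."""
    changes = []
    for ip, region in traffic:
        enforced, log = policy.evaluate(ip, region)
        previewed = log["previewSecurityPolicy"]
        if previewed and previewed["configuredAction"] != enforced:
            changes.append((ip, region, enforced, previewed["configuredAction"], previewed["priority"]))
    return changes


if __name__ == "__main__":
    policy = build_sample_policy()
    for ip, region in SAMPLE_TRAFFIC:
        print(ip, region, policy.evaluate(ip, region))
    print("would change once enforced:", preview_report(policy, SAMPLE_TRAFFIC))
```

Running the report against the sample traffic surfaces the ordering mistake the policy contains: the geo block at priority 200 sits ahead of the partner allowlist at 300, so once preview is switched off, partner traffic from the blocked region (198.51.100.9) is denied before the allowlist is ever consulted. Catching that before enforcement, by reading the preview entries in the logs and moving the allowlist to a lower priority number, is exactly what preview mode is for.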
Detailed How-to Guide instructions on how to configure Cloud Armor’s security policies are available on the Google Cloud website.