Securing Cloud Applications with Google Cloud Armor: Enterprise WAF and DDoS Protection

Google Cloud Armor provides enterprise-grade DDoS protection and web application firewall (WAF) capabilities that integrate with Cloud Load Balancing.

Cloud Armor Defense Architecture

[Figure: Cloud Armor Architecture]

WAF Rule Execution Flow

[Figure: WAF Rule Execution]

Terraform Configuration

resource "google_compute_security_policy" "armor_policy" {
  name        = "cloud-armor-policy"
  description = "Enterprise Cloud Armor security policy"

  rule {
    action   = "deny(403)"
    priority = 100
    match {
      expr {
        expression = "evaluatePreconfiguredExpr('sqli-v33-stable')"
      }
    }
    description = "SQL injection protection"
  }

  rule {
    action   = "deny(403)"
    priority = 200
    match {
      expr {
        expression = "origin.region_code in ['CN', 'RU', 'KP']"
      }
    }
    description = "Geo-blocking"
  }

  rule {
    action   = "throttle"
    priority = 300
    match {
      expr {
        expression = "request.path.startsWith('/api/')"
      }
    }
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)"
      enforce_on_key = "IP"
      rate_limit_threshold {
        count        = 100
        interval_sec = 60
      }
    }
    description = "API rate limiting per client IP"
  }

  rule {
    action   = "allow"
    priority = 2147483647
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    description = "Default allow"
  }
}

Python SDK

from google.cloud import compute_v1

def create_security_policy(project_id, policy_name):
    """Create a Cloud Armor security policy with one preconfigured SQLi rule."""
    client = compute_v1.SecurityPoliciesClient()

    policy = compute_v1.SecurityPolicy()
    policy.name = policy_name

    # Lowest priority number is evaluated first; deny with HTTP 403 on a
    # match of the Google-maintained SQL injection signature set.
    rule1 = compute_v1.SecurityPolicyRule()
    rule1.priority = 100
    rule1.action = "deny(403)"
    rule1.match = compute_v1.SecurityPolicyRuleMatcher(
        expr=compute_v1.Expr(
            expression="evaluatePreconfiguredExpr('sqli-v33-stable')"
        )
    )

    # The API adds the default allow rule (priority 2147483647) itself when
    # no rule at that priority is supplied.
    policy.rules = [rule1]

    request = compute_v1.InsertSecurityPolicyRequest(
        project=project_id,
        security_policy_resource=policy
    )

    # insert() is asynchronous; result() blocks until the operation finishes
    # and raises if it failed.
    operation = client.insert(request=request)
    operation.result()

    print(f"Created: {policy_name}")

CEL Expressions

# Block suspicious query parameters
expression = """
has(request.query) && (
  request.query.contains('SELECT') ||
  request.query.contains('

Best Practices

  • Layer defenses: Combine IP, geo, WAF, rate limit rules
  • Use preconfigured rules: Google-maintained OWASP protection
  • Implement rate limiting: Protect APIs from abuse
  • Monitor Cloud Logging: Analyze blocked requests
  • Adaptive protection: ML-based anomaly detection (Plus tier)
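To put the "Monitor Cloud Logging" practice to work, here is an added example (not code from the original post) that summarises Cloud Armor decisions from load-balancer log lines: denies per rule priority, the clients denied most often, throttled requests, and hits on preview-mode rules that would have been blocked once enforced. The sample records and the _entry/_policy helpers are constructed for this example; the field names (enforcedSecurityPolicy, previewSecurityPolicy, configuredAction, outcome, priority) are assumed from the Cloud Logging schema for Cloud Armor.

```python
import json
from collections import Counter

# Constructed log records in the shape of the HTTP(S) load balancer entries
# that Cloud Armor annotates (field names assumed from the Cloud Logging
# schema, values made up for this example).
def _entry(ip, url, status, enforced, preview=None):
    payload = {"enforcedSecurityPolicy": enforced}
    if preview:
        payload["previewSecurityPolicy"] = preview  # rule set to preview mode
    return json.dumps({"httpRequest": {"remoteIp": ip, "requestUrl": url, "status": status},
                       "jsonPayload": payload})

def _policy(outcome, priority, action):
    return {"name": "cloud-armor-policy", "outcome": outcome,
            "priority": priority, "configuredAction": action}

SAMPLE_LOG_LINES = [
    _entry("203.0.113.10", "https://app.example/login?u=x%27%20OR%201%3D1", 403, _policy("DENY", 100, "DENY")),
    _entry("203.0.113.10", "https://app.example/api/items", 429, _policy("DENY", 300, "THROTTLE")),
    _entry("198.51.100.7", "https://app.example/api/items", 200, _policy("ACCEPT", 2147483647, "ALLOW")),
    _entry("198.51.100.7", "https://app.example/admin", 200, _policy("ACCEPT", 2147483647, "ALLOW"),
           preview=_policy("DENY", 150, "DENY")),
    _entry("203.0.113.10", "https://app.example/search?q=SELECT", 403, _policy("DENY", 100, "DENY")),
]

def summarize(lines):
    """Count enforced denies per rule priority and per client IP, throttles,
    and requests that a preview-mode rule would have denied if enforced."""
    denies_by_priority, denied_ips = Counter(), Counter()
    throttled = preview_would_deny = 0
    for line in lines:
        rec = json.loads(line)
        ip = rec.get("httpRequest", {}).get("remoteIp")
        payload = rec.get("jsonPayload", {})
        enforced = payload.get("enforcedSecurityPolicy", {})
        preview = payload.get("previewSecurityPolicy", {})
        if enforced.get("outcome") == "DENY":
            denies_by_priority[enforced.get("priority")] += 1
            denied_ips[ip] += 1
            if enforced.get("configuredAction") == "THROTTLE":
                throttled += 1
        # Preview rules are logged but not enforced; a DENY here is the
        # false-positive signal to review before switching the rule to enforce.
        if preview.get("outcome") == "DENY" and enforced.get("outcome") != "DENY":
            preview_would_deny += 1
    return {"denies_by_priority": dict(denies_by_priority),
            "top_denied_ips": denied_ips.most_common(3),
            "throttled": throttled, "preview_would_deny": preview_would_deny}
```

Run summarize(SAMPLE_LOG_LINES) to get the counts; on exported Cloud Logging JSON, feed it one entry per line instead of the constructed sample.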
