Cloud Armor

Google Cloud Armor offers a policy framework and rules language for customizing access to internet-facing applications and deploying defenses against denial of service attacks.

Google Cloud Security Services Cheat Sheet

~ Last updated on : ~ jayendrapatil

Cloud Armor

  • Cloud Armor protects the applications from multiple types of threats, including distributed denial-of-service (DDoS) attacks and application attacks like cross-site scripting (XSS) and SQL injection (SQLi).
  • Cloud Armor is offered in two service tiers: Cloud Armor Standard and Cloud Armor Enterprise (previously Managed Protection Plus).
  • Cloud Armor Standard includes:
    • Pay-as-you-go pricing
    • Always-on L3/L4 volumetric and protocol-based DDoS protection
    • Global and regional security policies
    • Preconfigured WAF rules (OWASP Top 10)
  • Cloud Armor Enterprise includes all Standard features plus:
    • Adaptive Protection with full ML-based L7 DDoS detection and suggested rules
    • Advanced network DDoS protection for external network LBs, protocol forwarding, and VMs with public IPs
    • Threat intelligence integration
    • Bot management with reCAPTCHA Enterprise integration
    • DDoS bill protection
    • Named IP lists
  • Cloud Armor supports applications deployed on Google Cloud, in a hybrid deployment, or in a multi-cloud architecture.
  • Cloud Armor is implemented at the edge of Google’s network in Google’s points of presence (PoP).
  • Security policies protect applications running behind a load balancer from DDoS and other web-based attacks
  • Backend service can have only one security policy associated with it
  • Prioritized rules define configurable match conditions, actions (allow or deny) and order in a security policy
  • Cloud Armor provides Preview mode that helps evaluate and preview the rules before going live.
  • Hierarchical Security Policies (GA Oct 2025) facilitate centralized control at the organization and folder level, enabling policy delegation and consistent enforcement across projects.
  • Enhanced WAF inspection (GA Feb 2026) expands request body inspection from 8 KB to 64 KB for all preconfigured WAF rules, improving detection of sophisticated malicious content.
  • Adaptive Protection uses ML to automatically detect and suggest mitigations for L7 DDoS attacks. Full alerts (with suggested rules) require Cloud Armor Enterprise; Standard provides basic alerts only.
  • Rate Limiting supports throttle and ban actions based on per-client request rates.

Cloud Identity-Aware Proxy

  • Identity-Aware Proxy (IAP) allows managing access to HTTP-based apps both on Google Cloud and outside of Google Cloud.
  • IAP is based on the BeyondCorp zero-trust security model, establishing a zero-trust perimeter on the public internet for secure remote work without the need for a traditional VPN.
  • IAP intercepts web requests sent to the application, authenticates the user making the request using Google Identity Service, and only lets the requests through if they come from an authorized user. In addition, it can modify the request headers to include information about the authenticated user.
  • IAP helps establish a central authorization layer for applications accessed by HTTPS to use an application-level access control model instead of relying on network-level firewalls.
  • IAP uses Google identities and IAM and can leverage external identity providers as well like OAuth with Facebook, GitHub, Microsoft, SAML, etc.
  • IAP can be configured to use JSON Web Tokens (JWT) as signed headers to make sure that a request to the app is authorized and doesn’t bypass IAP.
  • IAP for Cloud Run (2025) enables IAP directly on Cloud Run services in a single click, with no load balancers required and at no added cost for IAP itself.
  • Google Cloud does not charge for IAP (with some exceptions for programmatic workloads at high scale).
  • Note: The IAP OAuth Admin API was deprecated in January 2025 and shut down in September 2025. Use the IAM API for IAP resource management.

Sensitive Data Protection (formerly Cloud DLP)

  • Cloud Data Loss Prevention (Cloud DLP) has been renamed to Sensitive Data Protection (SDP), now encompassing a broader family of services for discovering, classifying, and protecting sensitive data.
  • Sensitive Data Protection is a fully managed service designed to help discover, classify, and protect the most sensitive data.
  • provides two key features:
    • Classification is the process to inspect the data and know what data we have, how sensitive it is, and the likelihood.
    • De-identification is the process of removing, masking, replacing information from data.
  • uses information types – or infoTypes – to define what it scans like credit card numbers, email addresses, etc.
  • provides various built-in infoType detectors and supports custom ones
  • supports inspection rules to fine-tune scan results using:
    • Exclusion rules decrease the number of findings
    • Hotword rules increase the quantity or change the likelihood value of findings
  • provides likelihood, which indicates how likely it is that a piece of data matches a given infoType like VERY_LIKELY or POSSIBLE, etc.
  • supports Text Classification and Reduction
  • supports Image Classification and Reduction, where the image is handled using its base64 encoded version
  • supports storage classification with scans on data stored in Cloud Storage, BigQuery, Datastore, and Cloud SQL
  • supports scanning of binary, text, image, Microsoft Word, PDF, and Apache Avro files
  • supports Templates to decouple configuration from implementation and manage large-scale rollouts
  • Discovery Service (continuous monitoring) automatically discovers, classifies, and profiles data across the organization, folder, or project, identifying where sensitive and high-risk data reside.
  • Discovery for Vertex AI (2025) extends automated data discovery to Vertex AI datasets and tuning jobs, helping understand data sensitivity in AI training and fine-tuning data.
  • Conversational content inspection (2026) supports inspecting and de-identifying conversational content within ContentItem requests.
  • Sensitive Data Protection is deeply integrated with Security Command Center, feeding data risk insights into the SCC risk engine.
  • Note: Integration with Data Catalog was deprecated (Sept 2025) and discontinued (Jan 2026). SDP discovery results now flow to Security Command Center instead.

Security Command Center – SCC

  • is a Security and risk management platform for Google Cloud
  • helps generate curated insights that provide a unique view of incoming threats and attacks to the assets, which include organization, projects, instances, and applications
  • displays possible security risks, called findings, that are associated with each asset.
  • is available in three tiers: Standard, Premium, and Enterprise (Enterprise is deprecated, shutting down May 21, 2027)
  • SCC Standard Tier (Enhanced, April 2026) is now automatically enabled for eligible customers and includes:
    • AI Protection dashboard with detection of unprotected Gemini inference and guardrail violations
    • 44+ misconfiguration checks based on Google Cloud Security Essentials (GCSE) framework
    • Agentless critical vulnerability scanning
    • Graph-driven risk insights
    • Data Security Posture Management (DSPM) for Vertex AI, BigQuery, and Cloud Storage
    • Compliance Manager with automated monitoring against GCSE
  • SCC Premium Tier adds:
    • Full Security Health Analytics vulnerability scanning
    • Event Threat Detection
    • Container Threat Detection
    • Virtual Machine Threat Detection
    • Cloud Run Threat Detection
    • Attack path simulation and risk scoring
  • provides built-in services:
    • Security Health Analytics provides managed vulnerability assessment scanning that can automatically detect the highest severity vulnerabilities and misconfigurations across assets.
    • Web Security Scanner custom scans provide granular information about application vulnerability findings like outdated libraries, XSS, etc.
    • Sensitive Data Protection (formerly Cloud DLP) discovers, classifies, and protects sensitive data
    • Cloud Armor protects Google Cloud deployments against threats
    • Container Threat Detection can detect the most common container runtime attacks
    • Virtual Machine Threat Detection scans VMs to detect potentially malicious applications such as cryptocurrency mining software, kernel-mode rootkits, and malware
    • Cloud Run Threat Detection continuously monitors Cloud Run resources to detect common runtime attacks
    • Event Threat Detection monitors the organization’s Cloud Logging stream and consumes logs to detect Malware, Cryptomining, brute-force attacks, and identity-based attacks
    • Phishing Protection helps prevent users from accessing phishing sites by classifying malicious content that uses the brand and reporting the unsafe URLs to Google Safe Browsing
    • Continuous Exports, which automatically manage the export of new findings to Pub/Sub.
  • Note: The Anomaly Detection service has been replaced by Event Threat Detection and VM Threat Detection capabilities.
  • Note: Forseti Security (open-source toolkit) has been archived and is no longer maintained. Use SCC built-in services instead.
  • Note: SCC Enterprise tier was deprecated May 21, 2026 and will shut down May 21, 2027. Organizations will automatically move to Premium tier.

DDoS Protection and Mitigation

  • Distributed Denial of Service (DDoS) Protection and Mitigation is a shared responsibility between Google Cloud and the Customer
  • DDoS attack is an attempt to render the service or application unavailable to the end-users using multiple sources
  • DDoS Protection and Mitigation Best Practices
    • Reduce the Attack Surface
      • Isolate and secure network using VPC, subnets, firewall rules, tags and IAM
      • Google provides Anti-spoofing protection and Automatic isolation between virtual networks
    • Isolate Internal Traffic
      • Use private IPs and avoid using Public IPs
      • Use NAT Gateway and Bastion host
      • Use Internal Load Balancer for internal traffic
    • Enable Proxy-based Load Balancing
      • HTTP(S) or SSL proxy load balancer uses GFE that helps mitigate and absorb layer 4 and other attacks
      • Disperse traffic across multiple regions
    • Scale to Absorb the Attack
      • Use GFE for protection
      • Use Anycast-based load balancing to provide single anycast IP to FE
      • Use Autoscaling to scale backend services as per the demand
    • Protection using CDN Offloading
      • CDN acts as a proxy and can help render cache content reducing the load on the origin servers
    • Deploy Cloud Armor for WAF and DDoS Protection
      • Cloud Armor Enterprise provides advanced DDoS protection, adaptive protection, and DDoS bill protection
    • App Engine Deployment
      • A fully multi-tenant system with isolation
    • Google Cloud Storage
      • Use signed URLs to access Google Cloud Storage
    • API Rate Limiting
      • Define rate limiting based on the number of allowed requests
      • API Rate limits are per applied per-project basis
      • Cloud Armor supports rate limiting with throttle and ban actions
    • Resource Quotas
      • Quotas help prevent unforeseen spikes in usage

Access Context Manager

  • Access Context Manager allows organization administrators to define fine-grained, attribute-based access control for projects and resources
  • helps prevent data exfiltration
  • helps reduce the size of the privileged network and move to a model where endpoints do not carry ambient authority based on the network.
  • helps define desired rules and policy but isn’t responsible for policy enforcement. The policy is configured and enforced across various points, such as VPC Service Controls.
  • supports custom organization policies (GA 2025) for creating custom constraints beyond the built-in access levels.
  • supports individual VPC network members in a perimeter and ingress rules to authorize specific VPC networks to access a perimeter.
  • works with Chrome Enterprise Premium (formerly BeyondCorp Enterprise) for context-aware access that integrates device trust, user identity, and location into access decisions.

Model Armor (New – 2025)

  • Model Armor is a Google Cloud service designed to enhance the security and safety of AI applications that use Large Language Models (LLMs).
  • Works by proactively screening LLM prompts and responses, protecting against various risks and ensuring responsible AI practices.
  • Key capabilities:
    • Prompt injection detection — detects and blocks prompt injection and jailbreak attempts
    • Sensitive data protection — detects and prevents exposure of PII, financial info, and credentials in prompts and responses
    • Content safety — filters harmful, toxic, or inappropriate content
    • Policy enforcement — identifies and reports potential policy violations and can actively block actions
  • Protects all LLMs (including Gemini, OpenAI, Anthropic, Llama, and more) via a REST API.
  • Offers no-code in-line protection integrated with Google Cloud services including Gemini Enterprise Agent Platform.
  • Can integrate with Agent Gateway for securing agentic AI workflows (2026).
  • Integrated with Security Command Center for AI security posture visibility.

FIPS 140-2 / 140-3 Validated

  • The NIST developed the Federal Information Processing Standard (FIPS) Publication 140-2 (and its successor FIPS 140-3) as a security standard that sets forth requirements for cryptographic modules, including hardware, software, and/or firmware, for U.S. federal agencies.
  • FIPS 140-2/140-3 Validated certification was established to aid in the protection of digitally stored unclassified, yet sensitive, information.
  • Google Cloud Platform uses a FIPS 140-2 validated encryption module called BoringCrypto in its production environment.
  • Google’s BoringCrypto module has also received a FIPS 140-3 certificate (#4735), reflecting the transition to the newer standard.
  • Certifications issued under FIPS 140-2 remain valid and acceptable for federal compliance programs until their expiration date.
  • Data in transit to the customer and between data centers, and data at rest are encrypted using FIPS 140-2 validated encryption (or newer).
  • BoringCrypto module that achieved FIPS 140-2/140-3 validation is part of the BoringSSL library.
  • BoringSSL library as a whole is not FIPS validated
  • In order to operate using only FIPS-validated implementations:
    • Google’s Local SSD storage product is automatically encrypted with NIST approved ciphers, but Google’s current implementation for this product doesn’t have a FIPS validation certificate. If you require FIPS-validated encryption on Local SSD storage, you must provide your own encryption with a FIPS-validated cryptographic module.
    • Google automatically encrypts traffic between VMs that travels between Google data centers using NIST-approved encryption algorithms, but this implementation does not have a FIPS validation certificate. If you require this traffic to be encrypted with a FIPS-validated implementation, you must provide your own.
    • Clients connecting to Google infrastructure with TLS clients must be configured to require use of secure FIPS-compliant algorithms; if the TLS client and GCP’s TLS services agree on an encryption method that is incompatible with FIPS, a non-validated encryption implementation will be used.
    • Applications built and operated on GCP might include their own cryptographic implementations; in order for the data they process to be secured with a FIPS-validated cryptographic module, you must integrate such an implementation yourself.
  • All Google Cloud regions and zones currently support FIPS 140-2 validated encryption.
  • GKE supports FIPS 140-2 validated encryption using BoringCrypto, with nodes configured to use FIPS-compliant cryptographic modules.

Google Cloud Armor – DDoS Protection & WAF Rules

~ Last updated on : ~ jayendrapatil

Google Cloud Armor

🔄 Major Updates (2024-2026)

  • Cloud Armor Enterprise (formerly Managed Protection Plus) is now the premium tier with advanced DDoS, Threat Intelligence, and Adaptive Protection features.
  • Cloud CDN, Media CDN, and Cloud Storage are now supported via edge security policies.
  • Regional internal Application Load Balancer support is now GA (Oct 2024).
  • Hierarchical Security Policies for organization/folder-level policy management are GA (Oct 2025).
  • Enhanced WAF inspection up to 64 KB request body is GA (Feb 2026).
  • Match Condition Builder for visual CEL expression creation (March 2026).
  • Google Cloud Armor helps protect the applications from multiple types of threats, including distributed denial-of-service (DDoS) attacks and application attacks like cross-site scripting (XSS) and SQL injection (SQLi).
  • Google Cloud Armor is offered in two service tiers: Cloud Armor Standard and Cloud Armor Enterprise.
  • Cloud Armor provides always-on protection from L3 and L4 volumetric and network protocol-based DDoS attacks for applications behind supported load balancers.
  • Cloud Armor supports applications deployed on Google Cloud, in a hybrid deployment, or in a multi-cloud architecture.
  • Cloud Armor is implemented at the edge of Google’s network in Google’s points of presence (PoP).
  • Cloud Armor security policies can be attached to the following load balancers:
    • Global external Application Load Balancer (HTTP/HTTPS)
    • Classic Application Load Balancer (HTTP/HTTPS)
    • Regional external Application Load Balancer (HTTP/HTTPS)
    • Regional internal Application Load Balancer (HTTP/HTTPS)
    • Global external proxy Network Load Balancer (TCP/SSL)
    • Classic proxy Network Load Balancer (TCP/SSL)
    • External passthrough Network Load Balancer (TCP/UDP)
    • Cloud CDN (via edge security policies)
    • Media CDN (via edge security policies)

Cloud Armor Standard vs Cloud Armor Enterprise

  • Cloud Armor Standard
    • Pay-as-you-go pricing model
    • Always-on L3/L4 volumetric and protocol-based DDoS protection
    • Access to Cloud Armor WAF rule capabilities including preconfigured WAF rules for OWASP Top 10
    • Integration with Cloud CDN and Media CDN
    • Adaptive Protection (alerting only)
  • Cloud Armor Enterprise (formerly Managed Protection Plus)
    • Available in two pricing models: Annual ($3000/month per billing account) and Paygo ($200/month per project)
    • All features of Cloud Armor Standard
    • Bundled Cloud Armor WAF usage (rules, policy, and requests)
    • Third-party named IP address lists
    • Google Threat Intelligence for Cloud Armor
    • Adaptive Protection for L7 endpoints (full capabilities)
    • Advanced network DDoS protection for passthrough endpoints, protocol forwarding, and VMs with public IP addresses
    • DDoS attack visibility telemetry
    • Hierarchical security policies
    • DDoS bill protection (Annual only)
    • DDoS response team services (Annual only, with eligibility requirements)

Security Policies

  • Security policies protect applications by providing Layer 7 filtering and scrubbing incoming requests for common web attacks before traffic reaches load-balanced backend services or backend buckets.
  • Each security policy is made up of a set of rules configurable on attributes from Layer 3 through Layer 7.
  • Rules can filter traffic based on conditions such as IP address, IP range, region code, request headers, and more using Common Expression Language (CEL).
  • A backend service can have only one security policy associated with it.
  • Types of Security Policies:
    • Backend security policies (CLOUD_ARMOR) – filter HTTP requests targeting backend services before they hit origin servers
    • Edge security policies (CLOUD_ARMOR_EDGE) – filter HTTP requests targeting backend services (including Cloud CDN-enabled) and backend buckets (Cloud Storage) before requests are served from cache
    • Network edge security policies – filter traffic at the network edge for external passthrough NLB, protocol forwarding, and VMs with public IPs (Enterprise only)
    • Regional backend security policies – for regional internal Application Load Balancers

Security Policy Rules

  • Prioritized rules define configurable match conditions, actions, and order in a security policy.
  • Rule evaluation order is determined by rule priority, from the lowest number to the highest number.
  • Security policies are made up of rules that allow or prohibit traffic from IP addresses or ranges defined in the rule.
  • Rule Actions: allow, deny (with configurable HTTP status codes), throttle, rate-based ban, redirect.
  • Cloud Armor provides Preview mode that helps evaluate and preview the rules before going live.
  • Match Condition Builder (2026) allows creating complex CEL expressions visually without writing raw code.

Preconfigured WAF Rules

  • Preconfigured rules are complex WAF rules with dozens of signatures compiled from open source industry standards.
  • Help protect web applications from common attacks and mitigate the OWASP Top 10 risks.
  • Rule source is OWASP ModSecurity Core Rule Set (CRS) 4.22.
  • Can inspect up to the first 64 KB of request body content (configurable: 8 KB, 16 KB, 32 KB, 48 KB, or 64 KB) – GA as of Feb 2026.
  • Preconfigured rules can be tuned to disable noisy or unnecessary signatures.
  • Note: XML body parsing is not supported by Cloud Armor preconfigured WAF rules.

Rate Limiting

  • Rate limiting helps protect applications from a large volume of requests that could flood instances and block legitimate users.
  • Supports throttle action (rate limits requests per client) and rate-based ban action (temporarily bans clients exceeding a threshold).
  • Supports granular rate limiting with the ability to combine multiple keys.
  • Rate limiting keys include: IP address, HTTP headers, HTTP cookies, XFF IP, region code, ASN, JA4 fingerprint (GA June 2025).
  • Also supports internal service security policies for service mesh with global server-side rate limiting per client (Preview, July 2025).

Bot Management

  • Cloud Armor integrates natively with reCAPTCHA Enterprise for bot management.
  • Provides automated protection for applications from bots and helps stop fraud inline and at the edge.
  • Based on reCAPTCHA token attributes, Cloud Armor can allow, deny, rate-limit, or redirect incoming requests.
  • Helps detect and mitigate automated threats without impacting legitimate users.

Adaptive Protection

  • Adaptive Protection helps protect applications and services from L7 distributed DDoS attacks by analyzing patterns of traffic to backend services.
  • Detects and alerts on suspected attacks, and generates suggested WAF rules to mitigate such attacks.
  • Can be enabled on a per-security policy basis.
  • Granular models for Adaptive Protection are GA (July 2024), allowing more precise detection.
  • Cloud Armor Standard: alerting only. Cloud Armor Enterprise: full Adaptive Protection capabilities with automatic rule suggestions.
  • Supports automatic deployment of suggested rules.

Hierarchical Security Policies

  • Hierarchical security policies extend Cloud Armor WAF and DDoS protection beyond individual projects (GA October 2025).
  • Can be attached at the organization, folder, or project level.
  • Facilitate centralized control, enhanced consistency, operational efficiency, and effective delegation of security policy management.
  • Require Cloud Armor Enterprise enrollment for all projects that inherit the policy.
  • Support organization-scoped address groups (GA September 2025).

Advanced Network DDoS Protection

  • Available only to Cloud Armor Enterprise subscribers.
  • Provides additional protections for workloads using external passthrough Network Load Balancers, protocol forwarding, or VMs with public IP addresses.
  • Provides always-on attack monitoring and alerting, targeted attack mitigations, and mitigation telemetry.

Google Threat Intelligence

  • Cloud Armor integrates with Google Threat Intelligence to allow or block traffic based on categories of threat intelligence data.
  • Available for global external Application Load Balancers and classic Application Load Balancers.
  • Also supported in globally scoped edge security policies for Media CDN (GA September 2025).
  • Requires Cloud Armor Enterprise.

How Google Cloud Armor Works

Google Cloud Armor

  • Cloud Armor provides always-on DDoS protection against network or protocol-based volumetric DDoS attacks for applications behind supported load balancers.
  • Cloud Armor’s DDoS protection is always-on inline, scaling to the capacity of Google’s global network.
  • Cloud Armor is implemented at the edge of Google’s network in Google’s points of presence (PoP).
  • Cloud Armor security policies help allow or deny access at the Google Cloud edge, as close as possible to the source of incoming traffic.
  • Prevents unwelcome traffic from consuming resources or entering the VPC networks.
  • Backend services have access to security policies to enforce custom Layer 7 filtering policies, including pre-configured WAF rules.
  • Backends to the backend service can be:
    • VM instances in an instance group
    • Zonal network endpoint groups (zonal NEGs)
    • Internet network endpoint groups (internet NEGs)
    • Serverless NEGs
    • Hybrid connectivity NEGs
  • For hybrid or multi-cloud architectures, backends must be internet NEGs or hybrid connectivity NEGs.
  • Cloud Armor also protects serverless NEGs when traffic is routed through a load balancer.

Google Cloud Armor

GCP Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • GCP services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • GCP exam questions are not updated to keep up the pace with GCP updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You believe you have identified a potential malicious actor, but aren’t certain you have the correct client IP address. You want to identify this actor while minimizing disruption to your legitimate users. What should you do?
    1. Create a Cloud Armor Policy rule that denies traffic and review necessary logs.
    2. Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review necessary logs.
    3. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to disabled, and review necessary logs.
    4. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to enabled, and review necessary logs
  2. Your organization is experiencing a sudden spike in traffic to a web application behind a global external Application Load Balancer. Cloud Armor Adaptive Protection has detected a potential L7 DDoS attack and generated a suggested WAF rule. What should you do?
    1. Immediately apply the suggested rule in deny mode.
    2. Review the suggested rule, apply it in preview mode first, verify it targets attack traffic, then enable it.
    3. Disable the application until the attack subsides.
    4. Increase the number of backend instances to absorb the traffic.
  3. You need to protect multiple projects in your organization with a consistent set of Cloud Armor security policies. The security team wants centralized control while allowing individual project teams some flexibility. What should you use?
    1. Duplicate the same security policy in each project manually.
    2. Use a shared VPC with a single security policy.
    3. Use Cloud Armor hierarchical security policies at the organization or folder level.
    4. Create a Terraform module that deploys the same policy to all projects.
  4. You want to protect your Cloud CDN-enabled backend service from malicious requests before they are served from Google’s cache. Which type of Cloud Armor security policy should you use?
    1. Backend security policy (CLOUD_ARMOR)
    2. Edge security policy (CLOUD_ARMOR_EDGE)
    3. Network edge security policy
    4. Regional backend security policy
  5. Your company wants to rate-limit API requests to prevent abuse while allowing legitimate traffic. You need to limit requests per client based on a combination of IP address and a specific HTTP header. What Cloud Armor feature should you use?
    1. Preconfigured WAF rules
    2. Adaptive Protection
    3. Rate limiting with multiple keys (IP + HTTP header)
    4. Bot management with reCAPTCHA Enterprise
  6. You need advanced network DDoS protection for workloads behind an external passthrough Network Load Balancer. What is required?
    1. Cloud Armor Standard tier is sufficient.
    2. Attach a backend security policy to the NLB.
    3. Enroll the project in Cloud Armor Enterprise and enable advanced network DDoS protection for the region.
    4. Use Cloud Armor preconfigured WAF rules on the NLB.

References