Google Cloud DDoS Protection and Mitigation
- A Denial of Service (DoS) attack is an attempt to render the service or application unavailable to the end-users.
- With Distributed Denial of Service (DDoS) attacks, the attackers use multiple resources (often a large number of compromised hosts/instances) to orchestrate large-scale attacks against targets.
- Successfully thwarting and handling DDoS attacks is a shared responsibility between Google Cloud and you.
- DDoS defense involves deploying detection systems, implementing barriers, and being able to absorb attacks by scaling in order to prevent attackers from overwhelming or disabling access to the services or applications.
- Google Cloud Armor is Google Cloud’s primary DDoS protection and Web Application Firewall (WAF) service, providing always-on Layer 3/4 DDoS protection and configurable Layer 7 application security.
Google Cloud Armor
- Google Cloud Armor is the managed DDoS protection and WAF service that defends applications behind Google Cloud load balancers.
- Provides always-on Layer 3 and Layer 4 (L3/L4) volumetric and network protocol-based DDoS attack protection.
- Integrates with Global external Application Load Balancer, Classic Application Load Balancer, Regional external Application Load Balancer, External passthrough Network Load Balancer, Global external proxy Network Load Balancer, Cloud CDN, and Media CDN.
- Offers Web Application Firewall (WAF) with preconfigured rules for OWASP Top 10 protection.
- Supports IP allowlists/denylists, geo-based access control, custom rules using a flexible rules language, and request header-based filtering.
Cloud Armor Standard vs. Cloud Armor Enterprise
- Cloud Armor Standard
  - Pay-as-you-go pricing model (per policy, per rule, per request).
  - Always-on L3/L4 volumetric and network protocol-based DDoS attack protection.
  - Access to WAF capabilities including preconfigured WAF rules for OWASP Top 10.
  - Automatically enrolled for all projects with external Application Load Balancer or external proxy Network Load Balancer.
- Cloud Armor Enterprise (formerly Managed Protection Plus)
  - Available in two pricing models: Annual ($3,000/month per billing account) and Paygo ($200/month per project).
  - Includes all Standard features plus:
    - Bundled Cloud Armor WAF usage
    - Third-party named IP address lists
    - Google Threat Intelligence for Cloud Armor
    - Adaptive Protection for Layer 7 endpoints
    - Advanced network DDoS protection for passthrough endpoints (external passthrough NLB, protocol forwarding, VMs with public IPs)
    - DDoS attack visibility telemetry
    - Hierarchical security policies
  - Annual tier additionally includes DDoS bill protection and DDoS response team access (requires DDoS posture review for subscriptions after Sept 3, 2024).
Adaptive Protection
- Uses machine learning to detect and mitigate Layer 7 (application-layer) DDoS attacks such as HTTP floods.
- Monitors traffic patterns and automatically recommends new Cloud Armor rules when anomalous activity is detected.
- Can automatically deploy suggested rules to block detected attacks.
- Provides alerting in Cloud Armor Standard; full mitigation capabilities require Cloud Armor Enterprise.
- Best suited for volumetric L7 protection.
Advanced Network DDoS Protection
- Provides always-on attack detection and mitigation for volumetric network and protocol DDoS attacks (SYN floods, UDP floods, DNS reflection, NTP amplification).
- Protects workloads using external passthrough Network Load Balancers, protocol forwarding, and VMs with public IP addresses.
- Standard network DDoS protection is always enabled; advanced protection adds deeper inspection and mitigation for these passthrough endpoints.
- Requires Cloud Armor Enterprise enrollment.
Rate Limiting
- Cloud Armor rate limiting restricts requests from clients within specified time intervals.
- Supports two actions:
  - Throttle – Enforces a maximum request limit per client or across all clients.
  - Rate-based ban – Temporarily bans clients that exceed a user-configured threshold for a configured period.
- Rate limiting keys include IP address, HTTP headers, XFF IP, and combinations of multiple keys.
- Helps mitigate brute-force attacks, credential stuffing, and application-layer DDoS.
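As an added illustration (not code from this page or from Google Cloud Armor), the following Python simulation models how the throttle and rate-based ban actions behave with the rule parameters described above (request count per interval, ban threshold and ban duration, and the key the counters are enforced on), and why the choice between IP and XFF-IP matters: when two clients sit behind one NAT address and the key is IP, they share a counter and the quiet client is throttled along with the noisy one. The fixed-window counting is this example's simplification, not Cloud Armor's implementation, and the traffic, addresses (RFC 5737 documentation ranges) and thresholds are constructed.

```python
"""Throttle vs. rate-based ban, keyed on IP or XFF-IP (added simulation, not Cloud Armor code)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    ts: float        # arrival time in seconds
    src_ip: str      # source address of the connection as the load balancer sees it
    xff: str = ""    # X-Forwarded-For header value ("" when absent)


@dataclass(frozen=True)
class RateRule:
    """Parameters modelled on the Cloud Armor rule settings (count/interval thresholds, ban duration, key)."""
    action: str                                        # "throttle" or "rate_based_ban"
    enforce_on_key: str = "IP"                         # "IP" or "XFF-IP"
    rate_limit_threshold: Tuple[int, int] = (5, 10)    # (requests, interval_sec) before exceed_action applies
    ban_threshold: Tuple[int, int] = (8, 10)           # (requests, interval_sec) before a ban; rate_based_ban only
    ban_duration_sec: int = 60
    conform_action: str = "allow"
    exceed_action: str = "deny(429)"


def client_key(req: Request, enforce_on_key: str) -> str:
    """Value the counters are keyed on. XFF-IP uses the first hop listed in X-Forwarded-For."""
    if enforce_on_key == "XFF-IP" and req.xff:
        return req.xff.split(",")[0].strip()
    return req.src_ip


class FixedWindow:
    """Per-key fixed-window counter: key -> (window_start, count)."""

    def __init__(self, interval_sec: int) -> None:
        self.interval = interval_sec
        self.state: Dict[str, Tuple[float, int]] = {}

    def hit(self, key: str, ts: float) -> int:
        start, count = self.state.get(key, (ts, 0))
        if ts - start >= self.interval:   # window expired: start a fresh one
            start, count = ts, 0
        count += 1
        self.state[key] = (start, count)
        return count


class RateLimiter:
    def __init__(self, rule: RateRule) -> None:
        self.rule = rule
        self.rate_win = FixedWindow(rule.rate_limit_threshold[1])
        self.ban_win = FixedWindow(rule.ban_threshold[1])
        self.banned_until: Dict[str, float] = {}

    def decide(self, req: Request) -> str:
        r = self.rule
        key = client_key(req, r.enforce_on_key)
        if r.action == "rate_based_ban":
            until = self.banned_until.get(key)
            if until is not None and req.ts < until:
                return "deny(banned)"         # still inside the ban period; counters are not touched
            if self.ban_win.hit(key, req.ts) > r.ban_threshold[0]:
                self.banned_until[key] = req.ts + r.ban_duration_sec
                return "deny(banned)"
        n = self.rate_win.hit(key, req.ts)
        return r.conform_action if n <= r.rate_limit_threshold[0] else r.exceed_action


def simulate(rule: RateRule, traffic: List[Request]) -> Dict[str, Counter]:
    """Run the traffic through one rule. Results are grouped by the real client (its XFF address)
    so that collateral damage from a shared source IP is visible."""
    limiter = RateLimiter(rule)
    verdicts: Dict[str, Counter] = {}
    for req in sorted(traffic, key=lambda q: q.ts):
        verdicts.setdefault(req.xff or req.src_ip, Counter())[limiter.decide(req)] += 1
    return verdicts


# Constructed traffic: two clients behind the same NAT address (203.0.113.10).
# 198.51.100.5 (per X-Forwarded-For) sends one request per second for 12 s; 198.51.100.9 sends two ordinary requests.
NAT_IP = "203.0.113.10"
TRAFFIC = [Request(ts=float(i), src_ip=NAT_IP, xff="198.51.100.5") for i in range(12)] + [
    Request(ts=3.5, src_ip=NAT_IP, xff="198.51.100.9"),
    Request(ts=9.5, src_ip=NAT_IP, xff="198.51.100.9"),
]

if __name__ == "__main__":
    for rule in (RateRule("throttle", "IP"), RateRule("throttle", "XFF-IP"), RateRule("rate_based_ban", "XFF-IP")):
        print(rule.action, "keyed on", rule.enforce_on_key)
        for client, counts in simulate(rule, TRAFFIC).items():
            print("  ", client, dict(counts))
```

Keyed on IP, the bystander 198.51.100.9 loses one of its two requests because the attacker filled the shared window; keyed on XFF-IP it is untouched, and the rate-based ban silences the attacker for the whole ban period once it crosses the ban threshold. XFF-IP is only trustworthy when the header is written by a proxy you operate, since a client can otherwise supply any X-Forwarded-For value it likes.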
Bot Management
- Cloud Armor integrates with reCAPTCHA Enterprise for bot detection and management at the network edge.
- Capabilities include:
  - Manual challenge (reCAPTCHA challenge page) – Redirects suspicious users for reCAPTCHA assessment.
  - Frictionless assessment – Filters traffic based on reCAPTCHA token scores without user interaction.
- Cloud Armor deciphers reCAPTCHA tokens inline with no additional request/response to the reCAPTCHA service.
- Based on token attributes, Cloud Armor can allow, deny, rate-limit, or redirect requests.
Google Threat Intelligence
- Provides curated threat intelligence feeds including:
  - Tor exit nodes – Known Tor exit node IP addresses.
  - Known malicious IPs – IP addresses associated with malicious activity.
  - Search engines – IP addresses of legitimate search engine crawlers.
  - VPN providers – Low-reputation VPN provider IPs.
  - Public cloud IP ranges – IP ranges from major cloud providers.
- Available with Cloud Armor Enterprise.
Hierarchical Security Policies
- Allow security policies to be configured at the organization, folder, and project levels.
- Enables centralized security teams to enforce baseline WAF and DDoS protection across multiple projects.
- Higher-level policies are evaluated before project-level policies.
- Requires Cloud Armor Enterprise enrollment.
- Generally available as of 2025.
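Added example (not code from this page or from Google): a small Python model of priority-ordered rule evaluation, first within one security policy (lowest priority number is evaluated first, the first matching rule wins, and a catch-all default rule sits at priority 2147483647), then across organization, folder and project policies in the order stated above. That the first matching rule at any level is final, and that a level with no matching rule hands the request to the next level, is this example's simplifying assumption. The policies, the IP ranges (RFC 5737 documentation ranges) and the placeholder region code "ZZ" are constructed; the shadowed project-level allow shows why a higher-level deny cannot be undone by a lower-level policy.

```python
"""Priority-ordered security-policy evaluation across org, folder and project (added simulation)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple

DEFAULT_PRIORITY = 2147483647   # priority of a policy's catch-all default rule (lowest precedence)


@dataclass(frozen=True)
class Request:
    src_ip: str
    path: str
    region_code: str = "US"     # country the edge would geo-locate the client to


@dataclass(frozen=True)
class Rule:
    priority: int                       # lower number = evaluated earlier
    action: str                         # "allow", "deny(403)", "deny(404)", ...
    match: Callable[[Request], bool]
    description: str = ""


def in_ip_range(*cidrs: str) -> Callable[[Request], bool]:
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.src_ip) in n for n in nets)


def from_region(*codes: str) -> Callable[[Request], bool]:
    return lambda r: r.region_code in codes


def path_prefix(prefix: str) -> Callable[[Request], bool]:
    return lambda r: r.path.startswith(prefix)


def all_of(*preds: Callable[[Request], bool]) -> Callable[[Request], bool]:
    return lambda r: all(p(r) for p in preds)


def match_all(_r: Request) -> bool:
    return True


@dataclass
class SecurityPolicy:
    name: str
    rules: List[Rule]

    def evaluate(self, req: Request) -> Optional[Rule]:
        """First rule that matches, in ascending priority order, decides; None if nothing matched."""
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.match(req):
                return rule
        return None


def evaluate_hierarchy(levels: Sequence[SecurityPolicy], req: Request) -> Tuple[str, str, int]:
    """Walk the policies in the order given (org, folder, project). This example's assumption:
    the first matching rule at any level is final; a level with no match hands the request down."""
    for policy in levels:
        hit = policy.evaluate(req)
        if hit is not None:
            return policy.name, hit.action, hit.priority
    return "none", "allow", DEFAULT_PRIORITY   # no policy matched at all


# Constructed policies: 203.0.113.0/24 plays a known-bad range, 198.51.100.0/24 the corporate range,
# and "ZZ" is a placeholder region code.
ORG = SecurityPolicy("org-baseline", [
    Rule(1000, "deny(403)", in_ip_range("203.0.113.0/24"), "org-wide block of a known-bad range"),
])
FOLDER = SecurityPolicy("folder-prod", [
    Rule(500, "allow", all_of(path_prefix("/admin"), in_ip_range("198.51.100.0/24")), "admin paths only from corp"),
    Rule(1000, "deny(404)", path_prefix("/admin"), "hide admin paths from everyone else"),
])
PROJECT = SecurityPolicy("project-web", [
    Rule(10, "allow", in_ip_range("203.0.113.0/24"), "partner allow: shadowed by the org-level deny"),
    Rule(100, "deny(403)", from_region("ZZ"), "geo block on the placeholder region"),
    Rule(DEFAULT_PRIORITY, "allow", match_all, "default rule"),
])
HIERARCHY = [ORG, FOLDER, PROJECT]

if __name__ == "__main__":
    for req in (Request("203.0.113.7", "/"), Request("198.51.100.4", "/admin/login"),
                Request("192.0.2.9", "/admin/login"), Request("192.0.2.9", "/", "ZZ"), Request("192.0.2.9", "/")):
        print(req, "->", evaluate_hierarchy(HIERARCHY, req))
```

On its own, the project policy would allow 203.0.113.7 (its priority-10 rule matches first); evaluated behind the organization policy, the org-level deny is reached first and the project-level allow never runs, which is the centralized enforcement the section describes.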
DDoS Protection and Mitigation Best Practices
Reduce the Attack Surface
- Provision an isolated and secure network using Google Cloud VPC.
- Isolate and secure using subnetworks and networks, firewall rules, tags, and IAM.
- Open access for only required ports and protocols using firewall rules and/or protocol forwarding.
- Anti-spoofing protection for the private network (IP addresses) is provided by default.
- Google Cloud automatically provides isolation between virtual networks.
Isolate the Internal Traffic from the External World
- Deploy instances without public IPs unless necessary.
- Set up a NAT gateway or SSH bastion to limit the number of instances that are exposed to the internet.
- Deploy Internal Load Balancing for the internal client instances accessing internally deployed services to avoid exposure to the external world.
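Added example (not a Google tool and not from this page): a Python audit for the "open only required ports" and "limit what is exposed to the internet" points above. It reads firewall rules shaped like the Compute Engine Firewall resource (the JSON that `gcloud compute firewall-rules list --format=json` returns) and reports every enabled ingress allow rule that admits 0.0.0.0/0 or ::/0 on anything outside an approved (protocol, port) list. The sample rules and the approved list are constructed.

```python
"""Audit VPC firewall rules for needless internet exposure (added example, not a Google tool)."""
import ipaddress
import json
from typing import Dict, Iterable, List, Optional, Set, Tuple

WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def is_world_open(source_ranges: Iterable[str]) -> bool:
    """True if any source range is the entire IPv4 or IPv6 internet."""
    return any(ipaddress.ip_network(c, strict=False) in WORLD for c in source_ranges)


def expand_ports(spec: Dict) -> Optional[Set[int]]:
    """Port set for one 'allowed' entry; None means every port (no "ports" key, e.g. icmp or "all")."""
    if "ports" not in spec:
        return None
    ports: Set[int] = set()
    for p in spec["ports"]:
        if "-" in p:                      # ranges are written "8000-8100"
            lo, hi = (int(x) for x in p.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(p))
    return ports


def summarize(ports: List[int]) -> str:
    """Collapse a sorted port list into ranges: [22, 8000, 8001, 8002] -> '22,8000-8002'."""
    runs: List[Tuple[int, int]] = []
    start = prev = ports[0]
    for p in ports[1:]:
        if p != prev + 1:
            runs.append((start, prev))
            start = p
        prev = p
    runs.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)


def audit(rules: List[Dict], approved: Set[Tuple[str, int]]) -> List[Tuple[str, str, str]]:
    """(rule name, protocol, ports) for each enabled INGRESS allow rule that admits the whole
    internet on something outside the approved (protocol, port) set."""
    findings: List[Tuple[str, str, str]] = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue                      # disabled rules and egress rules expose nothing
        if not is_world_open(rule.get("sourceRanges", [])):
            continue                      # scoped to specific sources, e.g. a bastion range
        for spec in rule.get("allowed", []):
            proto = spec["IPProtocol"].lower()
            ports = expand_ports(spec)
            if ports is None:
                findings.append((rule["name"], proto, "all ports"))
                continue
            extra = sorted(ports - {port for p, port in approved if p == proto})
            if extra:
                findings.append((rule["name"], proto, summarize(extra)))
    return findings


# Constructed sample in the shape of the Compute Engine Firewall resource.
SAMPLE_RULES = json.loads("""[
 {"name": "allow-https", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}], "targetTags": ["web"]},
 {"name": "allow-ssh-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "allow-ssh-bastion", "direction": "INGRESS", "sourceRanges": ["198.51.100.0/24"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["bastion"]},
 {"name": "allow-all-udp", "direction": "INGRESS", "sourceRanges": ["::/0"],
  "allowed": [{"IPProtocol": "udp"}]},
 {"name": "old-debug", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"], "disabled": true,
  "allowed": [{"IPProtocol": "tcp", "ports": ["8000-8100"]}]},
 {"name": "egress-all", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "all"}]}
]""")
APPROVED = {("tcp", 80), ("tcp", 443)}   # the only services meant to face the internet

if __name__ == "__main__":
    for name, proto, ports in audit(SAMPLE_RULES, APPROVED):
        print(f"{name}: {proto} {ports} open to the whole internet")
```

Against the sample, only the world-open SSH rule and the UDP-from-anywhere rule are reported; the bastion-scoped SSH rule, the disabled debug rule and the egress rule are correctly ignored. Feeding real `gcloud` output into `audit()` gives the same list for a project.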
DDoS Protection using Proxy-based Load Balancing
- With HTTP(S) Load Balancing or SSL proxy Load Balancing, Google infrastructure mitigates and absorbs many Layer 4 and other attacks, such as SYN floods, IP fragment floods, port exhaustion, etc.
- HTTP(S) Load Balancing with instances in multiple regions can help disperse the attack across instances around the globe.
- Attach Cloud Armor security policies to backend services behind the load balancer for Layer 7 DDoS protection and WAF capabilities.
Scale to Absorb the Attack
- Google Frontend Infrastructure – GFE
  - With Google Global Cloud Load Balancing, the GFE terminates user traffic and automatically scales to absorb certain types of attacks (e.g., SYN floods) before they reach the compute instances.
- Anycast-based Load Balancing
  - HTTP(S) Load Balancing and SSL proxy Load Balancing enable a single anycast IP to front-end the deployed backend instances in all regions.
  - User traffic is directed to the closest backend with capacity.
  - In the event of a DDoS attack, this increases the surface area available to absorb the attack by moving traffic to instances with available capacity in any region where backends are deployed.
- Autoscaling
  - A sufficient number of backend instances should be provisioned and autoscaling configured to handle spikes in traffic.
  - In the event of a sudden traffic spike, the load balancing proxy layer distributes the traffic across all the backends with available capacity.
  - In parallel, the autoscaler ramps up the backends in line with the traffic that needs to be handled.
DDoS Protection with CDN Offloading
- Cloud CDN acts as a proxy between the clients and the origin servers.
- For cacheable content, Cloud CDN caches and serves this content from points-of-presence (POPs) closer to the users as opposed to sending them to backend servers (instances).
- In the event of a DDoS attack on cacheable content, requests are served from POPs all over the globe rather than from the origin servers, providing a larger set of locations to absorb the attack.
- Media CDN can also be used for streaming and large-scale content delivery with built-in DDoS protection.
Deploy Cloud Armor Security Policies
- Use Cloud Armor security policies to define rules for allowing, denying, throttling, or redirecting traffic.
- Enable Adaptive Protection for ML-based L7 DDoS detection and automatic rule recommendations.
- Configure rate limiting rules to protect against volumetric application-layer attacks and brute-force attempts.
- Use preconfigured WAF rules to protect against OWASP Top 10 attacks (SQL injection, XSS, etc.).
- Leverage Google Threat Intelligence feeds to block known malicious IPs and Tor exit nodes.
- Third-party DDoS protection solutions can also be deployed from Google Cloud Marketplace.
App Engine Deployment
- App Engine is designed to be a fully multi-tenant system and implements a number of safeguards intended to ensure that a single bad application will not impact the performance or availability of other applications.
- App Engine sits behind the GFE which mitigates and absorbs many Layer 4 and below attacks, such as SYN floods, IP fragment floods, port exhaustion, etc.
- Use App Engine firewall rules to specify IP addresses/ranges to block from accessing the application(s).
- Note: The legacy dos.yaml configuration was deprecated and shut down in April 2022. DoS rules were auto-migrated to App Engine Firewall rules.
Google Cloud Storage
- Use Signed URLs to control access if users do not need a Google account to access Google Cloud Storage resources.
API Rate-limiting and Resource Quotas
- API rate limits define the number of requests that can be made to the Google Compute Engine API.
- Compute Engine enforces quotas on resource usage to protect the community of Google Cloud users by preventing unforeseen spikes in usage.
GCP Certification Exam Practice Questions
- Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
- GCP services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
- GCP exam questions are not updated to keep up the pace with GCP updates, so even if the underlying feature has changed, the question might not be updated.
- Open to further feedback, discussion and correction.
Question 1: Your company hosts a web application on Google Cloud behind a Global External Application Load Balancer. You need to protect the application from Layer 7 DDoS attacks with minimal manual intervention. What should you do?
- Enable Cloud Armor Standard and create IP denylist rules manually
- Subscribe to Cloud Armor Enterprise and enable Adaptive Protection
- Deploy a third-party DDoS solution from Google Cloud Marketplace
- Configure autoscaling to absorb all attack traffic
Answer: B
Cloud Armor Enterprise with Adaptive Protection uses machine learning to automatically detect L7 DDoS attacks and recommend (or auto-deploy) mitigation rules, requiring minimal manual intervention.
Question 2: You need to protect VMs with public IP addresses and external passthrough Network Load Balancers from volumetric network DDoS attacks. Which Cloud Armor feature should you enable?
- Adaptive Protection
- Rate Limiting
- Advanced Network DDoS Protection
- Preconfigured WAF rules
Answer: C
Advanced Network DDoS Protection specifically defends passthrough endpoints (external passthrough NLB, protocol forwarding, VMs with public IPs) against volumetric network and protocol DDoS attacks. It requires Cloud Armor Enterprise.
Question 3: Your organization wants to enforce baseline DDoS protection and WAF rules across all projects in a specific folder. What Cloud Armor feature should you use?
- Rate limiting rules at the project level
- Hierarchical security policies
- Google Threat Intelligence named IP lists
- Network edge security policies
Answer: B
Hierarchical security policies allow configuring Cloud Armor WAF and DDoS protection at the organization, folder, and project level, enabling centralized enforcement across multiple projects.
Question 4: You want to distinguish between human users and automated bots accessing your application behind Cloud Armor. Which feature combination should you use?
- Rate limiting with IP-based throttling
- Cloud Armor bot management with reCAPTCHA Enterprise integration
- Google Threat Intelligence Tor exit node blocking
- Preconfigured WAF rules for OWASP Top 10
Answer: B
Cloud Armor bot management integrates with reCAPTCHA Enterprise to assess incoming requests using advanced risk analysis, distinguishing between human users and automated clients with frictionless assessment or manual challenges.
Question 5: Which of the following are included in Cloud Armor Standard without requiring Cloud Armor Enterprise? (Choose TWO)
- Always-on L3/L4 DDoS protection for load-balanced endpoints
- Adaptive Protection with automatic rule deployment
- Preconfigured WAF rules for OWASP Top 10
- Advanced Network DDoS Protection for passthrough endpoints
- DDoS bill protection credits
Answer: A, C
Cloud Armor Standard includes always-on L3/L4 DDoS protection and access to preconfigured WAF rules. Adaptive Protection (full), Advanced Network DDoS Protection, and DDoS bill protection require Cloud Armor Enterprise.