
Regionally-Scoped Google’s Cloud Armor Security Policies

Google announced the general availability of regionally-scoped security policies for Google Cloud Armor, Google's premier DDoS defense and Web Application Firewall (WAF) solution.

A Distributed Denial-of-Service (DDoS) attack is a malicious attempt to overwhelm a targeted server, network, or device with an excessive influx of traffic, rendering it unavailable to legitimate users. The sheer volume of traffic exhausts the target's resources, causing it to crash or cease functioning altogether. DDoS attacks can be classified into two main categories based on their attack vector:

  1. Network Layer Attacks (L3/L4): These attacks focus on the target system's network layer, disrupting its packet and communication flow. Common techniques include SYN floods, UDP floods, and Ping of Death attacks.
  2. Application Layer Attacks (L7): These attacks exploit vulnerabilities in the application layer of the target system, flooding it with requests that consume its processing resources. Examples include HTTP floods, Slowloris attacks, and DNS amplification attacks.

Regionally-scoped Cloud Armor policies go beyond traditional global DDoS protection, providing a layered defense tailored to regional workloads. These policies harness the power of rate limiting and L7 filtering rules to effectively mitigate volumetric DDoS attacks, ensuring that regional web and API applications remain resilient in the face of malicious traffic spikes. Additionally, these policies incorporate comprehensive WAF capabilities, safeguarding against common OWASP Top 10 web application and API vulnerabilities.


Configuration panel for regional scope security policies (reference here)


In today's data-centric world, data sovereignty and compliance are paramount, particularly for businesses operating in regulated industries. Regionally-scoped Cloud Armor policies align seamlessly with data residency requirements, ensuring regional workloads comply with local regulations. With these policies, businesses can confidently deploy their regional web and API applications within specific Google Cloud regions, ensuring that sensitive data remains within the country's borders and adheres to data privacy laws.

Google Cloud Armor's regionally-scoped policies offer cost-effective protection for regional workloads. Standard-tier users can utilize these policies starting at $0.60 per million requests, providing a flexible and affordable solution for protecting web and API applications within specific regions. Managed Protection Plus tier customers benefit from the flexibility to deploy global or regional policies as part of their subscription, catering to their diverse security needs.

As businesses increasingly adopt multi-regional deployments, regionally-scoped Cloud Armor policies provide an approach to securing their web and API workloads. These policies enable businesses to tailor their security posture to each region, ensuring their applications adhere to local regulations while maintaining consistent protection across their global infrastructure.

Other major cloud providers offer comparable solutions to Cloud Armor. Both AWS and Azure split Cloud Armor's capabilities across two distinct services: AWS has AWS Shield (for L3/L4) and AWS WAF (for L7), while Azure has Azure DDoS Protection, which safeguards against network layer (L3/L4) attacks, and Azure WAF, which protects the application layer (L7).
