Google Cloud Armor

Security: Edge WAF and DDoS Protection

Google Cloud Armor is a security service that blocks malicious requests and large-scale attacks in front of public services. You attach WAF rules, geographic policies, and rate limits directly to Cloud Load Balancing.

Why do you need it?

Once a service is public, normal users are mixed with scanners and attack traffic. If those requests reach the backend unchanged, both cost and outage risk grow quickly.

Why did this approach emerge?

Teams once operated separate firewalls and WAF appliances on their own. As cloud services consolidated traffic behind global front doors, applying managed L7 security at that same edge became the natural model.

How does it work inside?

Cloud Armor works as a security policy attached to Cloud Load Balancing. Each request is evaluated against WAF rules, IP or geography conditions, and rate limits before any allowed request is sent to the backend service.
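The evaluation order described above, written as a Terraform security policy. This is an added example, not configuration from the original page; the policy name, the placeholder region code 'XX', and the rate-limit numbers are constructed assumptions.

```hcl
# Added example. Name, region code and thresholds are constructed placeholders.
resource "google_compute_security_policy" "edge" {
  name = "example-edge-policy" # hypothetical name

  # Rules are evaluated in ascending priority order; the first match decides.
  rule {
    priority = 1000
    action   = "deny(403)" # geography condition, 'XX' is a placeholder code
    match {
      expr { expression = "origin.region_code == 'XX'" }
    }
  }

  rule {
    priority = 2000
    action   = "deny(403)" # preconfigured WAF rule set for SQL injection
    preview  = true        # log matches without blocking while tuning
    match {
      expr { expression = "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})" }
    }
  }

  rule {
    priority = 3000
    action   = "throttle" # rate limit keyed on client IP
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)"
      enforce_on_key = "IP"
      rate_limit_threshold {
        count        = 100 # constructed: requests allowed per interval
        interval_sec = 60
      }
    }
  }

  rule {
    priority = 2147483647 # default rule, reached only if nothing above matched
    action   = "allow"
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
  }
}
```

The policy takes effect once a load balancer backend service references it through its `security_policy` argument. Keeping a new WAF rule in `preview` lets you check the logged matches for false positives before it starts denying traffic.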

What is it often confused with?

Cloud Armor and Cloud IAM both restrict access, but Cloud Armor filters public HTTP(S) traffic at the edge while Cloud IAM controls API and resource permissions for identities. Use Cloud Armor when the problem is internet request patterns; use IAM when the problem is what users or service accounts are allowed to do.

When should you use it?

Cloud Armor is well suited to protecting public APIs, web applications, and multi-region services. It does not replace service-to-service authentication or identity-based authorization inside the backend.

OWASP protection, L7 DDoS mitigation, Geo restrictions, Bot control