Security
Cloud Armor
WAF and DDoS protection for GCP workloads
AWS equivalent
AWS Shield + WAF
AWS → GCP: Key Differences
- ▸
Cloud Armor ≈ AWS Shield Standard + AWS WAF combined.
- ▸
Integrated at the Google network edge — DDoS traffic is absorbed before it reaches your infrastructure.
- ▸
Adaptive Protection: ML-based automatic detection and suggested rules for L7 DDoS attacks.
Key Concepts to Know
- 1
Security policies are attached to the backend services of an external Application (HTTP(S)) Load Balancer; rules are evaluated at the Google edge, before the request is forwarded to the backend.
- 2
Preconfigured WAF rules based on the OWASP ModSecurity Core Rule Set (SQLi, XSS, LFI, RFI, RCE, protocol attacks and more), each with a tunable sensitivity level. You enable a rule set by adding a rule whose expression calls evaluatePreconfiguredWaf(); start at the lowest sensitivity and raise it only after checking logs for false positives.
- 3
Custom rules: CEL expressions over request attributes (client IP via inIpRange(origin.ip, ...), country via origin.region_code, headers, path, SNI) with allow, deny, redirect, throttle or rate-based-ban actions. This covers IP allowlists and blocklists, geo-blocking and rate limiting.
- 4
Adaptive Protection: learns a per-backend traffic baseline and flags anomalous L7 traffic with an attack signature and a suggested rule. Suggested rules are not enforced unless you deploy them (or opt into automatic deployment); attack signatures and suggested rules require the Cloud Armor Enterprise tier (formerly Managed Protection Plus), while the Standard tier only receives basic alerts.
- 5
Preview mode (--preview on a rule): the rule is evaluated and logged as if it had matched, but not enforced. Review the load balancer log entries (previewSecurityPolicy) to see what would have been blocked, then remove the flag to enforce.
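The five concepts above as one gcloud script, added here as an example and not taken from the original page or from Google's own documentation. The project id, policy name, backend service name and the /login path are assumptions; replace them. The script prints the commands by default (DRY_RUN=1) and executes them when DRY_RUN=0. It creates a policy, adds a CRS-based SQLi/XSS rule in preview mode, a Thailand-only geo rule, an IP-keyed rate limit on the login path, and attaches the policy to a global backend service.

```shell
#!/bin/sh
# Added example (not from the original page): build a Cloud Armor policy with
# gcloud and attach it to a backend service. All names below are assumptions.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it.
set -eu

PROJECT="${PROJECT:-my-project}"        # assumed project id
POLICY="${POLICY:-shop-edge-policy}"    # assumed policy name
BACKEND="${BACKEND:-shop-backend}"      # assumed global backend service
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Create the policy. Its implicit default rule (priority 2147483647) allows
# everything, so the rules below decide what gets blocked.
create_policy() {
  run gcloud compute security-policies create "$POLICY" \
    --project="$PROJECT" \
    --description="WAF, geo and rate limit for the shop load balancer"
}

# Priority 1000: preconfigured WAF rules (OWASP CRS 3.3 based) for SQLi and XSS
# at the lowest sensitivity. --preview logs matches without enforcing them;
# drop the flag once the logs show no false positives.
add_waf_rules() {
  run gcloud compute security-policies rules create 1000 \
    --project="$PROJECT" --security-policy="$POLICY" \
    --expression="evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1}) || evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})" \
    --action=deny-403 \
    --preview
}

# Priority 2000: geo restriction. region_code is the ISO 3166-1 alpha-2 code
# derived from the client IP, so this is a coarse control, not authentication.
add_geo_rule() {
  run gcloud compute security-policies rules create 2000 \
    --project="$PROJECT" --security-policy="$POLICY" \
    --expression="origin.region_code != 'TH'" \
    --action=deny-403
}

# Priority 3000: throttle the login path to 20 requests per minute per client
# IP. --enforce-on-key can instead be HTTP-HEADER, HTTP-COOKIE, XFF-IP,
# HTTP-PATH, SNI or REGION-CODE (with --enforce-on-key-name for header/cookie)
# when many users share one IP behind NAT.
add_rate_limit() {
  run gcloud compute security-policies rules create 3000 \
    --project="$PROJECT" --security-policy="$POLICY" \
    --expression="request.path.matches('^/login')" \
    --action=throttle \
    --rate-limit-threshold-count=20 \
    --rate-limit-threshold-interval-sec=60 \
    --conform-action=allow \
    --exceed-action=deny-429 \
    --enforce-on-key=IP
}

# Attach the policy to the backend service behind the external Application LB.
attach_policy() {
  run gcloud compute backend-services update "$BACKEND" \
    --project="$PROJECT" --global \
    --security-policy="$POLICY"
}

apply_all() {
  create_policy
  add_waf_rules
  add_geo_rule
  add_rate_limit
  attach_policy
}

apply_all
```

Run it once with the default DRY_RUN=1 to review the commands, then with DRY_RUN=0 to apply. Keep the WAF rule in preview for a few days of real traffic before removing --preview; the geo and rate-limit rules are narrow enough to enforce immediately.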
DCE Interview Tips
- ★
For Thai e-commerce or banking: 'Cloud Armor provides WAF and DDoS protection at the Google edge — before traffic even reaches your application.'
- ★
'Geo-blocking lets you restrict the application to traffic from Thailand (a rule on origin.region_code), which Thai financial services regulators commonly expect.' Add the caveat that the region is derived from client IP geolocation, so it is a coarse control that VPNs and proxies can evade, not a substitute for authentication.
Common Gotchas
- !
Cloud Armor only protects traffic that arrives through a supported external load balancer: backend security policies on the external Application Load Balancer (and, with fewer rule features, the external proxy Network Load Balancer), plus Enterprise-tier network edge policies for the external passthrough Network Load Balancer. It does nothing for internal load balancers or for clients that reach a VM's external IP directly; close those paths with VPC firewall rules and by giving backends no public IP.
- !
Rate limiting in Cloud Armor is keyed on the client IP by default, not on a user session. Behind NAT or carrier-grade NAT many users share one IP and get throttled together, and an attacker with many IPs is not slowed. The key can instead be an HTTP header, a cookie, the X-Forwarded-For IP, the path, the SNI or the region code (--enforce-on-key plus --enforce-on-key-name), so pick the key that matches how your clients are identified.