Protecting Web Apps using Cloud Armor
Protecting Web Apps using Cloud Armor
Cloud Armor is an enterprise-grade DDoS service and web application firewall (WAF) designed to protect your web applications from denial-of-service and other web attacks. Cloud Armor protects web apps deployed on GCP, on-prem, or other third-party cloud providers. It leverages Google’s extensive experience in protecting their key services such as Google Search, YouTube, and Gmail, to deliver inbuilt defense against L3 and L4 DDoS attacks at the Google scale. It has also been equipped to mitigate against OWASP’s top 10 risks. It is seamlessly integrated with the global load balancing infrastructure, and it offers top-notch security for Cloud CDN-enabled workloads. How exactly does this service protect your web apps?
Cloud Armor has no fixed procedure for handling threats. It has a machine learning system, which you train on your HTTP-fronted web apps to automatically detect and combat high volume L7 DDoS attacks. In this way, Cloud Armor’s protection is adaptive. For common web app vulnerabilities and OWASP’s top 10 risks, Cloud Armor has pre-configured WAF rules to protect your applications. This service is also integrated with the reCAPTCHA enterprise to provide automated protection against bots.
You can also filter incoming requests by geography. This service will also grant you access to real-time telemetry in form of logs, sent directly to cloud logging. These contain Cloud Armor’s decisions per request basis.
Cloud Armor for Cloud CDN
Cloud Armor for Cloud CDN initiates protection from the origin server level. Backend services with Cloud CDN enabled can be protected by Cloud Armor. Cloud CDN plays an important role in catching data at the edge of Google’s network to avail content to users quickly and at a cheaper serving cost. This means that Cloud CDN will handle serving requests for web apps’ static content during an attack, but for dynamic content, requests have to go to the origin server. To prevent unwelcomed requests from overwhelming the origin server’s resources, you need a WAF service coupled with L7 filtering policies to minimize risk and prevent DDoS.
This is where Cloud Armor comes in, you can configure its security policies to protect backend services with Cloud CDN enabled. These policies will be enforced for every request destined to the origin server, including static content that misses the cache. It can inspect and filter requests after SSL termination. All of this can be enabled in your Google Cloud Load Balancing configuration.
As a large enterprise, it is impossible to have all your web apps on a single public cloud or VPC. It is common to have services spread across multiple clouds. In addition, some services bear local data processing, data sovereignty, and regional compliance needs, which prevent them from completely moving to the cloud. Despite having services in a hybrid cloud and multiple clouds, security needs to be consistent across all deployments.
You can now leverage the capabilities of Cloud Armor to defend and maintain the availability of all your deployments anywhere provided they are accessible over the public internet. Just like Cloud Armor for CDN, this is also configurable on the Google Cloud Load Balancing backend. You can now safely deploy web apps on-prem, on the cloud, and hybrid cloud.
You may also like…
Google Cloud Managed Service for Prometheus (2021)
Prometheus utilizes powerful tools such as Grafana to provide observability across Kubernetes deployments. As you scale up, it can become challenging to configure and…
Cloud IDS (New GCP Feature 2021)
Cloud Intrusion Detection System (IDS) is Google Cloud’s solution for detecting network-based threats at both the network and application layers. This includes…
Cloud Logging and Monitoring
Cloud-Protokollierung und -Überwachung ist der Prozess der Speicherung von Protokollen über alle Cloud-Produkte hinweg mit der Möglichkeit der Suche, Überwachung und Alarmierung auf der Grundlage...
Nimm Kontakt auf
Bist du bereit, dein nächstes Projekt mit uns zu starten? Rufe uns an oder sende uns eine E-Mail und wir werden uns so schnell wie möglich bei dir melden!