On Wednesday, Google introduced a new DDoS protection service called Cloud Armor. In a blog post from Google Cloud Platform (GCP), the company rolled it out alongside several new security services, including new VPC Service Controls in Google Cloud Platform, which further protect data in big data services and API-based storage.
Along with providing DDoS protection, Cloud Armor is also an application defense service that is based on the same technologies and global infrastructure that the company uses to protect its other products, such as Gmail, YouTube and Search.
Cloud Armor works with Cloud HTTP(S) Load Balancing, provides IPv4 and IPv6 whitelisting/blacklisting, defends against application-aware attacks, including cross-site scripting (XSS) and SQL injection (SQLi), and supplies geography-based access control. In order to activate the service, users simply need to configure load balancing.
Global HTTP(S) Load Balancing offers built-in defense against infrastructure DDoS attacks. According to GCP, “Cloud Load Balancing can put your resources behind a single anycast IP and scale your resources up or down with intelligent Autoscaling. Cloud Load Balancing comes in a variety of flavors and is integrated with Google Cloud CDN for optimal application and content delivery.”
Google’s “Rich Rules Language” and global enforcement engine underpin Cloud Armor, enabling the creation of customized defenses. Any combination of Layer 3 to Layer 7 parameters and geolocation can be used to protect a deployment against multivector attacks. Predefined rules can also be used to defend against cross-site scripting (XSS) and SQL injection. Currently, only selected customers have access to Alpha features for a limited test period, but the company says they “will be more generally available soon”.
IP-based Access Control enforces access control based on IPv4 and IPv6 addresses or CIDRs.
Cloud Armor also offers visibility into which traffic has been blocked and which has been allowed through. Traffic data is sent to Stackdriver Logging as each incoming request comes through, along with the action taken on that request by the Cloud Armor rule. Enabling Preview mode lets the user understand service access patterns before fully enabling policies, ensuring that the right traffic sources are being blocked and/or let through.
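The sketch below is an added example, not Google's code and not Cloud Armor's rule language or log format. It models the two ideas described above: IPv4/IPv6 CIDR rules, and a preview flag that records what a rule would do without enforcing it. The `Rule` fields, first-match ordering, default-allow behaviour and log keys are assumptions of this model, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    cidr: str              # IPv4 or IPv6 network in CIDR notation
    action: str            # "allow" or "deny"
    preview: bool = False  # True: log the would-be action, do not enforce

DEFAULT_ACTION = "allow"   # assumption: unmatched traffic is allowed

# Constructed sample policy; rules are checked in list order (assumption).
POLICY = [
    Rule("203.0.113.0/24", "deny"),
    Rule("2001:db8:bad::/48", "deny", preview=True),
    Rule("198.51.100.0/24", "deny", preview=True),
]

def evaluate(client_ip, policy=POLICY):
    """Return (enforced_action, log_entry) for one request."""
    addr = ipaddress.ip_address(client_ip)
    previewed = []
    enforced, matched = DEFAULT_ACTION, None
    for rule in policy:
        net = ipaddress.ip_network(rule.cidr)
        if addr.version != net.version or addr not in net:
            continue
        if rule.preview:
            # Preview rules only leave a trace in the log entry.
            previewed.append({"cidr": rule.cidr, "would": rule.action})
            continue
        enforced, matched = rule.action, rule.cidr
        break
    return enforced, {"ip": client_ip, "enforced": enforced,
                      "matched": matched, "preview": previewed}

def preview_impact(client_ips, policy=POLICY):
    """Count allowed requests that each preview rule would have denied."""
    hits = {}
    for ip in client_ips:
        enforced, log = evaluate(ip, policy)
        for p in log["preview"]:
            if enforced == "allow" and p["would"] == "deny":
                hits[p["cidr"]] = hits.get(p["cidr"], 0) + 1
    return hits

# Constructed request sources for the demonstration.
SAMPLE = ["203.0.113.7", "2001:db8:bad::1", "198.51.100.20",
          "198.51.100.21", "192.0.2.5", "2001:db8:1::1"]

if __name__ == "__main__":
    print(preview_impact(SAMPLE))
```

Reviewing the per-rule counts before clearing the preview flag shows how much currently allowed traffic each rule would start blocking.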
Google quotes Matt Hite, network engineer at Evernote. “Cloud Armor is a great example of how Google continues to innovate on its pervasive defense-in-depth security strategy, providing a rich layer of security control that can be managed at the network edge.”
Pricing is set at $5 per Cloud Armor policy per month, with a charge of $1 per rule per policy per month. Incoming requests are priced at $0.75 per million HTTP(S) requests. A free trial is available.