2

I am wondering how Cloud Armor works. Is DDoS protection enabled by default when I create "empty rule in policy" (allow all trafic)? Or is DDoS protection only part of HTTP(s) Load Balancer?

There is my notes:

  • HTTP(s) Load Balancer have basic DDoS protection by default like SYN floods, IP fragment floods, port exhaustion, etc...
  • Cloud Armor adding extra protection by default just by "empty policy" specification
  • You can do extra filtering base on IP locations etc in Cloud Armor for better protection
  • In every scenarios you need to consider GCS Signed url, WAF, VPC, IAM, internal network etc. for best results - also make secured app on the end (captcha protection for first view etc)
  • If its still not enough, you can use partner solutions

Can You please tell me where I am wrong and what is your best advice how to protect your network in GCP? Thanks.

Lukáš Prudil
  • 33
  • 5
  • `what is your best advice how to protect your network in GCP?` Still the same question in security: protect against what? WHich risk do you want to mitigate? Can you share more? – guillaume blaquiere Jun 19 '20 at 13:19
  • @guillaumeblaquiere I would like to protect our Load Balancer against DDoS. Which for me is some logic what is doing in CloudFare and similar services. For example block access or show captcha when is too many request from single IP (and same agent) we be good start for me. Thanks – Lukáš Prudil Jun 22 '20 at 08:04

1 Answers1

0

Even though the HTTP(S) load balancer offers some of the DDoS mitigation features you're mentioning, DDoS encompasses a lot of different attack vectors, hence there's no feature to "block all DDoS" but to provide protection on some specific common attacks:

When you enable HTTP(S) Load Balancing or SSL proxy Load Balancing, Google infrastructure mitigates and absorbs many Layer 4 and below attacks, such as SYN floods, IP fragment floods, port exhaustion, etc.

Considering the diverse nature of DDoS attacks, Cloud Armor is meant to complement and expand this protection and to adapt to specific needs on the user's projects.

On the specific regard of setting an "empty policy" and get an extra layer of protection: Even though some products support setting empty policies (like IAM), the Cloud Armor API reference doesn't seem to be accepting it, so this doesn't seem to add any extra protection.

Not sure where you get that but the Cloud Armor "adding an extra filtering [...] for better protection" part seems to be on point: You need to configure policies according to your needs in order to improve security. I think the confusiong might be related to Cloud Armor working thightly coupled with the HTTP(S) load balancer.

Finally on "best advice on how to protect your network", sounds really opinion-based and might need some concrete details to improve it. However, in this context, I think you might benefit from a GCP paper on DDoS that is a bit outdated (2016) but it includes all the products that you're mentioning and based on your comment, might be what you're looking for.

yyyyahir
  • 2,262
  • 1
  • 5
  • 14