Skip to main content

3 new Google Cloud Armor features to protect websites, apps


Google recently released three new features to simplify the way you can use Cloud Armor to help protect your websites and applications from exploit attempts as well as distributed denial-of-service (DDoS) attacks.

With the seemingly never-ending list of threats, keeping your websites and applications secure is a constant challenge. Over the first half of this year, Google has made several critical features and capabilities generally available for Google Cloud Armor including WAF rules, geo-based access controls, a custom rules language, support for CDN Origins servers and support for hybrid deployment scenarios. 

This time around, Google announced: 

  1. The beta release of Cloud Armor Managed Protection Plus, a bundle of products and services that helps protect your internet-facing applications for a predictable monthly subscription fee. 
  2. Google-curated Named IP Lists available as a beta. 
  3. The expansion of Google’s set of pre-configured WAF rules by launching beta rules for Remote File Inclusion (RFI), Local File Inclusion (LFI) and Remote Code Execution (RCE).

Cloud Armor Managed Protection Plus

Cloud Armor Managed Protection Plus leverages the edge of Google’s network, as well as a set of products and services from across Google Cloud, to help protect your applications from DDoS attacks and targeted exploit attempts. With Managed Protection, you can now benefit from the same scale and expertise Google employs to protect your applications and mission critical services from malicious activity on the internet.

Managed Protection is available in two service tiers: Standard and Plus. All existing Cloud Armor users, as well as workloads behind any of Google’s global load balancers, are automatically enrolled in Managed Protection Standard. At this level, you get Google-scale volumetric and protocol-based DDoS protection for any of your globally load balanced applications and services, as well as access to Cloud Armor WAF and layer 7 (L7) filtering capabilities including the pre-configured WAF rules subject to usage based pricing based on rules, policies and requests. 

Cloud Armor Managed Protection Plus which is now in beta is a subscription service with a predictable, enterprise-friendly monthly pricing model that mitigates cost risk from defending against a large L7 DDoS attack. Managed Protection Plus streamlines and bundles in DDoS protection, Cloud Armor WAF and other future value added services. Customers that subscribe to Managed Protection Plus will get access to DDoS and WAF services and curated rule sets for a predictable monthly price based on the size of a deployment. Since Cloud Armor WAF usage is included in Managed Protection Plus, subscribers no longer need to worry about the number of queries processed or the size of an L7 attack. Managed Protection Plus subscribers will also have access to a growing list of advanced capabilities including Named IP Lists and future Google-curated rule sets and services. 

Named IP Lists 

Named IP Lists, now in beta, are Google-curated rule sets containing a pre-configured list of IP addresses that can be referenced and reused across policies and projects. Google is starting with providing Named IP Lists that have source IP ranges for common upstream service providers that many of its users would want to allow through their Cloud Armor security policies.

Customers often have to configure Cloud Armor security policies with a large set of IP ranges to allow traffic from an upstream provider. With Named IP Lists, customers no longer have to self-manage the list of their upstream providers’ IP addresses and instead can rely on Google to curate and keep up to date the list of IPs. 

You can now refer to these Named IP Lists while crafting custom rules. The underlying list of IPs is kept up to date by regular syncs with the third-party service providers’ APIs.

New WAF rules: RFI, LFI, RCE

As part of Google’s effort to expand the scope of the pre-configured WAF rules to all Cloud Armor customers, Google is making RFI, LFI, and RCE rules available as a beta. Collectively, these rules contain industry standard signatures from the ModSecurity core Rule Set to help mitigate the Command Injection class vulnerabilities while enhancing the out-of-the-box coverage for OWASP Top 10 vulnerabilities as well.

Like the other pre-configured WAF rules, the new rules contain dozens of sub-signatures and are tunable on a per-application basis by end users. As usual, a rich set of telemetry including per-request logging, near real-time request volume metrics and correlated security findings are sent to Cloud Logging, Cloud Monitoring and Cloud Security Command Center respectively. 

Google Cloud Armor is helping protect a rapidly growing set of customers’ mission critical workloads while helping support their compliance requirements like PCI DSS for their Google Cloud deployments. With the new capabilities and services, you can simplify your deployments and reduce operational overhead when integrating with upstream partners and service providers.



Popular posts from this blog

Use Vault for Gmail Confidential Messages and Jamboard Files

Google vault will be supporting two new formats in the future, Gmail confidential mode emails & Jamboard files stored in Google Drive. Google Vault gives you a chance to retain, hold, search, and export data to support your organization’s retention and eDiscovery needs. This dispatch includes support for new information types with the goal that you can thoroughly oversee your association's information. What happens when individuals in your association sends confidential messages? Vault can hold, retain, search, and export all confidential mode messages sent by users in your association. Messages are constantly accessible to Vault, notwithstanding when the sender sets a termination date or denies access to private messages. Here’s an example of what will see in Vault when they search for and preview this email sent by . But It’ll not work vise versa. Admins can hold, retain, search and export message headers and s

Zoom’s Work Transformation Summit on Jan. 19: Fresh Approaches for Moving Forward

These past two years have undoubtedly reshaped work. More specifically, these past two years — shuffling between remote, in-person, and hybrid work scenarios — reshaped what employees expect out of their jobs, how they want to work, and what the office means to them.  Organizations are challenged with making big decisions to meet those expectations, and those decisions will dramatically alter how they hire, manage their facilities, buy technology, and maintain productivity. Simply adjusting policies and retooling previous work models won’t do. It takes a comprehensive reimagining. To help organizations navigate this next phase of work, Zoom is hosting our  Work Transformation Summit  on Jan. 19, a free, half-day virtual event designed to provide you and your organization with meaningful strategies, creative approaches, and innovative solutions for redefining work.  Summit attendees will have the opportunity to hear from peers and industry experts on the importance of embracing technolo

Access well-known educational technology tools straight from Google Classroom.

  We're making it simpler for instructors to use popular EdTech products that are most effective for their class right in Google Classroom with a new seamless integration of single sign-on, assigning, and grading. With the help of this feature, teachers can find, assign, and grade interesting content for their classes, and both teachers and students can access their EdTech tools without needing to navigate to other websites or apps or go through a cumbersome login process that requires remembering numerous usernames and passwords. This offers a more simplified experience when using technology to affect learning, in addition to saving instructors and students time. We partnered with 15+ EdTech companies to build custom add-ons, including Kahoot!, Pear Deck, IXL, and Nearpod.  Admins :  In order for educators to use add-ons, district administrators must provide access to them. For further information on how to install the add-ons functionality and specific add-ons for a domain, OU, o