Jump to Content
Security & Identity

New WAF capabilities in Cloud Armor for on-prem and cloud workloads

May 13, 2020
Emil Kiner

Senior Product Manager, Cloud Armor

No matter where your applications are deployed, it's important for admins to be able to quickly and easily scale security across the entire infrastructure. Google Cloud Armor is the web-application firewall (WAF) and DDoS mitigation service that helps users defend their web apps and services at Google scale at the edge of Google’s network. 

Last November, we introduced, as beta, new WAF capabilities and increased telemetry through the Security Command Center. Since then we’ve seen rapid adoption from customers looking to deploy Google Cloud-native offerings to defend and maintain the availability of their applications. As a result, we recently made the WAF generally available to all customers, including features such as:

  • Geo-based access control 
  • Pre-configured WAF rules for SQL injection (SQLi) and Cross-Site Scripting (XSS) defense 
  • A custom rules language for custom Layer 7 (L7) filtering policies 
  • Security Command Center integration

"At ATB Financial, security is a top priority,” says Innes Holman, Head of Technology Strategy and Architecture at ATB Financial. “With Google Cloud Armor, we can safely deploy workloads in the cloud. It protects our applications at scale while helping meet ATB's security and compliance requirements."

What’s new

Today, we’re also announcing the general availability of Cloud Armor support for Cloud CDN for origin server protection, as well as support for hybrid deployments, to help protect applications and services whether they’re deployed on Google Cloud, in a hybrid deployment, or in a multi-cloud architecture.


Cloud Armor for Cloud CDN: origin server protection

Web applications and websites often serve both static and dynamic content. While enabling Cloud CDN helps optimize the way static content is served, a client request for dynamic content still needs to reach the application server for processing and response. A CDN can typically scale to serve cached content in the face of an attack, but origin servers frequently need an upstream WAF to prevent unwelcome requests from overloading limited resources. Enterprises frequently have a security and compliance need to apply WAF rules and L7 filtering policies to reduce risk and ensure the availability of the application server. 

To fulfill this need, you can now configure Cloud Armor security policies to help protect backend services with Cloud CDN enabled. When a security policy is attached to a CDN-enabled backend service, Cloud Armor will enforce the policy for all requests destined to the origin server, including cache-misses and dynamic requests bypassing the cache. 

To get started, in your Google Cloud Load Balancing (GCLB) configuration, enable a backend service for Cloud CDN and then expand Advanced Configurations to attach a Cloud Armor security policy:


Cloud Armor for hybrid and multi-cloud deployments

Cloud Armor, in addition to Cloud CDN and the Cloud Load Balancers, can now be used to front applications that are not deployed on Google Cloud. Enterprise workloads are increasingly complex and often are deployed with infrastructure on-prem and in the cloud, or spanning multiple infrastructure providers. Whether such hybrid architectures are a permanent fixture of an enterprise’s operations or part of a migration plan, security teams have a need to apply consistent security controls regardless of where the application is deployed—even internet-facing applications deployed on premise need to be protected from attacks from the internet.


Users can now leverage the full scale and scope of Google’s edge infrastructure, including Cloud Armor, to help protect workloads that are deployed anywhere as long as they are accessible over the public internet. To get started, configure a GCLB backend service to point at an Internet Network Endpoint Group (NEG). Next, attach a Cloud Armor security policy to that backend service and configure one or more rules to filter Layer 7 traffic targeting the protected application.


Next steps

With Google Cloud Armor’s recent releases, Google Cloud customers can now utilize a native enterprise-grade WAF and DDoS mitigation service, leveraging the full scale of Google’s edge network to help defend their applications from DDoS attacks and mitigate risk from targeted application attacks. The support for hybrid deployment and CDN-enabled workloads means you have the option of deploying Google Cloud edge services—including Google Cloud Armor, Cloud CDN, and Cloud Load Balancing—to help protect applications and websites, whether they’re deployed on Google Cloud, on premise, or with other cloud providers, while maintaining a uniform edge and consistent set of policies and access controls. 

To learn more, check out the resources below:

Posted in