Understanding Google Cloud Armor’s new WAF capabilities

Protecting applications exposed to the internet is an increasingly difficult job. Since we launched Google Cloud Armor last December, it has helped enterprises protect themselves and their users with a native solution that protects big and small applications from Distributed Denial of Service (DDoS) and targeted web attacks with custom security policies enforced at the edge of Google’s network, at Google-scale.

Last week, we announced new web-application firewall (WAF) capabilities, now available in beta. With this release, Google Cloud Armor is expanding the scope of protection it provides for securing your applications and other workloads from DDoS and targeted web-based attacks. It can also help you meet compliance requirements from internal security policies as well as external regulatory requirements. Specifically, Google Cloud Armor now lets you create security policies or expand existing ones to enforce:

  • Geo-based access controls
  • Pre-configured WAF rules, and 
  • Custom L7 filtering policies using custom rules

Visibility into the usage and effectiveness of security controls as well as the protected applications is essential to security operations. Google Cloud Armor now sends findings to Cloud Security Command Center (Cloud SCC) to alert defenders of potential Layer 7 attacks. This is in addition to the rich set of telemetry that it already sends to Stackdriver Logging and Stackdriver Monitoring.

Google Cloud Armor overview

Google Cloud Armor mitigates DDoS attacks and protects applications from the web’s most common attacks while allowing you to create custom L7 filtering policies to enforce granular access controls on public-facing applications and websites. 

Google Cloud Armor is deployed at the edge of Google’s network and tightly coupled with our global load balancing infrastructure. As a result, Google Cloud Armor helps you solve your most pressing application security and compliance needs at any scale, blocking unwelcome or malicious traffic at the edge of the network, far upstream of your VPCs or other infrastructure.

cloud armor ddos.png

What’s new

The following capabilities are now available in beta.

Custom rules 
To ensure the safe operation and availability of protected applications, security controls need to be context-sensitive and tailored to the unique needs of individual applications. With Cloud Armor custom rules, you can now create rules with advanced match conditions to filter incoming traffic across a variety of attributes and parameters from Layers 3 through 7. To get started, you can find the full language specification and sample expressions in the security policy rules language reference.

Custom rules can be as simple or complex as dictated by the security and business needs of your applications. Take, for example:

custom rules.png

This is an example rule that blocks incoming traffic that matches each of the conditions:

  • From the United States, 
  • with a user agent that contains the phrase “Bad Bot,” 
  • and contains a cookie named “discount” with a value of “ab1d8732”

Geo-based access controls
There are times when you may need to limit access to an application to certain countries—whether it is for regulatory compliance, copyright licensing, or another business need. With Google Cloud Armor, you can now configure security policies to create allow lists or deny lists based on the country code of the client request attempting to reach your application. This ensures that you will only receive traffic from and serve content to users in specific countries. You can also use source geography in combination with other attributes in Cloud Armor’s custom rules language to apply fine-grained control over what can be accessed, by whom, and from where.

Geo-based access controls.png

Pre-configured WAF rules (SQLi & XSS)
Google Cloud Armor now includes pre-configured WAF rules to protect applications from the web’s most common attack (e.g. OWASP Top 10 Risks), making it easier for you to configure and operate a web application firewall and meet your compliance and security needs. Today, Cloud Armor WAF rules protect you from the web’s most common attack types—SQL Injection and Cross-Site Scripting—with more pre-configured WAF rules on the way. 

We built these pre-configured WAF rules by implementing the signatures and sub-signatures described in the open source ModSecurity Core Rule Set for SQLi and XSS. In the WAF rule tuning guide, we also describe how to finetune the preconfigured rules to optimize on sensitivity levels and customize them on a per protected-application basis. Over time, we’ll introduce additional rules from the ModSecurity CRS to make it easier to protect your application from the OWASP Top 10 risks and beyond.

Pre-configured WAF rules.png

Surfacing findings in the Cloud Security Command Center
Google Cloud Armor now automatically sends findings to Cloud SCC to alert you to suspicious Layer 7 traffic patterns. Organizations with Cloud SCC enabled will now receive real-time notifications of two events:

  1. Allowed Traffic Spike: A sudden increase in the volume of Layer 7 requests being allowed through an existing Google Cloud Armor security policy on a per backend service basis.
  2. Increasing Deny Ratio: A sudden increase in the ratio of traffic that is being denied compared to the total traffic targeting a particular backend service.
cloud scc.png

Together these findings can alert application owners and incident responders of potential Layer 7 attacks while they are still ramping up. With early notice, incident responders can begin to investigate and triage earlier, deploying mitigating controls sooner to protect against an attack before it impacts the availability of your application. 

Next steps

With the beta release of this rich set of WAF capabilities, Google Cloud Armor now enables enterprises of any size to easily protect your public facing applications while satisfying your risk and compliance needs. In addition, the new Google Cloud Armor telemetry in Cloud SCC helps to accelerate incidence detection and response to ensure the security and availability of mission-critical applications. Finally, the combination of Google Cloud Armor with Google Cloud Load Balancing lets you deploy to and customize Google’s global edge infrastructure to protect your applications against the web’s most common attacks, provide granular Layer 7 access controls, and defend against volumetric, protocol and application-level DDoS attacks.

Google Cloud Armor WAF capabilities are publically available. To get started, navigate to Network Security -> Cloud Armor in the Google Cloud Console. 

Learn more: