Cloud Armor - DDoS protection - pricing

Hi

I'm pretty new to this topic, not sure if the answer is obvious.

I'm preparing a social page that I want to host on GCP. But of course I'm afraid of the pay-as-you-go elements.

Let's say there's some malicious user and they start spiking my services (I wanted to use Google API Gateway but I'm not sure if Cloud Armor is compatible with that): a DoS attack starts, or even worse, there are more users and we have a DDoS.

I see Cloud Armor is priced per request and per TiB egressed.

If that's the attack and it is blocked by Cloud Armor, do I pay for each of those requests made by the attacker? Do I pay for blocked IP requests? How could I avoid going bankrupt if there's someone evil who wants to kill my app, given the website has public APIs?

1 REPLY

Hi @Szyszy 

To address what you've mentioned, "Google API Gateway but I'm not sure if Cloud Armor is compatible with that", there is a reference to putting the API Gateway behind an external load balancer.

But ideally, for APIs such as API Gateway, it should work with Cloud Armor as it is an included feature of WAAP.

To answer your question of whether you are going to pay for the requests made by the attacker or for every blocked IP request: it is included under the Plus Tier subscription; for the Standard Tier, it will depend on WAF requests, rules, and security policies.

One best practice that I can recommend to avoid being charged too much is to enable the rules one at a time and then monitor blocked traffic. For example, if you have set ten rules, enable six of them, then test, measure, and monitor how effective your configuration is. For other best practices, you can check this documentation.