
Cloud Armor without load balancer

Hi.

Trying to find out if it's possible to use Cloud Armor without a load balancer? Within the documentation it states "protect applications and services using Network Load Balancer, Protocol Forwarding or VMs with Public IP".

I'm using one VM with a public IP. If I create a Cloud Armor policy I can only select a load balancer as a target.

I'd rather not create a load balancer if I don't have to!

Thanks

1 ACCEPTED SOLUTION

Howdy Martin,

I did a search in Google's database of previous support tickets and found one that was an exact match:

---- Support Ticket response ---

I checked your use case with our internal team. As of now there is no way to configure Cloud Armor without a backend service, but there is a feature request[1] for this with our internal team, although we do not have any ETA for the same.

- You can also use third-party DDoS protection tools like Cloudflare.
- You can configure only one instance behind a load balancer if you want to use Cloud Armor.

Please check the link[2] for the best way to enable DDoS protection on many individual GCP compute instances without load balancing. (Note: This is a public link not owned by Google. We can 100% rely on this.)

Also, please follow the Best Practices for DDoS Protection and Mitigation on Google Cloud Platform.[3]

Please let me know if this information is helpful. If you need any further assistance on this, please do not hesitate to ask.

=======
[1] https://issuetracker.google.com/217773056
[2] https://serverfault.com/questions/1090312/best-way-to-enable-ddos-protection-on-many-individual-gcp-... (Note: This is a public link not owned by Google. We can 100% rely on this.)
[3] https://cloud.google.com/files/GCPDDoSprotection-04122016.pdf
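
The "one instance behind a load balancer" option from the ticket response, as an added example that is not part of the original post or of Google's documentation. The resource names, zone, network, network tag and allowed CIDR are assumed placeholders, and it covers HTTP on port 80 only.

```shell
#!/usr/bin/env bash
# Added example: a single VM behind a global external Application Load Balancer
# with a Cloud Armor policy on the backend service.
# Dry run by default (commands are printed); set APPLY=1 to execute them.
set -eu
VM=web-1; ZONE=us-central1-a; NET=default   # assumed placeholders
TAG=web                                     # assumed: the VM carries network tag "web"
ALLOW_CIDR=203.0.113.0/24                   # constructed sample range (TEST-NET-3)

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

plan() {
  # 1. Wrap the single VM in an unmanaged instance group so it can be a backend.
  run gcloud compute instance-groups unmanaged create web-ig --zone="$ZONE"
  run gcloud compute instance-groups unmanaged add-instances web-ig --zone="$ZONE" --instances="$VM"
  run gcloud compute instance-groups unmanaged set-named-ports web-ig --zone="$ZONE" --named-ports=http:80
  # 2. Health check and backend service (the object Cloud Armor attaches to).
  run gcloud compute health-checks create http web-hc --port=80
  run gcloud compute backend-services create web-bes --global --protocol=HTTP --port-name=http \
      --health-checks=web-hc --load-balancing-scheme=EXTERNAL_MANAGED
  run gcloud compute backend-services add-backend web-bes --global --instance-group=web-ig --instance-group-zone="$ZONE"
  # 3. Cloud Armor policy: allow one range, switch the default rule to deny, attach it.
  run gcloud compute security-policies create web-armor
  run gcloud compute security-policies rules create 1000 --security-policy=web-armor \
      --src-ip-ranges="$ALLOW_CIDR" --action=allow
  run gcloud compute security-policies rules update 2147483647 --security-policy=web-armor --action=deny-403
  run gcloud compute backend-services update web-bes --global --security-policy=web-armor
  # 4. Load balancer frontend.
  run gcloud compute url-maps create web-map --default-service=web-bes
  run gcloud compute target-http-proxies create web-proxy --url-map=web-map
  run gcloud compute forwarding-rules create web-fr --global --load-balancing-scheme=EXTERNAL_MANAGED \
      --target-http-proxy=web-proxy --ports=80
  # 5. Let only Google front ends and health checkers reach the VM on port 80.
  #    Any existing rule allowing 0.0.0.0/0 to the VM must also be removed,
  #    otherwise traffic to the VM's public IP never passes through the policy.
  run gcloud compute firewall-rules create allow-lb-only --network="$NET" --direction=INGRESS \
      --action=allow --rules=tcp:80 --source-ranges=130.211.0.0/22,35.191.0.0/16 --target-tags="$TAG"
}

plan
```

The policy is evaluated only on requests that arrive through the load balancer's forwarding rule, which is why step 5 matters as much as step 3.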


3 REPLIES 3

Thanks for the reply, I've added my vote to that feature request. In the meantime, I'll start looking at setting up a load balancer!

Hello,

My question is the reverse of this. Can we use only the GCP LB for DDoS protection without using Cloud Armor?