Locking Down the Cloud with Cloud Armor - Easier Than You Think
Why you should care, how to use it and a few tips to get started.

Introduction
So you've built your app, it's humming along nicely on Google Cloud, and maybe you've even taken my advice and started injecting some serverless magic into those creaky legacy systems. But with all that awesomeness comes a new worry: locking down your systems to reject unwanted traffic. Security can seem like this huge, scary beast, especially when it comes to cloud environments. But fear not, for Cloud Armor is here to help, and it's way easier to get to grips with than you might imagine. I asked Gemini to describe it and this is what it responded with:
Think of it like a bouncer for your cloud apps, but without the velvet rope and questionable fashion choices. Instead we get a powerful, scalable way to protect your applications and services from the riff-raff of the internet.
What is this Cloud Armor thing, anyway?
Cloud Armor is essentially a web application firewall (WAF) that sits in front of your Google Cloud Load Balancer. It acts as a shield, inspecting incoming traffic and blocking malicious requests based on rules you define. A security checkpoint for your website or API if you will. It can help fend off common attacks like:
DDoS Attacks: Floods of traffic designed to overwhelm your services.
SQL Injection: Nasty attempts to mess with your databases.
Cross-Site Scripting (XSS): Sneaky code injections that can hijack user sessions.
And that's just scratching the surface. Cloud Armor is also surprisingly good at stopping bots in their tracks!
Getting Started
Honestly, the hardest part about setting up Cloud Armor might be deciding what to name your security policies. Here's a super quick rundown:
Enable the Cloud Armor API: Yep, you need to turn it on first. A few clicks in the Google Cloud console, and you're good to go. Or if you're like me, a quick gcloud command or two is all you need!
Create a Security Policy: This is where you define the rules. You can start with pre-configured rules to block common threats, or get fancy and create your own custom rules.
Attach the Policy to your Load Balancer: Tell Cloud Armor which load balancer to protect. Select which backend service you want to protect, or multiple if that’s how you roll, and click apply!
Test and Monitor: Make sure your policy is working as expected and keep an eye on the logs to see what Cloud Armor is up to.
It really is that simple. Google Cloud's interface is pretty intuitive, and there's a ton of great documentation if you get stuck. The command-line tooling is also super powerful, allowing you to automate your configuration and policies!
In my case, I wanted only certain paths of my API to receive traffic through the Load Balancer, so I whitelisted those, and anything that didn't match just gets hit with a 404.
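As an added example (not code from the post), here is the gcloud version of the four steps above, set up the way the post describes: a policy whose default rule answers 404, one allow rule for the listed API paths, a preconfigured SQLi rule left in preview mode, the policy attached to a backend service, and a log query for denied requests. The project, policy, backend and path names are placeholders, and DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
# Added example, not from the post: a Cloud Armor policy that allow-lists API
# paths and returns 404 for everything else, attached to a backend service.
# PROJECT, POLICY, BACKEND and the paths passed in are placeholders.
set -eu
PROJECT="${PROJECT:-my-project-id}"        # placeholder project id
POLICY="${POLICY:-api-allowlist-policy}"   # placeholder policy name
BACKEND="${BACKEND:-api-backend-service}"  # placeholder backend service
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print commands, 0 = run them

# Print the command (dry run) or execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Turn allowed path prefixes into a rules-language expression (RE2 regex):
# request.path.matches('^(p1|p2)(/.*)?$')
allowlist_expr() {
  [ $# -gt 0 ] || { echo "allowlist_expr: need at least one path" >&2; return 1; }
  alts=$(printf '%s|' "$@"); alts=${alts%|}
  printf "request.path.matches('^(%s)(/.*)?\$')" "$alts"
}

# Steps 1-3 of the post: enable the API, create the policy and rules, attach.
apply_policy() {
  expr=$(allowlist_expr "$@")
  run gcloud services enable compute.googleapis.com --project "$PROJECT"
  run gcloud compute security-policies create "$POLICY" --project "$PROJECT" \
    --description "Allow-list API paths, 404 everything else"
  # The default rule (priority 2147483647) decides every unmatched request.
  run gcloud compute security-policies rules update 2147483647 \
    --security-policy "$POLICY" --project "$PROJECT" --action deny-404
  # Lower number = higher priority: the known API paths are allowed first.
  run gcloud compute security-policies rules create 1000 \
    --security-policy "$POLICY" --project "$PROJECT" \
    --expression "$expr" --action allow
  # Preconfigured SQLi rule in preview mode: logged but not enforced until tuned.
  run gcloud compute security-policies rules create 500 \
    --security-policy "$POLICY" --project "$PROJECT" --action deny-403 --preview \
    --expression "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})"
  run gcloud compute backend-services update "$BACKEND" --global \
    --project "$PROJECT" --security-policy "$POLICY"
}

# Step 4: recent requests the policy denied, from the load balancer logs.
show_denies() {
  run gcloud logging read --project "$PROJECT" --limit 20 --freshness 1h \
    'resource.type="http_load_balancer" AND jsonPayload.enforcedSecurityPolicy.outcome="DENY"'
}

apply_policy /api/v1/flags /api/v1/users   # placeholder API paths
show_denies
```

Run it once with DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 against a project where you have the compute security admin role; the preview rule shows up in the logs without blocking anything until you drop the --preview flag.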
Key Pointers for Those Getting Started with WAFs or Cloud Armor
Here are a few things to keep in mind when you're dipping your toes into the Cloud Armor waters:
Start with the Defaults: Google provides a solid set of pre-configured rules. Use them! They're a great starting point, and you can always tweak them later.
Learn the Rules Language: Cloud Armor uses a custom rules language that might look a bit intimidating at first. But trust me, it's not rocket science. Spend a little time understanding the basics, and you'll be writing your own rules in no time.
Logging is Your Friend: Cloud Armor logs everything. Use those logs to see what's being blocked, fine-tune your rules, and identify potential threats.
Don't Set and Forget: Security is an ongoing process. Regularly review your policies and update them as needed.
Automated bots and scripts are out there
I wanted to solidify this post with a real-world example. When building RocketFlag and connecting the domain I bought to the backend API for the first time, within a few hours I had hits to the service probing for all kinds of common, simple weaknesses in an attempt to expose keys, code, secrets, all kinds of stuff.
Consider the screenshot below, which shows a week's worth of hits to my API.
Can you see when I decided to implement Cloud Armor? This was for my region-based service in the EU, and since I didn't have any customers there the traffic just didn't make sense. Upon closer inspection and review of the logs, I noticed that the app traffic was just hits to my API which were of course returning 404s, but there were attempts to request things like environment variable files, attempts to hit wp-admin routes and so on. I'm not even storing those things, or using WordPress, but the attacks were relentless.
Upon implementing the WAF, the traffic in Belgium (the region where the EU service is deployed) dropped off completely. Because I applied the policy to the load balancer, requests from other regions were automatically dropped too, and now the hits to the service look much better, representing actual traffic that I can make informed decisions on.
The Cost of Doing Business (But Not Breaking the Bank)
Alright, let's talk money. Like any cloud service, Cloud Armor has costs associated with it. But the good news is that it's generally quite affordable, especially when you consider the potential cost of a security breach. Here's a quick breakdown:
Security Policies: You pay a monthly fee for each policy you create.
Rules: Each rule within a policy also has a small monthly fee.
Requests: You're charged per million requests inspected by Cloud Armor.
Outbound Data Transfer: Data transferred as a result of Cloud Armor is free!
It's important to note that these costs can vary depending on your usage and the complexity of your rules. But for most small to medium-sized applications, Cloud Armor is a very cost-effective way to boost your security posture. For example, if we just create a policy with the default rule, and apply it to our backend service, that will only cost us $6/month. Then, for every million requests to our service, it’s only $0.75, so $6.75/month for the first million. If your app is smaller than that, it’s only $6/month. A small price to pay for your peace of mind! I recommend you check out the Cloud Armor pricing page for a full breakdown and some examples of different scenarios. There's even a calculator where you can plug in your own numbers to help estimate your costs.
Conclusion
Security shouldn't be an afterthought. With tools like Cloud Armor, Google makes it easy (and relatively inexpensive) to protect your cloud applications from a wide range of threats. So, don't let the fear of complex security setups hold you back. Dive in, experiment, and lock down your cloud with confidence. You've built something awesome; now go forth and protect it!