Cloud Armor
A WAF that attaches to resources such as a load balancer or to compute instances with a public IP. Currently usable on (per the GCP documentation):
- Global external Application Load Balancer (HTTP/HTTPS)
- Classic Application Load Balancer (HTTP/HTTPS)
- Regional external Application Load Balancer (HTTP/HTTPS)
- Global external proxy Network Load Balancer (TCP/SSL)
- Classic proxy Network Load Balancer (TCP/SSL)
- External passthrough Network Load Balancer (TCP/UDP)
- Protocol forwarding
- VMs with public IP addresses
8K FTW
How can this be fixed? Cloud Armor is a valuable security tool, but it is important that customers are aware of the 8 KB size limitation so that they can take steps to further secure their applications. Customers can configure a custom Cloud Armor rule to block HTTP requests where the request body is larger than 8192 bytes.
int(request.headers["content-length"]) >= 8192
When auditing an application protected by this WAF, check whether such a rule is in place. It is also worth confirming that the preconfigured OWASP rule set is actually current: keeping it fresh is technically Google's responsibility, but that is no reason not to verify it.
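The following is an added example, not code from the original notes or from Google: a small Python model of the custom rule quoted above, `int(request.headers["content-length"]) >= 8192`, next to a model of the 8 KB body-inspection window. It shows that the rule denies exactly the requests whose body the WAF could not inspect in full, and how the edge cases a practitioner would ask about are handled (header names in any case, a missing Content-Length such as a chunked request, a malformed value). The request samples are constructed; the handling of missing or malformed headers is an assumption made for this example, not Cloud Armor's documented behaviour.

```python
"""Added example (not part of the original notes): model of a Cloud Armor
body-size rule and of the 8 KB inspection window.

Cloud Armor's preconfigured WAF rules inspect only the first 8192 bytes of
a request body.  A custom rule denying requests with a larger
Content-Length closes that gap.  The gcloud invocation below is the usual
way to attach such a rule (POLICY_NAME is a placeholder):

    gcloud compute security-policies rules create 1000 \
        --security-policy=POLICY_NAME \
        --expression="int(request.headers['content-length']) >= 8192" \
        --action=deny-403
"""
from typing import Dict, Tuple

BODY_INSPECTION_LIMIT = 8192          # bytes of body the WAF rules actually see
ALLOW, DENY, REVIEW = "allow", "deny-403", "review"


def fully_inspected(body: bytes, limit: int = BODY_INSPECTION_LIMIT) -> bool:
    """True when the whole body lies inside the inspected window."""
    return len(body) <= limit


def content_length_rule(headers: Dict[str, str],
                        limit: int = BODY_INSPECTION_LIMIT) -> str:
    """Model of `int(request.headers["content-length"]) >= limit`.

    Header names are matched case-insensitively.  A request with no
    Content-Length (for example chunked transfer encoding) or with a
    non-numeric value cannot be judged by this rule; this example flags it
    for review rather than silently allowing it.  That choice is an
    assumption for the example, not Cloud Armor's actual semantics.
    Note that, as the page writes the rule with >=, a body of exactly
    8192 bytes is denied even though it would be fully inspected.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get("content-length")
    if raw is None:
        return REVIEW
    try:
        length = int(raw.strip())
    except ValueError:
        return REVIEW
    return DENY if length >= limit else ALLOW


def evaluate(headers: Dict[str, str], body: bytes) -> Tuple[str, bool]:
    """Apply the rule, then report whether the WAF saw the whole body.

    With the rule in place, every request that reaches the backend has a
    fully inspected body, which is the property the rule exists to give.
    """
    decision = content_length_rule(headers)
    return decision, fully_inspected(body)


if __name__ == "__main__":
    # Constructed sample requests.
    small = b"username=alice&password=secret"
    large = b"A" * (BODY_INSPECTION_LIMIT + 1)
    samples = [
        ({"Content-Length": str(len(small))}, small),
        ({"content-length": str(len(large))}, large),
        ({"Transfer-Encoding": "chunked"}, large),
    ]
    for hdrs, body in samples:
        decision, seen = evaluate(hdrs, body)
        print(f"{decision:9s} fully_inspected={seen} headers={hdrs}")
```

The point of `evaluate` is the invariant: anything the rule lets through is also something the WAF inspected in full. The chunked case is the one to watch during an audit, since no Content-Length means this particular rule cannot decide.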
Cloud Interconnect
A service that bridges an on-prem (or otherwise hosted) infrastructure with an external one, or connects the cloud to another hosted cloud service. This is routing and network interconnection at its core.
Typical reasons to use it:
- An ongoing migration (cloud to cloud, self-hosted to cloud)
- The company is large enough that infrastructure solutions aren’t unified
- Very specific constraints apply
- Or it’s simply a mess that needs bridging
Network interconnection (routing) is worth digging into further.
Cloud NAT
Rather than setting up a proxy to NAT machines manually, Cloud NAT handles it automatically.
Each machine receives the NAT’s IP along with a port range of its own. Multiple NAT IPs can be configured per Gateway.
No port forwarding is involved, so external clients cannot reach the internal IPs directly; the NAT only serves outbound connections.
Cloud Load Balancing
Fairly self-explanatory: load distribution across the platform. It's a reverse proxy, offered in two categories:
- Global
- Regional