How does Cloud Armor rule evaluation differ from AWS WAF?

Cloud Armor evaluates rules by priority (lower numbers first), similar to AWS WAF. However, Cloud Armor uses a different expression language for custom rules and supports both allow and deny actions directly in rule definitions. Cloud Armor also includes built-in adaptive protection that uses machine learning to detect and mitigate Layer 7 DDoS attacks, which is a feature AWS provides separately through Shield Advanced. Rate limiting in Cloud Armor supports both throttle (return 429) and ban (block for a duration) actions.

What is the difference between Cloud Armor standard and managed protection plus?

Cloud Armor standard tier includes custom rules, IP allowlists/denylists, and geo-based access control with pay-per-policy pricing ($5/month per policy, $1/month per rule). Managed protection plus adds preconfigured WAF rules (OWASP CRS), adaptive protection (ML-based DDoS detection), and DDoS response support for $3,000/month per organization plus per-resource fees. Most production workloads that handle sensitive data or face significant attack risk benefit from managed protection plus, while internal or low-risk applications can use the standard tier.

Can Cloud Armor protect backend services that are not behind a load balancer?

No. Cloud Armor policies can only be attached to backend services associated with external HTTP(S) Load Balancers (including classic and regional). Workloads exposed directly via instance IPs, internal load balancers, or other networking configurations cannot use Cloud Armor. For those workloads, use VPC firewall rules for network-level filtering or deploy a reverse proxy with Cloud Armor in front of them.

Cloud Armor Security Policy Builder

IAM & SecurityGCP

Build Cloud Armor WAF rules for rate limiting, geo-blocking, and OWASP protection with gcloud and Terraform output.

Input

Example Presets

Policy Name

Description

Rule Type

Action

Priority (0 - 2,147,483,647)

Source IP Ranges (one CIDR per line or comma-separated)

Enable Adaptive Protection (Layer 7 DDoS defense)

Output

Output will appear here...

About Cloud Armor

Standard vs Managed Protection Plus

Standard: $5/policy/mo + $1/rule/mo + $0.75/M requests. Includes IP/geo rules, rate limiting, and pre-configured WAF rules.

Managed Protection Plus: $3,000/mo. Adds adaptive protection, DDoS response support, WAF rule tuning, and bot management.

Pre-configured OWASP Rules

Cloud Armor includes ModSecurity Core Rule Set (CRS) v3.3 pre-configured rules covering SQL injection, XSS, LFI, RFI, RCE, protocol attacks, and more. Sensitivity levels 0-4 control how aggressively rules match (higher = more paranoid).

Adaptive Protection

ML-based Layer 7 DDoS defense that automatically detects and alerts on anomalous traffic patterns. Available in Standard tier with alerts; Plus tier adds auto-deploy of suggested rules.

About This Tool

Google Cloud Armor provides WAF and DDoS protection for applications behind external HTTP(S) Load Balancers, protecting against OWASP Top 10 vulnerabilities, volumetric attacks, and targeted exploits. Security policies contain prioritized rules that evaluate request attributes using custom expressions or preconfigured rule sets (ModSecurity Core Rule Set). This builder generates Cloud Armor security policy rules for rate limiting, geographic access control, IP allowlisting/denylisting, and OWASP protection, producing both gcloud CLI commands and Terraform configuration for deployment.

When to Use This Tool

•Building rate-limiting rules that throttle abusive clients by IP address with configurable thresholds and ban durations
•Creating geo-blocking policies that restrict traffic to specific countries using the origin.region_code attribute
•Configuring preconfigured WAF rules for SQL injection (sqli), cross-site scripting (xss), and remote file inclusion (rfi) protection
•Building custom rules using Cloud Armor's expression language to match on request headers, URI paths, or query parameters

Frequently Asked Questions

How does Cloud Armor rule evaluation differ from AWS WAF?: Cloud Armor evaluates rules by priority (lower numbers first), similar to AWS WAF. However, Cloud Armor uses a different expression language for custom rules and supports both allow and deny actions directly in rule definitions. Cloud Armor also includes built-in adaptive protection that uses machine learning to detect and mitigate Layer 7 DDoS attacks, which is a feature AWS provides separately through Shield Advanced. Rate limiting in Cloud Armor supports both throttle (return 429) and ban (block for a duration) actions.
What is the difference between Cloud Armor standard and managed protection plus?: Cloud Armor standard tier includes custom rules, IP allowlists/denylists, and geo-based access control with pay-per-policy pricing ($5/month per policy, $1/month per rule). Managed protection plus adds preconfigured WAF rules (OWASP CRS), adaptive protection (ML-based DDoS detection), and DDoS response support for $3,000/month per organization plus per-resource fees. Most production workloads that handle sensitive data or face significant attack risk benefit from managed protection plus, while internal or low-risk applications can use the standard tier.
Can Cloud Armor protect backend services that are not behind a load balancer?: No. Cloud Armor policies can only be attached to backend services associated with external HTTP(S) Load Balancers (including classic and regional). Workloads exposed directly via instance IPs, internal load balancers, or other networking configurations cannot use Cloud Armor. For those workloads, use VPC firewall rules for network-level filtering or deploy a reverse proxy with Cloud Armor in front of them.

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.