Build Cloud Armor WAF rules for rate limiting, geo-blocking, and OWASP protection with gcloud and Terraform output.
Last verified: May 2026
Standard: $5/policy/mo + $1/rule/mo + $0.75/M requests. Includes IP/geo rules, rate limiting, and pre-configured WAF rules.
Managed Protection Plus: $3,000/mo. Adds adaptive protection, DDoS response support, WAF rule tuning, and bot management.
Cloud Armor includes ModSecurity Core Rule Set (CRS) v3.3 pre-configured rules covering SQL injection, XSS, LFI, RFI, RCE, protocol attacks, and more. Sensitivity levels 0-4 control how aggressively rules match (higher = more paranoid).
ML-based Layer 7 DDoS defense that automatically detects and alerts on anomalous traffic patterns. Available in Standard tier with alerts; Plus tier adds auto-deploy of suggested rules.
Google Cloud Armor provides WAF and DDoS protection for applications behind external HTTP(S) Load Balancers, protecting against OWASP Top 10 vulnerabilities, volumetric attacks, and targeted exploits. Security policies contain prioritized rules that evaluate request attributes using custom expressions or preconfigured rule sets (ModSecurity Core Rule Set). This builder generates Cloud Armor security policy rules for rate limiting, geographic access control, IP allowlisting/denylisting, and OWASP protection, producing both gcloud CLI commands and Terraform configuration for deployment.
Cloud Armor evaluates rules by priority (lower numbers first), similar to AWS WAF. However, Cloud Armor uses a different expression language for custom rules and supports both allow and deny actions directly in rule definitions. Cloud Armor also includes built-in adaptive protection that uses machine learning to detect and mitigate Layer 7 DDoS attacks, which is a feature AWS provides separately through Shield Advanced. Rate limiting in Cloud Armor supports both throttle (return 429) and ban (block for a duration) actions.
Cloud Armor Standard tier includes custom rules, IP allowlists/denylists, and geo-based access control with pay-per-policy pricing ($5/month per policy, $1/month per rule). Managed Protection Plus adds preconfigured WAF rules (OWASP CRS), adaptive protection (ML-based DDoS detection), and DDoS response support for $3,000/month per organization plus per-resource fees. Most production workloads that handle sensitive data or face significant attack risk benefit from Managed Protection Plus, while internal or low-risk applications can use the Standard tier.
No. Cloud Armor policies can only be attached to backend services associated with external HTTP(S) Load Balancers (including classic and regional). Workloads exposed directly via instance IPs, internal load balancers, or other networking configurations cannot use Cloud Armor. For those workloads, use VPC firewall rules for network-level filtering or deploy a reverse proxy with Cloud Armor in front of them.
Your GKE-backed API is suddenly seeing a spike in SQL injection attempts targeting /api/search?q=. You build a Cloud Armor policy with the sqli-v33-stable preconfigured rule at sensitivity 2, deployed to the load balancer in front of GKE. Within 5 minutes the attack traffic is being blocked at the edge — your backends never see it, latency for legitimate users is unaffected, and you have audit logs showing every blocked request for incident reporting.
The builder generates Cloud Armor security policy rules in JSON, then formats them as gcloud compute security-policies rules create commands and Terraform google_compute_security_policy_rule resources. For preconfigured WAF rules, it embeds the appropriate evaluatePreconfiguredExpr() expression with your chosen sensitivity. For rate limiting, it constructs the rateLimitOptions block with your threshold, ban duration, and key (typically IP). All rules include explicit priority numbers and human-readable descriptions for ops visibility.
Cloud Armor's preconfigured WAF rules (sqli-v33-stable, xss-v33-stable, etc.) are versioned. When a new version drops, your existing rules don't auto-upgrade — you have to opt in. Audit your rule versions quarterly: an old version of the SQLi ruleset is missing months of new attack signatures.
Use evaluatePreconfiguredExpr() with sensitivity levels (1-4) to tune false positives. Sensitivity 1 catches only the highest-confidence attacks; sensitivity 4 catches everything but generates more false positives. Start at 2 for production and tighten based on your traffic patterns.
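As an added example (not the builder's own code), here is a small Python renderer for the gcloud side of what the builder emits: it checks that rule priorities are unique and in range, rejects out-of-range sensitivity values, wraps a preconfigured ruleset in evaluatePreconfiguredWaf() (the expression form that takes a {'sensitivity': N} argument), and emits throttle and rate-based-ban rules keyed on client IP. The policy name api-edge-policy and the sample rules are constructed for illustration.

```python
"""Render Cloud Armor security-policy rules from a compact spec into gcloud
commands. Added example; policy name and sample rules are constructed."""
GCLOUD = "gcloud compute security-policies rules create"

def render_rule(rule, policy):
    """Return one gcloud command for a 'waf', 'throttle' or 'ban' rule."""
    args = [f"{GCLOUD} {rule['priority']}", f"--security-policy={policy}",
            f'--description="{rule["description"]}"']
    kind = rule["kind"]
    if kind == "waf":
        # Preconfigured ruleset plus sensitivity via evaluatePreconfiguredWaf().
        if not 0 <= rule["sensitivity"] <= 4:
            raise ValueError("sensitivity must be 0-4")
        expr = (f"evaluatePreconfiguredWaf('{rule['ruleset']}', "
                f"{{'sensitivity': {rule['sensitivity']}}})")
        args += [f'--expression="{expr}"', f"--action={rule.get('action', 'deny-403')}"]
    elif kind in ("throttle", "ban"):
        # Rate limit keyed on client IP: throttle answers 429 above the
        # threshold, ban blocks the offending key for ban_sec seconds.
        args += ['--src-ip-ranges="*"', "--enforce-on-key=IP",
                 f"--rate-limit-threshold-count={rule['count']}",
                 f"--rate-limit-threshold-interval-sec={rule['interval_sec']}",
                 "--conform-action=allow", "--exceed-action=deny-429"]
        if kind == "throttle":
            args.append("--action=throttle")
        else:
            args += ["--action=rate-based-ban", f"--ban-duration-sec={rule['ban_sec']}"]
    else:
        raise ValueError(f"unknown rule kind: {kind}")
    return " \\\n  ".join(args)

def render_policy(rules, policy="api-edge-policy"):
    """Check priorities (unique; lower evaluates first) and emit rules in order."""
    prios = [r["priority"] for r in rules]
    if len(set(prios)) != len(prios):
        raise ValueError(f"duplicate priorities: {sorted(prios)}")
    if any(not 0 <= p < 2147483647 for p in prios):
        raise ValueError("priority must be in [0, 2147483647); top value is the default rule")
    return [render_rule(r, policy) for r in sorted(rules, key=lambda r: r["priority"])]

# Constructed sample: the SQLi scenario above plus per-IP throttle and ban rules.
SAMPLE_RULES = [
    {"kind": "waf", "priority": 1000, "description": "OWASP CRS SQLi, sensitivity 2",
     "ruleset": "sqli-v33-stable", "sensitivity": 2},
    {"kind": "ban", "priority": 3000, "description": "ban 10 min after 1000 req/min",
     "count": 1000, "interval_sec": 60, "ban_sec": 600},
    {"kind": "throttle", "priority": 2000, "description": "100 req/min per IP",
     "count": 100, "interval_sec": 60},
]
```

Run `print("\n\n".join(render_policy(SAMPLE_RULES)))` to see the three commands in evaluation order; a duplicate priority or a sensitivity outside 0-4 is rejected before anything reaches gcloud.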
Adaptive Protection (in Managed Protection Plus) generates suggested rules from observed attack patterns — but it doesn't auto-apply them. Build a Cloud Function that reads the suggested rules from logs and posts them to Slack for review, so you can act on detection within minutes instead of days.