What are preconfigured WAF rules in Cloud Armor?

Preconfigured WAF rules are based on the OWASP ModSecurity Core Rule Set and detect common web attacks including SQL injection (sqli), cross-site scripting (xss), local file inclusion (lfi), remote file inclusion (rfi), remote code execution (rce), method enforcement, scanner detection, and protocol attacks. Each rule set can be enabled at different sensitivity levels (1-4), with higher levels catching more attacks but increasing false positive risk. You can also exclude specific rules within a set to reduce false positives for your application.

How does Cloud Armor rate limiting work?

Rate limiting rules enforce a maximum request count per client over a configurable time window. You can rate limit by source IP, HTTP header values, or XFF (X-Forwarded-For) IP addresses. When a client exceeds the threshold, Cloud Armor can block subsequent requests (returning 429), redirect them to a reCAPTCHA challenge, or throttle by dropping a percentage of requests. Rate limits are enforced at Google's edge network, meaning abusive traffic is stopped before reaching your backend.

What is Cloud Armor adaptive protection?

Adaptive protection uses machine learning to analyze traffic patterns and automatically detect L7 DDoS attacks. When it detects an anomaly, it generates a suggested WAF rule with a confidence score that you can review and deploy. In auto-deploy mode, rules above a configurable confidence threshold are deployed automatically. Adaptive protection is particularly useful for attacks that are difficult to distinguish from legitimate traffic using static rules alone.

GCP Cloud Armor WAF Policy Builder

IAM & SecurityGCP

Build Cloud Armor WAF security policies with preconfigured rules and rate limiting.

Last verified: May 2026

Cloud Armor Policy Configuration

Policy Name

Description

Enable Adaptive Protection (Layer 7 DDoS defense)

Rule 1

Priority

Action

Match Type

Description

Source IP Ranges

Preview mode (log only, don't enforce)

Policy name is required

Generated Cloud Armor Policy

Output will appear here...

About This Tool

Google Cloud Armor provides DDoS protection and web application firewall (WAF) capabilities for applications behind Google Cloud Load Balancers. Security policies contain rules that evaluate incoming requests against conditions like IP address ranges, geographic locations, or WAF expression language predicates that inspect headers, cookies, and request bodies for attack patterns. This builder helps you create security policies with correct rule priorities, match conditions, preconfigured WAF rule sets (OWASP ModSecurity Core Rule Set), rate limiting configurations, and adaptive protection settings.

Real-World Scenario

Your team's API has been getting hit with SQL injection attempts ramping up over the past week. The builder generates a Cloud Armor policy with: preconfigured `sqli-v33-stable` rule at sensitivity 1 in count mode, `xss-v33-stable` at sensitivity 1 in count mode, plus a rate-limit rule throttling >100 req/min from any source IP. After 3 days of count-mode validation, you flip the WAF rules to deny mode. SQL injection attempts drop to zero at the edge; legitimate traffic is unaffected. Backend ops team reports observable load reduction from blocked malicious traffic.

When to Use This Tool

•Building a Cloud Armor policy that blocks traffic from specific countries and known malicious IP ranges while allowing all other traffic
•Creating WAF rules that detect and block SQL injection and cross-site scripting attempts using preconfigured OWASP ModSecurity rules
•Configuring rate limiting rules that throttle requests per IP address to prevent application-layer DDoS attacks and brute-force login attempts
•Generating security policies with adaptive protection that automatically detects and mitigates volumetric L7 attacks

Pro Tips

TIP

Always START Cloud Armor rules in `count` action mode (not `deny`). Count logs matches without blocking. Run for at least 1 week to identify false positives, then switch to deny. Going straight to `deny` with WAF rules guarantees blocking some legitimate users — and you won't know which until they complain.

TIP

Preconfigured WAF rules at sensitivity level 1 catch ~70% of attacks with very low false positive rate. Level 4 catches more but generates significant noise. Start at level 1, tune exceptions, only escalate sensitivity if you see actual attacks slipping through.

TIP

Adaptive Protection's auto-deploy mode is risky — ML-suggested rules can have unintended consequences. Always review suggested rules manually before deploy, at least for the first few months. Once you build confidence in the model's accuracy, you can enable auto-deploy at high confidence thresholds (e.g., 99%+).

How It Works Under the Hood

The builder generates Cloud Armor security policies with rules at specified priorities. Each rule has: match condition (srcIpRanges, expression in CEL, preconfiguredWafConfig with rule set + sensitivity), action (allow, deny-403, redirect-to-recaptcha, throttle), and optional rateLimitOptions for rate limiting rules. Output is generated as gcloud compute security-policies commands and Terraform google_compute_security_policy resources.

Frequently Asked Questions

What are preconfigured WAF rules in Cloud Armor?: Preconfigured WAF rules are based on the OWASP ModSecurity Core Rule Set and detect common web attacks including SQL injection (sqli), cross-site scripting (xss), local file inclusion (lfi), remote file inclusion (rfi), remote code execution (rce), method enforcement, scanner detection, and protocol attacks. Each rule set can be enabled at different sensitivity levels (1-4), with higher levels catching more attacks but increasing false positive risk. You can also exclude specific rules within a set to reduce false positives for your application.
How does Cloud Armor rate limiting work?: Rate limiting rules enforce a maximum request count per client over a configurable time window. You can rate limit by source IP, HTTP header values, or XFF (X-Forwarded-For) IP addresses. When a client exceeds the threshold, Cloud Armor can block subsequent requests (returning 429), redirect them to a reCAPTCHA challenge, or throttle by dropping a percentage of requests. Rate limits are enforced at Google's edge network, meaning abusive traffic is stopped before reaching your backend.
What is Cloud Armor adaptive protection?: Adaptive protection uses machine learning to analyze traffic patterns and automatically detect L7 DDoS attacks. When it detects an anomaly, it generates a suggested WAF rule with a confidence score that you can review and deploy. In auto-deploy mode, rules above a configurable confidence threshold are deployed automatically. Adaptive protection is particularly useful for attacks that are difficult to distinguish from legitimate traffic using static rules alone.

Featured In

WAF Configuration Across Clouds: AWS WAF, Azure WAF, and Cloud Armor

Was this tool helpful?

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.

GCP Cloud Armor WAF Policy Builder

IAM & SecurityGCP

Build Cloud Armor WAF security policies with preconfigured rules and rate limiting.

Last verified: May 2026

Cloud Armor Policy Configuration

Policy Name

Description

Enable Adaptive Protection (Layer 7 DDoS defense)

Rule 1

Priority

Action

Match Type

Description

Source IP Ranges

Preview mode (log only, don't enforce)

Policy name is required

Generated Cloud Armor Policy

Output will appear here...

About This Tool

Real-World Scenario

When to Use This Tool

•Building a Cloud Armor policy that blocks traffic from specific countries and known malicious IP ranges while allowing all other traffic
•Creating WAF rules that detect and block SQL injection and cross-site scripting attempts using preconfigured OWASP ModSecurity rules
•Configuring rate limiting rules that throttle requests per IP address to prevent application-layer DDoS attacks and brute-force login attempts
•Generating security policies with adaptive protection that automatically detects and mitigates volumetric L7 attacks

Pro Tips

TIP

How It Works Under the Hood

Frequently Asked Questions

What are preconfigured WAF rules in Cloud Armor?: Preconfigured WAF rules are based on the OWASP ModSecurity Core Rule Set and detect common web attacks including SQL injection (sqli), cross-site scripting (xss), local file inclusion (lfi), remote file inclusion (rfi), remote code execution (rce), method enforcement, scanner detection, and protocol attacks. Each rule set can be enabled at different sensitivity levels (1-4), with higher levels catching more attacks but increasing false positive risk. You can also exclude specific rules within a set to reduce false positives for your application.
How does Cloud Armor rate limiting work?: Rate limiting rules enforce a maximum request count per client over a configurable time window. You can rate limit by source IP, HTTP header values, or XFF (X-Forwarded-For) IP addresses. When a client exceeds the threshold, Cloud Armor can block subsequent requests (returning 429), redirect them to a reCAPTCHA challenge, or throttle by dropping a percentage of requests. Rate limits are enforced at Google's edge network, meaning abusive traffic is stopped before reaching your backend.
What is Cloud Armor adaptive protection?: Adaptive protection uses machine learning to analyze traffic patterns and automatically detect L7 DDoS attacks. When it detects an anomaly, it generates a suggested WAF rule with a confidence score that you can review and deploy. In auto-deploy mode, rules above a configurable confidence threshold are deployed automatically. Adaptive protection is particularly useful for attacks that are difficult to distinguish from legitimate traffic using static rules alone.

Featured In

WAF Configuration Across Clouds: AWS WAF, Azure WAF, and Cloud Armor

Was this tool helpful?