Google Cloud Armor (opens in new tab)

(cloud.google.com)

179 pointsmindprince8y ago50 comments

50 comments

I know people are saying this is just like Cloudflare, but there might be some real value differentiation here. Google has been doing some really advanced things in this area for a long time. I think I saw a research paper or talk from 5-10 years ago about how Google shows the impact of network policies before applying them, I just searched for it and couldn't find it[1]. The things like Preview Mode and Rich Rules Language could be very advanced.

[1] But I did find this page about their network research: https://research.google.com/teams/netsys/

puzzle8y ago

What kind of network policies? Millions of years ago, Google used Cariden software to simulate what happened when links went down, QoS changes were applied, etc. From what I recall, at some point, the size of the network, new special hardware and the need for more flexibility outgrew the tool's capabilities, so IIRC it was supplanted by in-house solutions that were more real-time and fit into the new SDN architecture.

manigandham8y ago

Preview mode isnt that special, at least in this version: https://cloud.google.com/armor/docs/security-policy-concepts

Http load balancers already log all requests. Security policies decisions will also be logged, but in preview mode won't actually affect the traffic.

EDIT: looks like advanced rules are in alpha for only certain customers...

foxylad8y ago

Interesting - given Cloudflare's real value proposition and domination of their sector, I've been half expecting Google to buy them for a year now.

Google are very good at internet plumbing, and I expect this to be a pretty compelling service. Serious competition and not being an acquisition target any more must have really hurt Cloudflare's value today.

meirelles8y ago

Apparently, they don't support external origins yet. IMHO without this feature they can't be considered a direct competitor to CloudFlare. Also, CloudFlare lately is adding a bunch of very neat features, it's not just about DDoS.

Of course, for those who are already using GCP and depending on their needs is a great alternative.

tyingq8y ago

I don't see any caching/cloud-egress-charge-avoidance here. This is only targeting a small part of Cloudflare's value proposition.

ivanfon8y ago

Not a huge fan of Google getting more control over the net. On the bright side, Cloudflare getting a serious competitor is good.

villedepommes8y ago

Agreed. I just wish it wasn't Google. They "extinguished" a lot of good projects...

killjoywashere8y ago

Meh, I think they've grown up some and see what Amazon has done. Building infrastructure services for customers adds long-term revenue. BMW doesn't make you buy fuel injectors from someone else.

deadbunny8y ago

Name one product in GCP (that had reached general release) that they have "extinguished".

villedepommes8y ago

These immediately come to mind. I'm sure there's more if I dig deeper.

  * Theano -> TF
  * The multitude of RSS readers -> Google Reader
  * Severely undermined Firefox
  * Usenet newsgroups -> Google Groups

8perezm8y ago

Google custom search

1 more reply

wslh8y ago

Many people don't realize that Cloudflare also received funding from Google: https://blog.cloudflare.com/why-we-raised-110m-from-fidelity... it seems cheaper to include it in Google Cloud than buying the company.

philip12098y ago

This would be a lot easier to use if Google added auto-https to their http load balancers. They already offer it for AppEngine custom domains.

jwandborg8y ago

If you're using GKE there's https://github.com/jetstack/cert-manager/

victor1068y ago

This is great news. Cloudflare is way too expensive. Pricing seems reasonable

Policy Charge $5 per Cloud Armor policy per month Per Rule Charge $1 per rule per policy per month Incoming Requests Charge $0.75 per million HTTP(S) requests

kentonv8y ago

> Cloudflare is way too expensive.

Eh? DDoS protection on Cloudflare is free: https://blog.cloudflare.com/unmetered-mitigation/

Which features of Google Cloud Armor are "too expensive" with Cloudflare?

(Disclosure: I'm an engineer at Cloudflare, but I'm genuinely curious what you mean here.)

developer28y ago

Not comparing to Cloud Armor, but the $200/month minimum to bring one's own tls certificate. That alone puts Cloudflare squarely on the list of unusable options for any small project or business that is running their entire production infrastructure on less than $100/month. Also, the inability to specify cache expirations below... what was it... 30 minutes or 2 hours? Again, forced to pay too much for one of the core features of a CDN.

zapita8y ago

I never thought I'd see the day when $200/month is considered "way too much" for a CDN... We've really come a long way.

Personally I use Cloudflare's free tier for lots of projects, and it has a perfectly reasonable TLS offering.

kentonv8y ago

Hmm. Cloudflare provides free TLS certificates automatically. The feature you're describing is for if you want to upload your own certificate and private key to Cloudflare for it to use on the edge. Do a lot of small projects really need that?

manigandham8y ago

Do you really need your own certificate vs using their free provisioned ones?

If you need that kind of technical details than Cloudfront or Stackpath are pretty good for low traffic sites.

foobarbazetc8y ago

Gotta add load balancing charges to this as well, but still ends up cheaper than CF in some cases.

tyingq8y ago

No caching provided either. Full on egress charges. Surely that makes the comparison apples/oranges.

dantiberian8y ago

Caching is provided with GCP HTTPS load balancers, it’s just not specified here.

1 more reply

Elect28y ago

Here's a comparison of Google Armor vs. AWS WAF vs. CloudFlare: https://www.chooseacloud.com/waf

Dawny338y ago

How does it compare to its Azure counterpart? (https://azure.microsoft.com/en-in/services/ddos-protection/)

deno8y ago

Azure differentiates itself here by aligning their interests with the customers’ interests. They’re not first do that either. For example, another major hosting provider, OVH, bundles DDoS protection in their basic service.

Google’s model de facto means they’re just running another protection racket, that is they make more money the more DDoS attacks there are.

From Azure’s website:

> Protection against unplanned costs

> Our cost protection provides service credits for resource costs which are incurred as a result of a documented DDoS attack.

xstartup8y ago

Kubernetes doesn't support multi-region load balancing with GSLB yet.

manigandham8y ago

How is that related to security policies?

Also you can't run a GKE cluster across multiple regions, only multiple zones. If you have multiple clusters in different regions, you can use a NodePort service on each and manually setup a GSLB with a backend pointing to all of the GKE clusters.

There is a solution being worked on though, called multi-cluster ingress: https://github.com/GoogleCloudPlatform/k8s-multicluster-ingr...

puzzle8y ago

Running a Kubernetes cluster across multiple regions is not a great idea. You can set up a federation of clusters, but GKE doesn't seem to support that yet, so you need to create and manage the federated control plane yourself. And there's no standard way at the moment to have generic cross-cluster networking, like you easily could with Borg. So you can load balance external requests to a number of clusters, as you explain, but currently it's easier if each cluster is self-sufficient and doesn't need to refer to internal services in other clusters.

manigandham8y ago

I didn't say anything about K8S across regions, it's fundamentally not designed for it anyway.

GKE doesn't support federation because it's not a final feature either, it was beta at best and is now being revised and renamed to "multi-cluster": https://github.com/kubernetes/community/tree/master/sig-mult...

If you need to reach services between clusters, that's completely different from ingress. Ingress is about external access to cluster services.

You can still use an authentication layer and expose everything through an ingress, or use internal IPs for the services/containers which are already routable in GCP's network across regions. A headless service to get the IPs and a cron job to sync these to a public DNS system will give you the same thing federation does for cross-cluster service discovery. There are also apps like ExternalDNS that'll do it for you: https://github.com/kubernetes-incubator/external-dns

philip12098y ago

I'm trying to enable Cloud Armor to play around with it, but it just looks like a firewall. I don't see a simple way to just "turn it on" - it looks like you have to create an IP address-based policy. It's unclear to me whether there is any kind of adaptive DDOS protection.

nenrek8y ago

Honestly thought this was an early April fool's joke base on the headline alone.

greatamerican8y ago

Nice. Cloudflare has had no competition for too long.

ktta8y ago

Cloudflare is 'dominating' because of their free tier. There are other services actual companies use. Fastly, Akamai, AWS Cloudfront, CacheFly and more.

notamy8y ago

CF having that free tier is a HUGE reason me and people I know stick with it. None of us want to have to throw money at a CF-like service for a low-traffic site, or for an MVP, or... At some point, it definitely becomes worth it, but Cloudflare's free tier is a HUGE boon early on imho.

manigandham8y ago

They also provide incredible value at the pro and business tiers while other providers cost thousands for less features.

Fastly was good for technical setups but Cloudflare Workers blows away Varnish VCL config.

tssva8y ago

No competition? There are many CDN and DDOS protection services. Cloudflare's own copy claims they have 35% of the market which indicates there is certainly competition out there.

viraptor8y ago

Have you actually used them? I only have sample of n=3, but CloudFlare does some things much better than others.

mike_j8y ago

Dyndns?

samat8y ago

Is GCA able to cache responses with proper cache headers or does it pass through everything without caching?

vim_wannabe8y ago

Is it true that sites routed via Cloudflare are blocked in certain countries like China? Would this work better?

andrem8y ago

Just to clarify - Cloudflare have POPs behind the great firewall of china in cooperation with Baidu. That is not to say Cloudflare routed sites are all accessible through CF, but it's certainly not a blanket statement either way.

Not sure if this would work better.

Elect28y ago

Yes but you need a "license" given by Chinese Gov. Otherwise your website will still be routed to edges outside of China. And the bigger problem is the CloudFlare DNS, it is not working well in China.

vim_wannabe8y ago

Ah, thank you.

shenki08y ago

googleflare

mdekkers8y ago

Many, many years ago, a new product or service announcement from Google would leave me interested and excited. Now I just shrug and wonder when it will be abandoned.

jacksmith210068y ago

Wasn't it Google that uncovered Cloud Bleed? Think Google solution is going to be more secure then something from Cloudflare.

j / k navigate · click thread line to collapse

50 comments

antoncohen8y ago

[1] But I did find this page about their network research: https://research.google.com/teams/netsys/

puzzle8y ago

manigandham8y ago

Preview mode isnt that special, at least in this version: https://cloud.google.com/armor/docs/security-policy-concepts

Http load balancers already log all requests. Security policies decisions will also be logged, but in preview mode won't actually affect the traffic.

EDIT: looks like advanced rules are in alpha for only certain customers...

foxylad8y ago

Interesting - given Cloudflare's real value proposition and domination of their sector, I've been half expecting Google to buy them for a year now.

meirelles8y ago

Of course, for those who are already using GCP and depending on their needs is a great alternative.

tyingq8y ago

I don't see any caching/cloud-egress-charge-avoidance here. This is only targeting a small part of Cloudflare's value proposition.

ivanfon8y ago

Not a huge fan of Google getting more control over the net. On the bright side, Cloudflare getting a serious competitor is good.

villedepommes8y ago

Agreed. I just wish it wasn't Google. They "extinguished" a lot of good projects...

killjoywashere8y ago

Meh, I think they've grown up some and see what Amazon has done. Building infrastructure services for customers adds long-term revenue. BMW doesn't make you buy fuel injectors from someone else.

deadbunny8y ago

Name one product in GCP (that had reached general release) that they have "extinguished".

villedepommes8y ago

These immediately come to mind. I'm sure there's more if I dig deeper.

  * Theano -> TF
  * The multitude of RSS readers -> Google Reader
  * Severely undermined Firefox
  * Usenet newsgroups -> Google Groups

8perezm8y ago

Google custom search

1 more reply

wslh8y ago

philip12098y ago

This would be a lot easier to use if Google added auto-https to their http load balancers. They already offer it for AppEngine custom domains.

jwandborg8y ago

If you're using GKE there's https://github.com/jetstack/cert-manager/

victor1068y ago

This is great news. Cloudflare is way too expensive. Pricing seems reasonable

Policy Charge $5 per Cloud Armor policy per month Per Rule Charge $1 per rule per policy per month Incoming Requests Charge $0.75 per million HTTP(S) requests

kentonv8y ago

> Cloudflare is way too expensive.

Eh? DDoS protection on Cloudflare is free: https://blog.cloudflare.com/unmetered-mitigation/

Which features of Google Cloud Armor are "too expensive" with Cloudflare?

(Disclosure: I'm an engineer at Cloudflare, but I'm genuinely curious what you mean here.)

developer28y ago

zapita8y ago

I never thought I'd see the day when $200/month is considered "way too much" for a CDN... We've really come a long way.

Personally I use Cloudflare's free tier for lots of projects, and it has a perfectly reasonable TLS offering.

kentonv8y ago

manigandham8y ago

Do you really need your own certificate vs using their free provisioned ones?

If you need that kind of technical details than Cloudfront or Stackpath are pretty good for low traffic sites.

foobarbazetc8y ago

Gotta add load balancing charges to this as well, but still ends up cheaper than CF in some cases.

tyingq8y ago

No caching provided either. Full on egress charges. Surely that makes the comparison apples/oranges.

dantiberian8y ago

Caching is provided with GCP HTTPS load balancers, it’s just not specified here.

1 more reply

Elect28y ago

Here's a comparison of Google Armor vs. AWS WAF vs. CloudFlare: https://www.chooseacloud.com/waf

Dawny338y ago

How does it compare to its Azure counterpart? (https://azure.microsoft.com/en-in/services/ddos-protection/)

deno8y ago

Google’s model de facto means they’re just running another protection racket, that is they make more money the more DDoS attacks there are.

From Azure’s website:

> Protection against unplanned costs

> Our cost protection provides service credits for resource costs which are incurred as a result of a documented DDoS attack.

xstartup8y ago

Kubernetes doesn't support multi-region load balancing with GSLB yet.

manigandham8y ago

How is that related to security policies?

There is a solution being worked on though, called multi-cluster ingress: https://github.com/GoogleCloudPlatform/k8s-multicluster-ingr...

puzzle8y ago

manigandham8y ago

I didn't say anything about K8S across regions, it's fundamentally not designed for it anyway.

If you need to reach services between clusters, that's completely different from ingress. Ingress is about external access to cluster services.

philip12098y ago

nenrek8y ago

Honestly thought this was an early April fool's joke base on the headline alone.

greatamerican8y ago

Nice. Cloudflare has had no competition for too long.

ktta8y ago

Cloudflare is 'dominating' because of their free tier. There are other services actual companies use. Fastly, Akamai, AWS Cloudfront, CacheFly and more.

notamy8y ago

manigandham8y ago

They also provide incredible value at the pro and business tiers while other providers cost thousands for less features.

Fastly was good for technical setups but Cloudflare Workers blows away Varnish VCL config.

tssva8y ago

No competition? There are many CDN and DDOS protection services. Cloudflare's own copy claims they have 35% of the market which indicates there is certainly competition out there.

viraptor8y ago

Have you actually used them? I only have sample of n=3, but CloudFlare does some things much better than others.

mike_j8y ago

Dyndns?

samat8y ago

Is GCA able to cache responses with proper cache headers or does it pass through everything without caching?

vim_wannabe8y ago

Is it true that sites routed via Cloudflare are blocked in certain countries like China? Would this work better?

andrem8y ago

Not sure if this would work better.

Elect28y ago

vim_wannabe8y ago

Ah, thank you.

shenki08y ago

googleflare

mdekkers8y ago

Many, many years ago, a new product or service announcement from Google would leave me interested and excited. Now I just shrug and wonder when it will be abandoned.

jacksmith210068y ago

Wasn't it Google that uncovered Cloud Bleed? Think Google solution is going to be more secure then something from Cloudflare.

j / k navigate · click thread line to collapse