fitgap

Google Cloud Armor

Pricing from: Pay-as-you-go
Free Trial
Free version unavailable
User corporate size: Small, Medium, Large
User industry
  1. Public sector and nonprofit organizations
  2. Education and training
  3. Retail and wholesale

What is Google Cloud Armor

Google Cloud Armor is a cloud-based security service that helps protect internet-facing applications and services on Google Cloud from distributed denial-of-service (DDoS) attacks and common web threats. It is typically used by cloud and security teams to apply edge-enforced security policies to traffic reaching Google Cloud Load Balancing and related endpoints. The product combines DDoS mitigation with a web application firewall (WAF) rule engine, including managed protections and custom rules. It integrates with Google Cloud logging and monitoring to support operational workflows and incident response.

Pros

Edge-enforced DDoS mitigation

Cloud Armor provides DDoS protection that is enforced at Google’s edge before traffic reaches backend services. This helps reduce the load on origin infrastructure during volumetric attacks and supports always-on protection patterns. It is designed to work with Google Cloud’s global load balancing architecture, which can simplify protection for globally distributed applications.

WAF rules and customization

Cloud Armor includes WAF capabilities with managed protections and support for custom security policies. Teams can create allow/deny rules, rate limiting, and match conditions to address application-specific threats. This enables a single policy layer for both generic web attack patterns and environment-specific controls.

Native Google Cloud integration

The service integrates with Google Cloud Load Balancing and common Google Cloud operational tooling such as logging and monitoring. This reduces the need to deploy and manage separate security appliances for supported architectures. It also supports infrastructure-as-code and API-driven configuration, which aligns with DevSecOps workflows.

Cons

Best fit for GCP traffic

Cloud Armor is primarily designed to protect workloads fronted by Google Cloud Load Balancing and related Google Cloud entry points. Organizations with significant non-Google Cloud traffic may need additional tooling to achieve consistent controls across environments. This can introduce policy fragmentation when applications span multiple clouds or on-premises.

Rule tuning and false positives

As with many WAF products, managed rules and custom policies can require tuning to avoid blocking legitimate traffic. Application changes, new endpoints, and evolving attack patterns can necessitate ongoing adjustments. Teams may need mature testing and monitoring practices to manage false positives and exceptions safely.

Feature depth varies by use case

Some advanced application security needs (for example, highly specialized bot mitigation, complex application-layer profiling, or certain deployment models) may require complementary services. Capabilities and configuration options depend on the supported Google Cloud networking architecture. This can limit flexibility for teams that need a uniform control plane across diverse edge and delivery stacks.

Plan & Pricing

| Plan | Price | Key features & notes |
| --- | --- | --- |
| Cloud Armor Standard (Pay-as-you-go) | Pay-as-you-go: Requests: $0.75 per 1,000,000 (globally scoped security policies); $0.60 per 1,000,000 (regionally scoped). Security policies: $0.006849315 per hour. Rules: $0.001369863 per hour. No data processing fee. | WAF charged per policy/rule/request. Always-on basic DDoS protection for supported load balancers and CDNs. No time commitment. (See official pricing page for full per-hour/per-request SKU details.) |
| Cloud Armor Enterprise — Paygo (enroll per project) | $200/month per project (approx. $0.27397 per hour) — includes first 2 protected resources; $200/month per protected resource after first 2. Data processing fee applies (tiered per GiB: $0.075/GiB for first 102,400 GiB; $0.06/GiB next tier; $0.05/GiB above). | Enterprise Paygo bundles WAF (rules/policy/requests included), Adaptive Protection (ML), advanced network DDoS protection, hierarchical security policies, Google Threat Intelligence, and DDoS visibility. Billing and protected-resources aggregation are at the project level. No long-term commitment. |
| Cloud Armor Enterprise — Annual (12-month subscription, billed to billing account) | $3,000/month per billing account (approx. $4.10959 per hour) — includes up to 100 protected resources across enrolled projects; $30/month per protected resource after first 100. Data processing fee (lower tiered rates): $0.05/GiB for first 102,400 GiB; $0.04/GiB next tier; $0.03/GiB above. | Enterprise Annual bundles WAF and advanced features across enrolled projects, offers DDoS bill protection and DDoS response team access (eligibility and conditions apply), and requires a 12-month commitment. Billing and protected-resources aggregation are at the billing-account level. |

Notes: Bot management (reCAPTCHA integration) is billed according to reCAPTCHA pricing. If hierarchical security policies are created in projects not enrolled in Enterprise Annual, those projects are automatically enrolled in Cloud Armor Enterprise Paygo. For full SKU-level rates and examples, see the official Cloud Armor pricing page.

Seller details

Google LLC
Mountain View, CA, USA
1998
Subsidiary
https://cloud.google.com/deep-learning-vm
https://x.com/googlecloud
https://www.linkedin.com/company/google/

Best Google Cloud Armor alternatives

Cloudflare Application Security and Performance
DataDome
Radware DefensePro
Akamai Prolexic Routed