
Google Cloud Armor - mindprince
https://cloud.google.com/armor/
======
antoncohen
I know people are saying this is just like Cloudflare, but there might be some
real value differentiation here. Google has been doing some really advanced
things in this area for a long time. I think I saw a research paper or talk
from 5-10 years ago about how Google shows the impact of network policies
before applying them, I just searched for it and couldn't find it[1]. The
things like _Preview Mode_ and _Rich Rules Language_ could be very advanced.

[1] But I did find this page about their network research:
[https://research.google.com/teams/netsys/](https://research.google.com/teams/netsys/)

~~~
puzzle
What kind of network policies? Millions of years ago, Google used Cariden
software to simulate what happened when links went down, QoS changes were
applied, etc. From what I recall, at some point, the size of the network, new
special hardware and the need for more flexibility outgrew the tool's
capabilities, so IIRC it was supplanted by in-house solutions that were more
real-time and fit into the new SDN architecture.

------
foxylad
Interesting - given Cloudflare's real value proposition and domination of
their sector, I've been half expecting Google to buy them for a year now.

Google are very good at internet plumbing, and I expect this to be a pretty
compelling service. Serious competition and not being an acquisition target
any more must have really hurt Cloudflare's value today.

~~~
meirelles
Apparently, they don't support external origins yet. IMHO without this feature
they can't be considered a direct competitor to CloudFlare. Also, CloudFlare
lately is adding a bunch of very neat features, it's not just about DDoS.

Of course, for those who are already using GCP, depending on their needs, it
is a great alternative.

------
ivanfon
Not a huge fan of Google getting more control over the net. On the bright
side, Cloudflare getting a serious competitor is good.

~~~
villedepommes
Agreed. I just wish it wasn't Google. They "extinguished" a lot of good
projects...

~~~
deadbunny
Name one product in GCP (that had reached general release) that they have
"extinguished".

~~~
8perezm
Google custom search

~~~
deadbunny
Not part of GCP. Yes they have a history of shutting down free services but
things in GCP don't get shut down, they are products, products people pay for.

------
wslh
Many people don't realize that Cloudflare also received funding from Google:
[https://blog.cloudflare.com/why-we-raised-110m-from-fidelity-google-microsoft-baidu-and-qualcomm/](https://blog.cloudflare.com/why-we-raised-110m-from-fidelity-google-microsoft-baidu-and-qualcomm/).
It seems cheaper to include it in Google Cloud than buying the company.

------
philip1209
This would be a lot easier to use if Google added auto-https to their http
load balancers. They already offer it for AppEngine custom domains.

~~~
jwandborg
If you're using GKE there's [https://github.com/jetstack/cert-manager/](https://github.com/jetstack/cert-manager/)

------
victor106
This is great news. Cloudflare is way too expensive. Pricing seems reasonable:

Policy Charge: $5 per Cloud Armor policy per month
Per Rule Charge: $1 per rule per policy per month
Incoming Requests Charge: $0.75 per million HTTP(S) requests

~~~
kentonv
> Cloudflare is way too expensive.

Eh? DDoS protection on Cloudflare is free:
[https://blog.cloudflare.com/unmetered-mitigation/](https://blog.cloudflare.com/unmetered-mitigation/)

Which features of Google Cloud Armor are "too expensive" with Cloudflare?

(Disclosure: I'm an engineer at Cloudflare, but I'm genuinely curious what you
mean here.)

~~~
developer2
Not comparing to Cloud Armor, but the $200/month minimum to bring one's own
TLS certificate. That alone puts Cloudflare squarely on the list of unusable
options for any small project or business that is running their entire
production infrastructure on less than $100/month. Also, the inability to
specify cache expirations below... what was it... 30 minutes or 2 hours?
Again, forced to pay too much for one of the core features of a CDN.

~~~
zapita
I never thought I'd see the day when $200/month is considered "way too much"
for a CDN... We've really come a long way.

Personally I use Cloudflare's free tier for lots of projects, and it has a
perfectly reasonable TLS offering.

------
Elect2
Here's a comparison of Google Armor vs. AWS WAF vs. CloudFlare:
[https://www.chooseacloud.com/waf](https://www.chooseacloud.com/waf)

------
Dawny33
How does it compare to its Azure counterpart?
([https://azure.microsoft.com/en-in/services/ddos-protection/](https://azure.microsoft.com/en-in/services/ddos-protection/))

~~~
deno
Azure differentiates itself here by aligning their interests with the
customers' interests. They're not the first to do that either. For example,
another major hosting provider, OVH, bundles DDoS protection in their basic
service.

Google’s model de facto means they’re just running another protection racket,
that is they make more money the more DDoS attacks there are.

From Azure’s website:

> Protection against unplanned costs

> Our cost protection provides service credits for resource costs which are
> incurred as a result of a documented DDoS attack.

------
xstartup
Kubernetes doesn't support multi-region load balancing with GSLB yet.

~~~
manigandham
How is that related to security policies?

Also you can't run a GKE cluster across multiple regions, only multiple zones.
If you have multiple clusters in different regions, you can use a NodePort
service on each and manually set up a GSLB with a backend pointing to all of
the GKE clusters.

There is a solution being worked on though, called multi-cluster ingress:
[https://github.com/GoogleCloudPlatform/k8s-multicluster-ingress](https://github.com/GoogleCloudPlatform/k8s-multicluster-ingress)

~~~
puzzle
Running a Kubernetes cluster across multiple regions is not a great idea. You
can set up a federation of clusters, but GKE doesn't seem to support that yet,
so you need to create and manage the federated control plane yourself. And
there's no standard way at the moment to have generic cross-cluster
networking, like you easily could with Borg. So you can load balance external
requests to a number of clusters, as you explain, but currently it's easier if
each cluster is self-sufficient and doesn't need to refer to internal services
in other clusters.

~~~
manigandham
I didn't say anything about K8S across regions, it's fundamentally not
designed for it anyway.

GKE doesn't support federation because it's not a final feature either, it was
beta at best and is now being revised and renamed to "multi-cluster":
[https://github.com/kubernetes/community/tree/master/sig-multicluster](https://github.com/kubernetes/community/tree/master/sig-multicluster)

If you need to reach services between clusters, that's completely different
from ingress. Ingress is about external access to cluster services.

You can still use an authentication layer and expose everything through an
ingress, or use internal IPs for the services/containers which are already
routable in GCP's network across regions. A headless service to get the IPs
and a cron job to sync these to a public DNS system will give you the same
thing federation does for cross-cluster service discovery. There are also apps
like ExternalDNS that'll do it for you:
[https://github.com/kubernetes-incubator/external-dns](https://github.com/kubernetes-incubator/external-dns)

------
philip1209
I'm trying to enable Cloud Armor to play around with it, but it just looks
like a firewall. I don't see a simple way to just "turn it on" - it looks
like you have to create an IP address-based policy. It's unclear to me whether
there is any kind of adaptive DDoS protection.
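The comment above describes the product as a set of IP address-based rules rather than a switch, and an earlier comment mentions a preview mode. To make concrete what such a policy does with a request, here is an added example that models priority-ordered allow/deny rules with a preview flag. It is hypothetical code, not Google's implementation and not derived from any Cloud Armor documentation: the default-rule priority value, the action names and the fail-closed handling of malformed source addresses are all assumptions made for the illustration.

```python
"""Priority-ordered IP security policy with preview mode.

Constructed model: rules are evaluated lowest priority number first, the
first enforced match decides the outcome, and a rule in preview mode only
records that it would have matched, without changing the result.
"""
import ipaddress
from dataclasses import dataclass

DEFAULT_PRIORITY = 2147483647  # assumed: the catch-all rule that always matches
ALLOW, DENY = "allow", "deny(403)"


@dataclass(frozen=True)
class Rule:
    priority: int          # lower number is evaluated first
    src_ip_ranges: tuple   # CIDR strings; ("*",) matches any source
    action: str            # ALLOW or DENY
    preview: bool = False  # preview: log the match, do not enforce it

    def matches(self, addr) -> bool:
        for cidr in self.src_ip_ranges:
            if cidr == "*":
                return True
            # `addr in network` is False on an IPv4/IPv6 version mismatch
            if addr in ipaddress.ip_network(cidr, strict=False):
                return True
        return False


class SecurityPolicy:
    def __init__(self, name: str, rules):
        self.name = name
        priorities = [r.priority for r in rules]
        if len(set(priorities)) != len(priorities):
            raise ValueError("rule priorities must be unique")
        default = [r for r in rules if r.priority == DEFAULT_PRIORITY]
        if len(default) != 1 or default[0].src_ip_ranges != ("*",) or default[0].preview:
            raise ValueError("policy needs exactly one enforced catch-all default rule")
        for r in rules:
            if r.action not in (ALLOW, DENY):
                raise ValueError(f"unknown action {r.action!r}")
        self.rules = sorted(rules, key=lambda r: r.priority)

    def evaluate(self, client_ip: str) -> dict:
        """Return the enforced action and the priorities of preview rules that matched."""
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            # Fail closed on garbage rather than falling through to the default rule.
            return {"action": DENY, "matched_priority": None,
                    "previewed": [], "reason": "invalid source address"}
        previewed = []
        for rule in self.rules:
            if not rule.matches(addr):
                continue
            if rule.preview:
                previewed.append(rule.priority)  # would have fired; keep evaluating
                continue
            return {"action": rule.action, "matched_priority": rule.priority,
                    "previewed": previewed, "reason": "rule match"}
        raise AssertionError("unreachable: the default rule always matches")


def build_example_policy() -> SecurityPolicy:
    """Constructed policy: block one documentation range, preview-block one host, allow the rest."""
    return SecurityPolicy("edge-policy", [
        Rule(1000, ("203.0.113.0/24",), DENY),
        Rule(2000, ("198.51.100.7/32",), DENY, preview=True),
        Rule(DEFAULT_PRIORITY, ("*",), ALLOW),
    ])


if __name__ == "__main__":
    policy = build_example_policy()
    # Constructed sample sources: a blocked range, a previewed host, an IPv6 client, garbage.
    for src in ["203.0.113.9", "198.51.100.7", "2001:db8::1", "not-an-ip"]:
        print(src, policy.evaluate(src))
```

The preview flag is the operationally useful part: a new deny rule can be rolled out, its `previewed` hits checked against real traffic, and only then switched to enforced, which is how a practitioner would test an IP-based policy without risking an outage.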

------
nenrek
Honestly thought this was an early April Fools' joke based on the headline
alone.

------
greatamerican
Nice. Cloudflare has had no competition for too long.

~~~
ktta
Cloudflare is 'dominating' because of their free tier. There are other
services actual companies use. Fastly, Akamai, AWS Cloudfront, CacheFly and
more.

~~~
notamy
CF having that free tier is a HUGE reason me and people I know stick with it.
None of us want to have to throw money at a CF-like service for a low-traffic
site, or for an MVP, or... At some point, it definitely becomes worth it, but
Cloudflare's free tier is a HUGE boon early on imho.

------
samat
Is GCA able to cache responses with proper cache headers or does it pass
through everything without caching?

------
vim_wannabe
Is it true that sites routed via Cloudflare are blocked in certain countries
like China? Would this work better?

~~~
andrem
Just to clarify - Cloudflare have POPs behind the Great Firewall of China in
cooperation with Baidu. That is not to say Cloudflare routed sites are all
accessible through CF, but it's certainly not a blanket statement either way.

Not sure if this would work better.

~~~
Elect2
Yes, but you need a "license" from the Chinese government. Otherwise your
website will still be routed to edges outside of China. And the bigger problem
is the CloudFlare DNS, it is not working well in China.

------
shenki0
googleflare

------
mdekkers
Many, many years ago, a new product or service announcement from Google would
leave me interested and excited. Now I just shrug and wonder when it will be
abandoned.

------
jacksmith21006
Wasn't it Google that uncovered Cloudbleed? Think Google's solution is going
to be more secure than something from Cloudflare.

