Google Cloud Armor WAF

A deep dive into the OWASP Core Rule Set (CRS) used by Google Cloud Armor. Understand the regex behind the rules and how to tune them for your application.

Tailoring Rules to Your App

1. Sensitivity Levels

Cloud Armor's sensitivity levels map to the OWASP CRS "Paranoia Levels". Level 1 is the safe default; Level 4 is extreme.

Level 1: Default. Blocks obvious attacks.
Level 2: Also blocks hex encoding (e.g., %41).
Level 3-4: High false-positive rate. Specialized use only.

2. Preview Mode

Never turn on a rule in "Block" mode immediately. Use Preview Mode to log what would have happened.

gcloud compute security-policies rules update 1000 \
  --security-policy=POLICY_NAME \
  --preview

(POLICY_NAME is a placeholder for your security policy; 1000 is the priority of the rule being updated.)

Then query Cloud Logging for request log entries that carry a previewSecurityPolicy block: each one records what the rule would have done to that request, so you can find false positives before going live.
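As an added example (not part of the original page), a small Python triage script for the preview-mode logs just described. It reads constructed sample entries shaped like the HTTP(S) load balancer request log with a previewSecurityPolicy block (the field names preconfiguredExprIds, outcome and priority are an assumption about the log schema) and ranks the path/signature pairs that would have been denied most often, so you can review them before taking the rule out of preview.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample entries (one JSON object per line), shaped like HTTP(S) load
# balancer request logs carrying a previewSecurityPolicy block. The field names are
# an assumption about the log schema, not copied from a real environment.
SAMPLE_LOG = '''
{"httpRequest": {"requestMethod": "POST", "requestUrl": "https://app.example.com/api/search?q=1"}, "jsonPayload": {"previewSecurityPolicy": {"name": "edge-policy", "priority": 1000, "outcome": "DENY", "preconfiguredExprIds": ["owasp-crs-v030301-id942100-sqli"]}}}
{"httpRequest": {"requestMethod": "POST", "requestUrl": "https://app.example.com/api/search?q=2"}, "jsonPayload": {"previewSecurityPolicy": {"name": "edge-policy", "priority": 1000, "outcome": "DENY", "preconfiguredExprIds": ["owasp-crs-v030301-id942100-sqli"]}}}
{"httpRequest": {"requestMethod": "POST", "requestUrl": "https://app.example.com/api/search?q=3"}, "jsonPayload": {"previewSecurityPolicy": {"name": "edge-policy", "priority": 1000, "outcome": "DENY", "preconfiguredExprIds": ["owasp-crs-v030301-id942100-sqli"]}}}
{"httpRequest": {"requestMethod": "GET", "requestUrl": "https://app.example.com/login"}, "jsonPayload": {"previewSecurityPolicy": {"name": "edge-policy", "priority": 1000, "outcome": "DENY", "preconfiguredExprIds": ["owasp-crs-v030301-id942100-sqli"]}}}
{"httpRequest": {"requestMethod": "GET", "requestUrl": "https://app.example.com/"}, "jsonPayload": {"previewSecurityPolicy": {"name": "edge-policy", "priority": 1000, "outcome": "ACCEPT", "preconfiguredExprIds": []}}}
{"httpRequest": {"requestMethod": "GET", "requestUrl": "https://app.example.com/health"}, "jsonPayload": {"enforcedSecurityPolicy": {"name": "edge-policy", "priority": 2147483647, "outcome": "ACCEPT"}}}
'''

def parse_entries(text):
    """Parse newline-delimited JSON log entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def preview_denials(entries):
    """Yield (priority, signature id, path) for each request a preview rule would have denied."""
    for entry in entries:
        policy = entry.get("jsonPayload", {}).get("previewSecurityPolicy")
        if not policy or policy.get("outcome") != "DENY":
            continue  # preview ACCEPT, or the request never reached a preview rule
        path = urlsplit(entry.get("httpRequest", {}).get("requestUrl", "")).path
        for expr_id in policy.get("preconfiguredExprIds") or ["<no-signature>"]:
            yield policy.get("priority"), expr_id, path

def false_positive_candidates(entries, min_hits=2):
    """Count preview denials per (priority, signature, path), most frequent first.

    One path tripping the same CRS signature over and over is the usual shape of a
    false positive (e.g. a search box whose legitimate input looks like SQL); one-off
    hits on unrelated paths look more like probing and are dropped by min_hits.
    """
    hits = Counter(preview_denials(entries))
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(key, n) for key, n in ranked if n >= min_hits]

if __name__ == "__main__":
    for (priority, expr_id, path), n in false_positive_candidates(parse_entries(SAMPLE_LOG)):
        print(f"rule {priority} {expr_id} would have denied {path} {n}x: review before enforcing")
```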

3. Custom Exclusions

Don't disable a whole rule for one noisy field. Exclude specific headers or cookies from inspection.

evaluatePreconfiguredWaf('sqli-v33-stable')

The exclusion is configured on the rule rather than inside the expression (POLICY_NAME is a placeholder; 1000 is the priority of the rule above):

gcloud compute security-policies rules add-preconfig-waf-exclusion 1000 \
  --security-policy=POLICY_NAME \
  --target-rule-set=sqli-v33-stable \
  --request-header-to-exclude=op=EQUALS,val=auth-token

This keeps SQLi protection active for the rest of the request and skips inspection only of the auth-token header.

Advanced Defense Strategies

Rate Limiting

Don't just block bad payloads; block excessive traffic. Throttling prevents brute-force login attempts and aggressive scrapers.

rate_limit_options: {
  rate_limit_threshold: { count: 100, interval_sec: 60 },
  enforce_on_key: "IP",
  conform_action: "allow",
  exceed_action: "deny(429)"
}
// Rule action: throttle (clients over 100 requests per 60 s from one IP get a 429)

Geo-Fencing

Reduce your attack surface by blocking traffic from countries where you do not do business.

origin.region_code == 'RU' || origin.region_code == 'CN'
// Action: Deny 403

Bot Management

Integrate reCAPTCHA Enterprise to challenge suspicious traffic before it hits your backend.

token.recaptcha_session.score < 0.4
// Action: Redirect to Challenge Page

Positive Security

Instead of chasing bad traffic, strictly define "Good" traffic (e.g., specific methods or headers) and block everything else.

!request.method.matches('^(GET|POST)$')
// Action: Deny 405 (Method Not Allowed)

How It Works: Under the Hood

Edge Enforcement

Cloud Armor sits at the Google Network Edge (PoPs). Malicious traffic is dropped before it enters your VPC, saving your load balancers and backend instances from processing junk requests.

Adaptive Protection (ML)

Google's machine learning models learn your app's "normal" traffic. If it detects an anomaly (like a sudden spike from a specific User-Agent), it will generate a recommended rule for you to block the attack with one click.

Priority Hierarchy

Rules are evaluated from 0 (Highest) to 2,147,483,647 (Lowest). Processing stops at the first match.

Pro Tip: Always place your specific "Deny" rules (e.g., SQLi Block) at a higher priority (lower number) than your broad "Allow" rules to prevent accidental bypasses.