TTechclick ⚡ XP 0% All lessons
GCP · Network · Cloud Armor & FirewallInteractive · L1 / L2 / L3

GCP Cloud Armor & VPC Firewall: — Edge DDoS, WAF and Network Defense

A SQL-injection flood hits your public app and, an hour later, a compromised web VM tries to crawl your database tier. One attack, two very different doors — and Google Cloud gives you a different guard for each. This lesson makes you fluent in both: Cloud Armor at the edge and the VPC firewall inside.

📅 2026-06-11 · ⏱ 13 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

GCP Cloud Armor & VPC firewall for L1/L2 engineers and the Professional Cloud Security Engineer exam: edge WAF + DDoS, OWASP SQLi/XSS rules, rate-limiting, and east-west firewall rules done right.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Two layers

Edge WAF vs VPC firewall — who guards which door.

 2

Firewall done right

Priority, tags vs SAs, implied deny, egress lock-down.

 3

Cloud Armor

OWASP rules, rate-limit, bots, geo, adaptive ML.

 4

Put it together

Block an SQLi flood + bad bot, plus the cheat-sheet.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. A bot is sending SQL-injection payloads to your public website hosted behind a Google external load balancer. Which control is built to spot and block that?

Answered in Two layers.

2. Two VPC firewall rules could match the same packet: one at priority 1000 allows it, one at priority 2000 denies it. What happens?

Answered in Cloud Armor.

3. In a brand-new VPC with no rules you create, can a VM make outbound connections to the internet by default?

Answered in Firewall done right.

Most engineers think…

Most engineers hear "GCP firewall" and "Cloud Armor" and assume they're two names for the same thing — or that turning on Cloud Armor means you can skip writing firewall rules.

Wrong — and that gap is exactly how breaches spread. They operate at different layers and on different traffic. Cloud Armor is an L7 web-application firewall + DDoS service that sits at the edge, on the external Application Load Balancer, and inspects the content of HTTP requests (it can read a SQLi payload). VPC firewall rules are L3-L4, attached to the VPC network, and control which workloads can talk to which — including the east-west, VM-to-VM traffic Cloud Armor never even sees. Cloud Armor stops the web attack at the front door; the VPC firewall stops the attacker walking sideways once they're inside. You need both.

① Two layers of GCP network defence

Picture Sneha, an L1 cloud-security engineer at Flipkart, on her first on-call week. Two alerts land within the hour. The first: a burst of SQL-injection requests hammering the public checkout site. The second, later: one of the web servers behind that site has started probing TCP 5432 on the database subnet — a host that should never initiate database connections directly. Same incident, but the two problems live at two completely different layers, and Google Cloud hands her a different tool for each.

The first is a north-south, application-layer problem: bad HTTP coming from the internet into the app. The right guard is Cloud Armor — a WAF that runs in Google's edge, attached to the external Application Load Balancer. It reads the request itself and can recognise a SQLi or XSS string before it ever touches a server.

The second is an east-west, network-layer problem: one internal workload talking to another it shouldn't. The right guard is the VPC firewall — stateful L3-L4 rules attached to the VPC network. The firewall doesn't know or care what HTTP is; it decides whether the web tier is even allowed to open a connection to the database tier. Cloud Armor never sees that VM-to-VM traffic at all.

👉 So far: two layers — Cloud Armor (L7, edge, north-south) and the VPC firewall (L3-L4, inside, east-west). Next: see them side by side and where each one physically sits.

Here's the shape to hold in your head. The VPC firewall is built into every VPC and is always on: it has an implied deny-ingress rule so nothing reaches a VM unless a rule you wrote says yes. Cloud Armor is opt-in: you create a security policy and attach it to your load balancer's backend service. One protects the perimeter of your app; the other segments the inside.

Figure 1 — Two layers of defence — edge WAF and internal firewall
Cloud Armor guards the front door at the load balancer edge; VPC firewall rules guard the doors between your subnets inside A two-layer Google Cloud network defence. The internet on the left is untrusted. A Cloud Armor security policy is attached to the external Application Load Balancer at the Google edge, inspecting Layer 7 HTTP requests and blocking DDoS, SQL injection and cross-site scripting before traffic ever reaches a VM. Behind the load balancer sits one VPC network with a web subnet and a database subnet. VPC firewall rules attached to the network control east-west traffic between the web tier and the database tier by network tag or service account, with an implied deny-ingress rule at the bottom. Red marks the untrusted internet, amber marks the two policy-decision layers, blue marks the trusted inspected interior, green marks allowed flows. Two layers — Cloud Armor at the edge (north-south), VPC firewall inside (east-west) Internetbots, scanners,SQLi, XSS, L7 DDoSuntrusted by default Cloud Armoredge WAF + DDoSon the Application LB• OWASP preconfigured rules• rate-limit + bot defence• geo / IP allow-deny• adaptive protection (ML)runs in Google's edge VPC network — prod-vpc (10.10.0.0/16) web subnet10.10.1.0/24tag: web · SA: web@… db subnet10.10.2.0/24tag: db · SA: db@… VPC firewall rule — allow tcp:5432 from tag:web → tag:db (pri 1000) implied deny-ingress (pri 65535) — everything else dropped east-west clean north-south traffic Key idea: Cloud Armor blocks the web attack; the firewall stops the lateral move if one host is owned untrusted / attackertrusted / inspectedpolicy / decisionkey insightallowed
Read left to right: untrusted internet → Cloud Armor at the LB edge (L7) → clean traffic enters the VPC → VPC firewall rules govern web↔db (east-west). Notice the firewall has no idea about HTTP; Cloud Armor never sees the web↔db hop.

Edge vs inside, in one tap each

Tap each card — this is the mental split every GCP network question (and interview) tests.

🌐
Cloud Armor (edge)
tap to flip

L7 WAF + DDoS on the external Application LB. Reads the HTTP request. So: it stops SQLi/XSS/bots before any VM is touched.

🧱
VPC firewall (inside)
tap to flip

L3-L4 stateful rules on the VPC. Matches IP/port/protocol per target. So: it decides which workloads may talk — east-west containment.

🧭
Direction
tap to flip

Cloud Armor = north-south (internet↔app). Firewall = mostly east-west (VM↔VM). So: a breach needs you to win on both axes.

🔒
Default posture
tap to flip

Firewall: ingress denied, egress allowed, by implied rules. Cloud Armor: opt-in, attach a policy. So: the firewall is already guarding; Armor you must switch on.

Daily-life analogy — the society gate vs the flat door

Think of a Mumbai housing society. Cloud Armor is the main gate with the security guard and the visitor register: every outsider is screened at the boundary, and a known troublemaker (a SQLi bot) is turned away before they even enter the compound. The VPC firewall is the lock on each individual flat door: even a person already inside the compound can't just walk into your flat. A delivery boy (the web tier) might be allowed up to the 4th floor (the db tier) only for a specific reason. Screen at the gate and lock the doors — relying on one alone is how trouble spreads.

Quick check · Q1 of 10

Rahul at Infosys says: "We put a Cloud Armor policy on our load balancer, so we don't really need VPC firewall rules between our app and database tiers, right?" What's the correct response?

Correct: d. Cloud Armor sits at the load-balancer edge and inspects north-south L7 HTTP; it never sees east-west VM-to-VM traffic, so segmentation between app and db tiers is still the VPC firewall's job. It doesn't inspect VM-to-VM at all; the implied allow-egress is about outbound, not inbound segmentation; and the cost point is irrelevant to the architecture.

Pause & Predict

Predict: an attacker fully compromises one web-tier VM that's behind Cloud Armor. Cloud Armor is doing its job at the edge. Why might the VPC firewall still be the thing that saves you? Type your guess.

Answer: Because the attacker is now inside the perimeter — their malicious traffic to the database tier is east-west VM-to-VM, which never passes back through Cloud Armor at the edge. A tight VPC firewall rule (e.g. only tag:web may reach tag:db on tcp:5432, and even then nothing else) limits the blast radius and stops the attacker pivoting to the database or to other subnets. Edge defence stops the way in; the firewall stops the way around. That's defence in depth.

② VPC firewall done right

Let's make the VPC firewall second nature, because most production incidents are a firewall rule that was too broad or in the wrong order. Three facts anchor everything. One: rules have a priority from 0 to 65535lower number wins, and the first matching rule stops the search (first hit, not best fit). Two: firewall rules are stateful — allow the inbound and the return traffic is automatically allowed; you rarely write the reply rule. Three: every VPC ships with two implied rules you can't delete — deny-ingress and allow-egress, both at priority 65535.

That third fact has a sharp edge. Ingress is denied by default — good. But egress is allowed by default. So a freshly compromised VM can, out of the box, phone home to a command-and-control server or exfiltrate data outbound, and no rule stops it. Mature teams therefore add deny-by-default egress: a low-priority deny to 0.0.0.0/0, then narrow allow rules above it for exactly the destinations the workload needs.

Figure 2 — How a VPC firewall evaluates a packet
A VPC firewall checks a packet against rules lowest-priority-number first and stops at the first match; if nothing matches, the implied deny-ingress rule at 65535 drops it A packet enters a Google Cloud VM and is evaluated against VPC firewall rules in priority order, from low priority numbers to high. It first checks a custom allow rule at priority 1000 targeting network tag web; if the connection matches, traffic is allowed and evaluation stops because firewall rules are stateful so the return is auto-allowed. If nothing matches, evaluation falls through to the implied deny-ingress rule at priority 65535, which drops the packet silently. A separate note shows that egress is the opposite: an implied allow-egress rule at priority 65535 permits all outbound unless you add a deny rule for deny-by-default egress. Amber marks decision points, green marks an allowed exit, red marks the implied deny drop. VPC firewall evaluation — lowest priority number wins, first match stops the search packet arrivessrc · proto · port · target Pri 1000 · allow-web-httpssrc 0.0.0.0/0 → target tag:web : tcp 443 → ALLOW match → ALLOWstop · stateful return auto match no match ↓ fall through to next priority number Pri 1100 · allow-db-from-webtag:web → tag:db : tcp 5432 → ALLOW Pri 65535 · implied deny-ingresscannot be deleted · anything unmatched → DROP no match → DROPsilent · no reply Egress is the mirror image: implied ALLOW-egress at 65535 — outbound is open by default.For deny-by-default egress you add a low-priority deny 0.0.0.0/0, then allow only what's needed. Target by tag:web or by service account — NOT by source IP — so the rule follows the workload, not the address untrusted / denytrusted / inspectedpolicy / decisionkey insightallowed
Follow the fall-through: the engine tries rules in priority order (low → high) and stops at the first match. Miss everything and the implied deny-ingress at 65535 drops it. The amber band reminds you egress is the mirror image — open by default.

Now the rule that separates juniors from people who get hired: target by tag or service account, not by source IP. A network tag like web is convenient but it's just a string any editor can stick on a VM. A service account is an IAM-controlled identity — it says what the VM is, and only IAM admins can change it. For production least-privilege, prefer --target-service-accounts. Either way, the rule then follows the workload, not a fragile IP that changes when the VM is recreated.

gcloud — least-privilege rule: only the web tier may reach the db tier on Postgres
gcloud compute firewall-rules create allow-web-to-db \
  --network=prod-vpc \
  --direction=INGRESS \
  --action=ALLOW \
  --rules=tcp:5432 \
  --source-service-accounts=web-sa@my-proj.iam.gserviceaccount.com \
  --target-service-accounts=db-sa@my-proj.iam.gserviceaccount.com \
  --priority=1100
Expected output
Creating firewall...done.
NAME              NETWORK   DIRECTION  PRIORITY  ALLOW      DENY  DISABLED
allow-web-to-db   prod-vpc  INGRESS    1100      tcp:5432         False
  sourceServiceAccounts: web-sa@my-proj.iam.gserviceaccount.com
  targetServiceAccounts: db-sa@my-proj.iam.gserviceaccount.com
Common mistake — "my allow rule is there but traffic is still blocked"

Symptom: you created an allow tcp:443 rule, the VM still refuses connections. Two classic causes. (1) A higher-priority deny rule (lower number) matches first — remember first hit, not best fit; check with gcloud compute firewall-rules list --sort-by=priority. (2) Your rule's target tag/SA doesn't actually match the VM — the rule exists but applies to nothing. Also: a hierarchical firewall policy at the org or folder level can deny above your project's rules entirely, and you may not even see it from inside the project.

That last point scales up to org-wide guardrails. A hierarchical firewall policy is attached at the organisation or folder level and is evaluated before any project's own rules, so a security team can mandate, say, "deny inbound RDP 3389 from the internet everywhere, no exceptions" across the whole org. There are also global and regional network firewall policies for consistent rule sets within a VPC. Note one gotcha: hierarchical policies can't target by instance network tag — they target VPC networks and service accounts.

🖥️ This is the screen you'll use to spot dead weight — Google Cloud Console → Network Intelligence → Firewall Insights. (Recreated for clarity — your console matches this.)
console.cloud.google.com · Network Intelligence · Firewall Insights
1
Project
flipkart-prod
2
VPC network
prod-vpc
3
Insight type
Unused rules (no hits in 6 weeks)
4
Finding: allow-ssh-all
0.0.0.0/0 → tcp:22 · 0 hits · OVERLY PERMISSIVE
Finding: allow-legacy-8080
shadowed by higher-priority deny · UNUSED
Recommendation
Tighten source to bastion 203.0.113.10/32 or delete
View recommendations
Quick check · Q2 of 10

Aditya at TCS must allow only the app tier to reach the cache tier on TCP 6379, in a way that survives VMs being recreated and can't be loosened by a developer with instance-edit rights. Best targeting?

Correct: c. Service-account targeting ties the rule to an IAM-controlled identity, so it follows the workload across recreations and only IAM admins (not anyone with instance-edit) can change it. A source IP/subnet breaks when IPs change and is coarse; network tags are arbitrary strings an editor can add/remove; opening 6379 to the world and trusting a password is the opposite of least privilege.

Pause & Predict

Predict: your VPC has only an 'allow tcp:443 from 0.0.0.0/0 to tag:web' rule and the two implied rules. A compromised web VM tries to curl a malware host on the internet over port 443 outbound. Does the firewall stop it? Why or why not? Type your guess.

Answer: No — it doesn't. Your one rule is an ingress allow. Outbound is governed by the implied allow-egress rule (priority 65535), which permits all egress because you never restricted it. So the compromised VM can reach the internet freely. The fix is deny-by-default egress: add a low-priority deny to 0.0.0.0/0 on egress, then allow only the specific destinations (e.g. your package mirror, Google APIs) the workload genuinely needs.

③ Cloud Armor — the edge WAF & DDoS layer

Now the front gate. A Cloud Armor security policy is an ordered list of rules — each with a priority, a match condition, and an action — that you attach to a load-balancer backend service. When a request hits the external Application Load Balancer, Cloud Armor evaluates it top-down (again lowest priority number first) and the first matching rule's action wins. At the very bottom sits a default rule at priority 2147483647 — set to allow out of the box, which you typically keep as the catch-all.

The star feature is the preconfigured WAF rules. Instead of hand-writing attack signatures, you reference a named expression. evaluatePreconfiguredExpr('sqli-v33-stable') turns on the whole SQL-injection rule set; evaluatePreconfiguredExpr('xss-v33-stable') the cross-site-scripting set. These are built on the OWASP Core Rule Set and cover most of the OWASP Top 10 — SQLi, XSS, local/remote file inclusion, remote code execution and more.

Each preconfigured rule has a sensitivity level (1-4). Higher sensitivity catches more attacks but raises false positives; lower sensitivity uses only high-confidence signatures. You can also tune a rule to exclude specific OWASP rule IDs that trip on your legitimate traffic (e.g. a field that legitimately contains characters the WAF reads as XSS). The skill here is balance: too tight and you block real customers; too loose and you miss the attack.

👉 So far: a security policy = ordered rules on a backend service, with OWASP preconfigured WAF rules for SQLi/XSS. Next: the other Cloud Armor weapons — rate-limiting, bots, geo and adaptive ML.

Beyond signatures, Cloud Armor brings volumetric and behavioural defences. Rate-limiting gives you two actions: throttle (slow a noisy client down to a request rate) and rate-based-ban (temporarily ban a client that blows past the limit). You can key the limit on source IP, an HTTP header, or a JA4 fingerprint. Bot management can challenge suspected bots, and geo-based rules (origin.region_code == 'IN') and named IP/address lists let you allow or deny whole countries or known-good/bad IP ranges in one place.

The smartest layer is Adaptive Protection — machine learning that watches each backend service for anomalous Layer-7 traffic in real time. When it spots an HTTP flood, it does three things: alerts you, generates a signature describing the attack, and suggests a custom rule you can deploy with one click. This is what stands between you and an L7 DDoS that no static signature would have caught — and Google's edge has used exactly these mechanisms to absorb record floods peaking above 398 million requests/second (the HTTP/2 Rapid Reset class, CVE-2023-44487).

Figure 3 — VPC firewall vs Cloud Armor — pick by the question it answers
Pick the control by the question it answers: VPC firewall for L3-L4 east-west allow/deny on the VPC, Cloud Armor for L7 web attacks and DDoS at the load balancer edge A two-column decision card comparing VPC firewall rules and Cloud Armor. VPC firewall rules are a free stateful Layer 3 to 4 control attached to the VPC network, evaluated by priority, targeting VMs by network tag or service account, ideal for east-west micro-segmentation between subnets and tiers; they have no idea about HTTP content. Cloud Armor is an edge Layer 7 web application firewall and DDoS service attached to the external Application Load Balancer, with OWASP preconfigured rules for SQL injection and cross-site scripting, rate limiting, bot management, geo and IP allow-deny, and machine-learning adaptive protection; it never sees east-west VM-to-VM traffic. Amber marks the decision question at the top of each column; the bottom band states they are layers not rivals. VPC firewall vs Cloud Armor — different layers, different jobs, not rivals VPC firewall rules "who inside can talk to whom?" (east-west) • Layer 3–4: src/dst, protocol, port • attached to the VPC network • stateful · priority 0–65535 • target by tag or service account • implied deny-ingress / allow-egress • free of charge ✗ no HTTP awareness — can't see SQLi/XSS ✗ no DDoS rate-limiting / bot logic Use for: tier-to-tier segmentation, lateral-move containment Cloud Armor "is this web request an attack?" (north-south) • Layer 7: inspects the HTTP request • attached to the external App LB • OWASP preconfig: SQLi, XSS, LFI/RCE • rate-limit · bot mgmt · geo/IP lists • adaptive protection (ML L7 DDoS) • preview mode before enforce · paid ✗ never sees VM-to-VM east-west traffic ✗ needs an external Application LB Use for: public web apps/APIs, DDoS, OWASP Top 10 untrusted / attackertrusted / inspectedpolicy / decisionkey insightallowed
Use the amber question at the top of each column to choose. Left answers 'who inside can talk to whom?' (L3-L4, east-west). Right answers 'is this web request an attack?' (L7, north-south). They stack — you run both.
gcloud — create a policy, turn on the OWASP SQLi rule, then add a rate-limit ban (in PREVIEW first)
# 1) policy + attach to the backend service
gcloud compute security-policies create web-policy --description "edge WAF for checkout"
gcloud compute backend-services update checkout-bes --global --security-policy web-policy

# 2) block SQL injection using the OWASP preconfigured rule (preview, watch logs first)
gcloud compute security-policies rules create 1000 \
  --security-policy web-policy \
  --expression "evaluatePreconfiguredExpr('sqli-v33-stable')" \
  --action deny-403 --preview

# 3) rate-based ban: >100 req/min from one IP gets a 10-min 429
gcloud compute security-policies rules create 1200 \
  --security-policy web-policy --src-ip-ranges "*" \
  --action rate-based-ban --rate-limit-threshold-count 100 \
  --rate-limit-threshold-interval-sec 60 --ban-duration-sec 600 \
  --conform-action allow --exceed-action deny-429 --enforce-on-key IP
Expected output
Created [.../securityPolicies/web-policy].
Updated [.../backendServices/checkout-bes].
Created rule [1000] (preview)  action: deny-403  expr: evaluatePreconfiguredExpr('sqli-v33-stable')
Created rule [1200]            action: rate-based-ban  key: IP  threshold: 100/60s  ban: 600s
Prove the WAF works before you trust it — preview mode + logs

A new WAF rule deployed straight to enforce can block paying customers on day one. So deploy it with --preview first: Cloud Armor evaluates the rule and logs what it would have blocked without actually blocking anything. Watch the request logs (Logging → resource.type=http_load_balancer, field enforcedSecurityPolicy / previewSecurityPolicy) for a few days. If only real attacks would have been blocked, flip it to enforce with rules update 1000 --security-policy web-policy --no-preview. Never enforce a fresh signature blind.

Quick check · Q3 of 10

Priya at PhonePe needs to block obvious SQL-injection attempts to the public API but is terrified of breaking a legitimate field that contains SQL-like text. What's the safe rollout?

Correct: a. Preview mode logs what the rule would block without blocking it, so Priya can confirm only real attacks are caught and exclude any OWASP rule IDs that trip on her legitimate field before enforcing. Enforcing sensitivity 4 blind risks blocking real customers; rate-limiting doesn't catch injection content; and geo-blocking the region would lock out legitimate users.

Pause & Predict

Predict: an attacker launches an HTTP flood that mimics real traffic — valid URLs, varied IPs, no obvious SQLi or XSS. Your preconfigured OWASP rules see nothing wrong. Which Cloud Armor feature is designed for exactly this, and what does it hand you? Type your guess.

Answer: Adaptive Protection. Because the flood carries no static attack signature, the OWASP preconfigured rules stay quiet — but Adaptive Protection's ML model learns each backend service's normal traffic shape and flags the anomaly in real time. It then gives you three things: an alert, a generated signature describing the attack pattern (e.g. a specific user-agent + path combination), and a suggested custom WAF rule you can deploy in one click to block just the malicious slice without touching legitimate users.

④ Putting it together — block an SQLi flood + a bad bot

Time to wire both layers into one defence. The design pattern you'll see on the job: Cloud Armor at the edge for L7 and DDoS on the public Application Load Balancer, and VPC firewall rules inside for east-west segmentation between every tier. Cloud Armor stops the attack arriving; the firewall stops it spreading. Let's walk a real incident through both.

▶ Watch one malicious request hit the stack

A bot from a flagged ASN sends a SQL-injection payload to the Flipkart checkout API, then a flood of lookalike requests. Follow what each layer does. Press Play for the healthy path, then Break it to see the failure.

① Edge / Cloud Armorrequest from 203.0.113.45 → checkout API; Cloud Armor reads the HTTP body
② WAF matchbody matches sqli-v33-stable → action deny-403; request never reaches a VM
③ Rate-limitsame client floods → rate-based-ban on key IP → 10-min 429
④ Inside / VPC firewallhad a web VM been owned, tag:webtag:db is allowed only on tcp:5432 — nothing else
Press Play to step through the healthy path. Then press Break it.

Karthik at ICICI faces this

Karthik, an L2 engineer, gets paged: the public banking portal is slow and the WAF dashboard shows a spike of SQLi-pattern requests plus a flood of near-identical GETs from a handful of ASNs in one region the bank doesn't serve.

Likely cause

Two overlapping attacks: an injection probe (L7 content) and a volumetric bot flood (L7 volume) from a specific geography. A single control won't cleanly handle both — he needs layered Cloud Armor rules, ordered by priority.

Diagnosis

He opens the Cloud Armor policy and confirms the SQLi rule is enforcing (not preview), checks Adaptive Protection alerts for the flood signature, and reads the geo field origin.region_code in the LB logs.

Google Cloud Console → Network Security → Cloud Armor policies → web-policy → Rules / Adaptive Protection
Fix

Keep sqli-v33-stable enforcing (deny-403); add a rate-based-ban keyed on IP for the flood; add a geo deny rule for the non-served region (origin.region_code == 'XX' → deny-403) at a higher priority; deploy Adaptive Protection's suggested signature for the residual.

Verify

LB latency returns to baseline; enforcedSecurityPolicy logs show deny-403 on the SQLi and geo rules and 429s on the rate-banned IPs; legitimate Indian customer traffic is unaffected.

🖥️ This is the form you'll fill to add a rule — Google Cloud Console → Network Security → Cloud Armor policies → web-policy → Add rule. (Recreated for clarity — your console matches this.)
console.cloud.google.com · Network Security · Cloud Armor · web-policy · Add rule
1
Mode
Advanced (CEL expression match)
2
Match — Expression
evaluatePreconfiguredExpr('sqli-v33-stable')
3
Action
Deny
Deny response code
403 (Forbidden)
4
Priority
1000
Preview only (enforce later)
✓ enabled
Add rule
Common mistake — rule ordering and the preview trap

Two gotchas bite everyone once. (1) Ordering: Cloud Armor (and the VPC firewall) is first-match-by-priority — if a broad allow sits at a lower priority number than your deny, the deny never runs. Always put specific deny/ban rules at lower numbers than broad allows. (2) The preview trap: a rule left in --preview looks active on the dashboard but only logs — it blocks nothing. If 'my WAF rule isn't blocking the attack,' check it isn't still in preview before anything else.

Figure 4 — Cloud Armor + VPC firewall — the cheat-sheet
GCP Cloud Armor and VPC firewall on one card — the commands, priorities, OWASP expressions and rate-limit actions you will actually type A nine-tile cheat sheet for Google Cloud network defence. Tiles cover the firewall create command, firewall priority and implied rules, targeting by tag or service account, Firewall Insights for unused rules, the Cloud Armor create and attach commands, the OWASP preconfigured expressions for SQL injection and cross-site scripting, the rate-limit and ban actions, preview mode before enforce, and adaptive protection. Each tile has a one-line role. Cloud Armor + VPC firewall — your one-glance card Create a firewall rulegcloud compute firewall-rules createallow-db --network=prod-vpc--allow=tcp:5432 --source-tags=web--target-tags=db --priority=1100east-west allow, lowest number wins Priority + implied rulesrange 0–65535 · default 1000implied deny-ingress = 65535implied allow-egress = 65535egress open by default — lock it down Target least-privilegetag = arbitrary string (anyone w/ edit)service account = IAM identityprod → prefer --target-service-accountsnever target by source IP alone Firewall Insightsfinds unused / shadowed / over-broadrules + hit-count metricsConsole → Network Intelligencetighten 0.0.0.0/0 SSH rules first Cloud Armor — create + attachgcloud compute security-policies create web-policybackend-services update web-bes --security-policy web-policypolicy binds to a backend service OWASP preconfiguredevaluatePreconfiguredExpr( 'sqli-v33-stable') 'xss-v33-stable'CRS-based · sensitivity 1–4tune to kill false positives Rate-limit + ban--action=throttle (slow them)--action=rate-based-ban (temp ban)key: IP / HTTP-header / JA4also: geo (origin.region_code) Preview, then enforcerules create 1000 … --previewwatch logs for false positivesrules update 1000 --no-previewnever enforce a new rule blind Adaptive ProtectionML watches each backend servicealerts on anomaly + suggests a ruledefault Cloud Armor rule pri2147483647 (allow)
Your one-card map: the firewall commands, priorities and implied rules on top; the Cloud Armor policy, OWASP expressions, rate-limit actions, preview flow and adaptive protection below. Keep it open in your first week and before any GCP network interview.

For your certification path, this lesson lands squarely on the Professional Cloud Security Engineer blueprint — specifically the "configure network security" domain (roughly 20-25% of the exam), which calls out VPC firewall rules, Cloud Armor, DDoS protection and configuring web application firewalls by name. A favourite exam (and interview) trap is exactly the myth we opened with: knowing that Cloud Armor is L7-at-the-edge and the VPC firewall is L3-L4-east-west, and that you need both, answers a surprising share of the network-security questions outright.

Prove you own this lesson

Cold, in 30 seconds: where does each control attach (Cloud Armor → external Application LB backend service; VPC firewall → the VPC network); the default posture (ingress denied, egress allowed via implied rules at 65535); how to target least-privilege (by service account, not IP); the two rate-limit actions (throttle, rate-based-ban); and why you always preview before enforce. If you can say all five without notes, you're ready for the next lesson and the network-security exam domain.

Related: GCP Security Command Center
Quick check · Q4 of 10

An interviewer asks Meera: "Walk me through defending a public GCP web app against both a SQL-injection campaign and an HTTP flood, while containing a possible breach." Which answer is strongest?

Correct: d. It layers the right control at each layer: Cloud Armor (L7 edge) handles the injection and flood with preview-then-enforce and ML adaptive protection, while VPC firewall rules (L3-L4, service-account targeted) contain east-west movement if a VM is breached. Public IPs on every VM is the opposite of safe; skipping firewall rules leaves no east-west containment; allow-listing every customer IP is unworkable for a public app.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from GCP docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

In Google Cloud, which control is an edge Layer-7 web application firewall and DDoS service attached to the external Application Load Balancer?

Correct: c. Cloud Armor is the L7 WAF + DDoS service that attaches to an external Application Load Balancer backend service. VPC firewall rules and hierarchical firewall policies are L3-L4 controls on the network; Firewall Insights is an analysis tool, not an enforcement control.
Q6 · Apply

An Airtel team needs only the web tier to reach the database tier on TCP 5432, in a rule that can't be loosened by a developer with instance-edit permission. How should they target the rule?

Correct: a. Service-account targeting ties the rule to an IAM-controlled identity that instance editors can't change, making it the strongest least-privilege option. Network tags are arbitrary strings any editor can add/remove; a source IP range is fragile and coarse; opening 5432 to the world is the opposite of least privilege.
Q7 · Apply

You add a new Cloud Armor rule to block SQL injection but you're worried about blocking a legitimate field. Which approach lets you confirm the impact before any real traffic is blocked?

Correct: b. Preview mode evaluates and logs what the rule would block without actually blocking it, so you can spot false positives in the previewSecurityPolicy log field before enforcing. Enforcing immediately risks blocking customers; deleting the default rule changes catch-all behaviour, not test safety; changing priority doesn't make the rule non-enforcing.
Q8 · Analyze

A VM has an explicit 'allow tcp:443 ingress to tag:web' rule at priority 1000, but connections on 443 are still refused. Certificates and the app are fine. What's the most likely cause?

Correct: d. First-hit-by-priority means a lower-number deny (in the VPC or in a hierarchical policy evaluated first) overrides your allow, and a rule whose target tag doesn't actually match the VM applies to nothing. Egress is allowed by default so replies return fine; Cloud Armor only applies to LB-fronted L7 traffic; and VPC firewall rules are stateful, so no return rule is needed.
Q9 · Analyze

An HTTP flood mimics legitimate traffic — valid URLs, rotating IPs, no SQLi/XSS signatures — so the OWASP preconfigured rules don't fire. Which Cloud Armor capability is purpose-built to catch this, and what does it provide?

Correct: b. Adaptive Protection's ML learns each backend service's normal traffic and flags anomalous L7 floods that carry no static signature, then alerts and suggests a tailored mitigation rule. A blanket geo-deny would block real users; the implied deny-ingress is an L3-L4 firewall rule unrelated to L7 floods; and raising WAF sensitivity only affects signature rules, which this flood evades.
Q10 · Evaluate

Two designs for a public GCP banking app: (A) "Cloud Armor with OWASP rules on the LB — that's our whole network security; every VM has a public IP and tight ports." (B) "Cloud Armor at the edge (OWASP + rate-limit + adaptive, preview→enforce), VMs private behind the LB, and VPC firewall rules targeting service accounts for east-west segmentation." Which is stronger and why?

Correct: a. B is defence in depth: Cloud Armor handles north-south L7 attacks and DDoS with safe rollout, private VMs remove direct internet exposure, and service-account-targeted firewall rules contain east-west lateral movement if a host is breached. A leaves every VM exposed and has no east-west containment; public IPs increase attack surface; and the two designs clearly do not block the same traffic.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: In one line, why does a Cloud Armor policy on your load balancer not remove the need for VPC firewall rules between your tiers? Then compare to the expert version.

Expert version: Because Cloud Armor inspects only north-south L7 HTTP at the load-balancer edge, while VPC firewall rules govern east-west VM-to-VM traffic that never returns to the edge — so without firewall rules, a compromised web VM can pivot freely to the database tier that Cloud Armor never sees.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

VPC firewall rule
Stateful L3-L4 rule attached to a VPC network; allows/denies traffic to target VMs by priority, protocol, port and source.
Cloud Armor
Google's edge WAF + DDoS service. A security policy attaches to an external Application Load Balancer backend service and inspects L7 HTTP.
Priority
Integer 0-65535 on a firewall rule; lower number wins and the first matching rule stops the search (first hit, not best fit). Default is 1000.
Implied rules
Two undeletable VPC rules at priority 65535: deny-ingress (block inbound unless allowed) and allow-egress (permit all outbound unless denied).
Network tag
Arbitrary string label on a VM used to target firewall rules. Convenient but any instance-editor can change it — weaker for security.
Target service account
The IAM identity a VM runs as, used to target firewall rules. Controlled by IAM, so it's the stronger least-privilege target.
Hierarchical firewall policy
Firewall policy at the org or folder level, evaluated before per-project VPC rules — central guardrails projects can't override. Targets networks/SAs, not tags.
Security policy
A named Cloud Armor policy — an ordered list of allow/deny/throttle rules with a default rule at priority 2147483647 (allow).
Preconfigured WAF rule
Ready-made Cloud Armor rule based on the OWASP CRS, enabled via an expression like evaluatePreconfiguredExpr('sqli-v33-stable').
Rate-based ban
Cloud Armor action that temporarily bans a client (by IP/header/JA4) once it exceeds a request-rate threshold; throttle just slows it.
Adaptive Protection
Cloud Armor ML that detects anomalous L7 traffic per backend service, alerts, and suggests a custom WAF rule to block an L7 DDoS.
Preview mode
Deploys a Cloud Armor rule that is evaluated and logged but not enforced — so you can spot false positives before blocking real traffic.

📚 Sources

  1. Google Cloud — "VPC firewall rules overview" (priority 0-65535 lowest-number-wins, stateful rules, implied deny-ingress + allow-egress at 65535, default-network rules default-allow-ssh/rdp/icmp/internal, targeting by network tag vs service account). cloud.google.com/firewall/docs/firewalls
  2. Google Cloud — "Create and manage security policies" + "Cloud Armor preconfigured WAF rules overview" (gcloud compute security-policies create/rules create, --action allow|deny-403/404/502|throttle|rate-based-ban, --preview, attach via backend-services update --security-policy, default rule priority 2147483647, evaluatePreconfiguredExpr('sqli-v33-stable')/'xss-v33-stable', OWASP CRS sensitivity 1-4). cloud.google.com/armor/docs/configure-security-policies · cloud.google.com/armor/docs/waf-rules
  3. Google Cloud Community / r/googlecloud — practitioner threads on 'firewall rule not working' (first-hit priority, target tag/SA mismatch, hierarchical policy denying above the project) and Cloud Armor preview-vs-enforce confusion. cloud.google.com/firewall/docs/using-firewalls · reddit.com/r/googlecloud
  4. Google Cloud Blog — "Google Cloud mitigated largest DDoS attack, peaking above 398 million rps" (HTTP/2 Rapid Reset, CVE-2023-44487; Cloud Armor always-on L7 DDoS + Adaptive Protection) and Cloud Armor release notes: hierarchical security policies GA (Oct 2025), JA4 rate-limiting key GA (June 2025). cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps · cloud.google.com/armor/docs/release-notes
  5. Google Cloud — "Google Cloud Armor Adaptive Protection overview" (ML per-backend-service L7 DDoS detection, alert + generated signature + suggested custom rule). cloud.google.com/armor/docs/adaptive-protection-overview
  6. Google Professional Cloud Security Engineer — certification exam guide, 'Configure network security' domain (VPC design, firewall rules, Cloud Armor, DDoS protection, web application firewalls). cloud.google.com/learn/certification/guides/cloud-security-engineer

What's next?

You've layered the network controls — but a too-broad firewall rule or an unenforced WAF rule is exactly the kind of misconfiguration you'd rather have flagged for you. Next we shift from configuring devices to automating fleets of them: how Ansible drives network changes repeatably, so your guardrails are code, not clicks.

Next · Ansible for Network Automation: Getting Started → Practice on exam.techclick.in →