
There are a lot of steps to successfully expose your API to the internet. However, once you have done it, you can reuse the same steps for any other API you create. The steps are also very similar to the steps you would take to expose an API to the internet using a traditional serverless platform such as AWS Lambda.
This is a useful test; you may notice that the response time, especially the minimum time, is slower than going to the Cloud Run service directly due to the additional network hops required to access the service. However, the response time is still good, and the benefits of using a custom domain name and SSL certificate are worth the additional latency. You will also see in later chapters how using the load balancer opens up more features.
Enhancing Defenses with Cloud Armor
While Google’s Global Load Balancer inherently offers a level of protection against DDoS attacks, you can strengthen your defenses further by integrating Google Cloud Armor with HTTP(S) Load Balancing. Cloud Armor allows you to establish IP allow/deny lists and create rules based on Layer 7 parameters, significantly enhancing the protection of your application.
For instance, if a DDoS attack originates from a specific IP address or range of addresses, Cloud Armor policies enable you to block the attacker(s) right at the network’s edge, preventing the attack from reaching your application.
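The edge blocking and per-IP rate limiting described above, as an added example that is not from the book: a dry-run script that prints the gcloud commands for a two-rule Cloud Armor policy and attaches it to the load balancer's backend service. The policy name, backend service name, blocked range, and the threshold of 100 requests per 60 seconds are assumed placeholder values.

```shell
#!/bin/sh
# Added example (not from the book). Constructed placeholder values:
POLICY="${POLICY:-api-armor-policy}"               # assumed policy name
BACKEND="${BACKEND:-api-backend}"                  # assumed backend service name
BLOCKED_RANGE="${BLOCKED_RANGE:-198.51.100.0/24}"  # RFC 5737 documentation range

# Print each command by default; set DRY_RUN=0 to execute it.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only IPv4 CIDR with a prefix of /8 or longer (assumed safety margin),
# so a typo cannot turn the deny rule into a block on most of the internet.
valid_range() {
  addr="${1%/*}"; prefix="${1##*/}"
  case "$1" in */*) ;; *) return 1 ;; esac
  case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -ge 8 ] && [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
  done
}

armor_policy_commands() {
  valid_range "$BLOCKED_RANGE" || { echo "refusing range: $BLOCKED_RANGE" >&2; return 1; }
  run gcloud compute security-policies create "$POLICY" --description api-edge-protection
  # Rules are evaluated lowest priority number first: deny before throttle.
  run gcloud compute security-policies rules create 100 \
    --security-policy "$POLICY" --src-ip-ranges "$BLOCKED_RANGE" --action deny-403
  # Per-source-IP rate limit; 100 requests per 60 s is an assumed threshold.
  run gcloud compute security-policies rules create 1000 \
    --security-policy "$POLICY" --src-ip-ranges "*" --action throttle \
    --rate-limit-threshold-count 100 --rate-limit-threshold-interval-sec 60 \
    --conform-action allow --exceed-action deny-429 --enforce-on-key IP
  # Attach the policy to the load balancer's backend service.
  run gcloud compute backend-services update "$BACKEND" \
    --security-policy "$POLICY" --global
}

armor_policy_commands
```

Review the printed commands first, then rerun with `DRY_RUN=0` in a project where the backend service already exists.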
Extending Cloud Armor Further
The standard Cloud Armor service is a step toward securing against DDoS attacks at a reasonable cost, but Cloud Armor also offers a premium service known as Google Cloud Armor Managed Protection Plus.
This service provides threat intelligence features, like automatic blocking of a managed list of known malicious IP addresses and Adaptive Protection, which uses AI models to detect and block DDoS attacks. This solution costs several thousand dollars monthly and requires a minimum commitment of one year, but it is an example of the significant enhancements in application security that are available.
How Much Will This Solution Cost?
There are several charges associated with this solution. The main ones are:
- Forwarding rule for the Load Balancer. This will cost $0.025 per hour, which adds up to $18.00 per month.
- Data processed by the Load Balancer. This will cost $0.01 per GB.
- Cloud Armor policy with two rules enforcing a rate limit will cost $7 per month.
Adding these features is not free, but it is still very reasonable.
Summary
You have created a citadel with strong walls to protect the application using a Global Load Balancer with the default protection it provides and specific protection with Cloud Armor to protect against attack. As you can see, managing the system is becoming more complex as you add more layers. It is not trivial to set up everything or to tear everything down, and debugging any problems will get difficult quickly.
In this chapter, you used the following services directly:
- Global HTTP Load Balancer is used to route requests to the API Gateway from a domain name and provide an encrypted connection.
- Identity Platform is used to authenticate users using their Google account.
- Cloud Armor is used to protect the application from outside attacks and rate-limit individual IP addresses.
In the following chapters, you will look at how you can address the complexity you now have by automating the deployment further, providing observability and making the system more suitable for production.