○ Isolate and secure your deployment using subnetworks and networks,
firewall rules, tags and Identity and Access Management (IAM).
○ Open access to ports and protocols that you need using firewall rules
and/or protocol forwarding.
○ GCP provides anti-spoofing protection for the private network (IP
addresses) by default.
○ GCP automatically provides isolation between virtual networks.
● Isolate your internal traffic from the external world
○ Deploy instances without public IPs unless necessary.
○ You can set up a NAT gateway or SSH bastion to limit the number of
instances that are exposed to the internet.
○ Once available, deploy Internal Load Balancing for your internal client
instances accessing internally deployed services, thereby avoiding
exposure to the external world. [Internal LB expected to be available in the
second half of 2016.]
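Two of the checks above (open only the ports you need to the internet; no public IPs unless necessary) as an added audit script that is not part of the original paper. It reads constructed JSON in the shape of `gcloud compute firewall-rules list --format=json` and `gcloud compute instances list --format=json`, flags rules open to the whole internet on ports outside an allowlist, and flags instances with an external IP that are not tagged as internet-facing. The allowlist, the tag names, the rule names and the addresses are assumptions made for the example.

```python
import json

# Constructed samples in the shape of `gcloud compute firewall-rules list --format=json`
# and `gcloud compute instances list --format=json` (Compute Engine API field names; the
# rule names, tags and addresses are made up for this example).
FIREWALL_RULES_JSON = """[
 {"name": "allow-ssh-from-bastion", "sourceTags": ["bastion"], "targetTags": ["app"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "allow-web", "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
 {"name": "default-allow-all", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}, {"IPProtocol": "udp"}]}
]"""
INSTANCES_JSON = """[
 {"name": "web-1", "tags": {"items": ["web"]}, "networkInterfaces": [{"networkIP":
  "10.0.0.2", "accessConfigs": [{"name": "External NAT", "natIP": "203.0.113.10"}]}]},
 {"name": "db-1", "tags": {"items": ["db"]}, "networkInterfaces": [{"networkIP": "10.0.0.3"}]},
 {"name": "app-1", "tags": {"items": ["app"]}, "networkInterfaces": [{"networkIP":
  "10.0.4.4", "accessConfigs": [{"name": "External NAT", "natIP": "203.0.113.11"}]}]}
]"""

# What this deployment legitimately exposes to the internet (assumptions for the example).
INTERNET_PORTS = {("tcp", "80"), ("tcp", "443")}
INTERNET_FACING_TAGS = {"web"}

def find_over_permissive_rules(rules_json, needed=INTERNET_PORTS):
    """Names of firewall rules open to the whole internet on ports the deployment does not need."""
    findings = []
    for rule in json.loads(rules_json):
        # Rules scoped by source tag or a specific range are not reachable from the internet.
        if not any(r in ("0.0.0.0/0", "::/0") for r in rule.get("sourceRanges", [])):
            continue
        for entry in rule.get("allowed", []):
            # A protocol entry without "ports" allows every port of that protocol.
            ports = entry.get("ports") or ["all"]
            if any((entry["IPProtocol"], p) not in needed for p in ports):
                findings.append(rule["name"])
                break
    return findings

def find_unneeded_public_ips(instances_json, facing_tags=INTERNET_FACING_TAGS):
    """Names of instances with an external IP that are not tagged as internet-facing."""
    findings = []
    for inst in json.loads(instances_json):
        public = any(cfg.get("natIP") for nic in inst.get("networkInterfaces", [])
                     for cfg in nic.get("accessConfigs", []))
        tags = set(inst.get("tags", {}).get("items", []))
        if public and not tags & facing_tags:
            findings.append(inst["name"])
    return findings
```

Against the sample data the first check flags only `default-allow-all` and the second only `app-1`; the bastion-scoped SSH rule and the internal-only `db-1` pass.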
● DDoS Protection by enabling Proxy-based Load Balancing
○ When you enable HTTP(S) Load Balancing or SSL proxy Load Balancing,
Google infrastructure mitigates and absorbs many Layer 4 and below
attacks, such as SYN floods, IP fragment floods, port exhaustion, etc.
○ If you have HTTP(S) Load Balancing with instances in multiple regions,
you are able to disperse your attack across instances around the globe.
● Scale to absorb the attack
○ Protection by Google Frontend infrastructure
With Google Cloud Global Load Balancing, the frontend infrastructure,
which terminates user traffic, automatically scales to absorb certain types
of attacks (e.g., SYN floods) before they reach your compute instances.
○ Anycast-based Load Balancing: HTTP(S) Load Balancing and SSL proxy
enable a single anycast IP to front-end your deployed backend instances
in all regions. Normally your user traffic is directed to the closest backend
with capacity; in the event of a DDoS attack, the additional advantage of
this approach is that it increases the surface area to absorb this attack by
moving traffic to instances with available capacity in any region where
backends are deployed.
○ Autoscaling: When you configure HTTP(S) or SSL Proxy Load Balancing,
Google frontend infrastructure that terminates your user traffic protects
your backends. You should also provision a sufficient number of instances