Faster web performance and improved web protection for load balancing
This tutorial outlines the value of adding Cloud CDN and Google Cloud Armor to an existing external Application Load Balancer deployment. It includes basic instructions for enabling both Cloud CDN and Cloud Armor with an external Application Load Balancer.
Note: If you are using Cloud Armor with Cloud CDN, security policies are enforced only for requests for dynamic content, cache misses, or other requests that are destined for your origin server. Security policies do not apply to cache hits, even if the connecting client would otherwise match a rule in the policy.
Improving web performance with Cloud CDN
Using the external Application Load Balancer already improves web performance by setting up HTTP(S) connections on Google's global edge closer to the requesting client and by negotiating connections using modern protocols such as QUIC, HTTP/2, and TLS 1.3 to reduce the number of round trips and enhance throughput. Further, by using persistent connections to your origin, Google Cloud reduces the overhead of each client connection. Google's edge locations are connected to our global private backbone network, which allows Google Cloud to optimize routing and reduce latency between the client, Google's edge, and your backends. You can further improve performance and reduce your serving costs by enabling Cloud CDN as part of your external Application Load Balancer deployment.
What is Cloud CDN?
Cloud CDN (Content Delivery Network) uses Google's globally distributed edge points of presence to cache copies of load balanced content close to your users.
How Cloud CDN can improve web performance
There are multiple ways that Cloud CDN improves performance.
Offloads and scales your backend infrastructure by reducing requests
A request served from the Cloud CDN cache means that the load balancer doesn't need to send the request to backend infrastructure for a static element such as an image, video, JavaScript, or stylesheet. This not only reduces load during normal operation but allows Google edge infrastructure to absorb spikes in requests without increasing the load on your backend serving infrastructure. This ensures backend infrastructure is focused on generating user-specific responses such as dynamic HTML for interactive web experiences.
Serves static assets from the edge
Because Google's global edge sends cached requests, the response times to client requests can be reduced. Static elements of your web experience such as images, videos, JavaScript, and stylesheets can be delivered right away without needing to forward the request to the backend systems and wait for a response and data transfer.
Reduces your data transfer and backend infrastructure costs
By using Cloud CDN with your external Application Load Balancer, you reduce your backend infrastructure costs due to reduced traffic to the backend. Additionally, you can reduce the number of cycles to deliver static content because it is sent from the Google edge. Cloud CDN traffic is billed at a lower data transfer cost, further controlling costs.
Enabling Cloud CDN for your external Application Load Balancer
You can enable Cloud CDN for an existing external Application Load Balancer or when setting up a new load balancer.
Enabling Cloud CDN during external Application Load Balancer setup
During backend configuration, select the Enable Cloud CDN checkbox. For details, see the Cloud CDN how-to guides.
Enabling Cloud CDN for an existing external Application Load Balancer
In an existing external Application Load Balancer configuration, in the Load Balancer details screen, you can click Edit to modify your load balancer.
Then, in the Backend Configuration section, you can select the Enable Cloud CDN checkbox. For detailed instructions, including gcloud commands, see the Cloud CDN how-to guides.
Improving web protection with Cloud Armor
Using the external Application Load Balancer already provides a measure of web protection by setting up HTTP(S) connections on Google's global edge, offloading your backend infrastructure from needing to handle this process. By enabling Cloud Armor as part of your external Application Load Balancer you have increased visibility and control against infrastructure and application attacks.
Note: You can use Cloud Armor with Cloud CDN to protect the CDN origin servers. Cloud Armor ensures that the CDN origin server is protected from application attacks, mitigates OWASP Top 10 risks, and enforces Layer 7 filtering policies. Cloud Armor enforces security policies for backend services with Cloud CDN enabled only for cache misses; that is, for requests that miss or bypass the Cloud CDN cache.
What is Cloud Armor?
Cloud Armor provides DDoS and application layer defense working in conjunction with external Application Load Balancers. It provides visibility into attacks and allows you to deploy pre-configured and custom rules to mitigate attacks against your web applications and services. Like the external Application Load Balancer, Cloud Armor is delivered at the edge of Google's network, helping to defend against infrastructure and application attacks close to their source.
How Cloud Armor can improve web protection
There are multiple ways that Cloud Armor improves protection.
Automatically blocks most volumetric DDoS attacks
Cloud Armor works with the external Application Load Balancer to automatically block network protocol and volumetric DDoS attacks such as protocol floods (SYN, TCP, HTTP, and ICMP) and amplification attacks (NTP, UDP, DNS). Cloud Armor is based on technologies developed originally to defend Google's own web services such as search, gmail, and maps.
Has pre-configured WAF rules to help detect and mitigate common application attacks
Cloud Armor provides a library of pre-configured web application firewall (WAF) rules that help detect and optionally help mitigate common web attacks such as SQL injection, cross-site scripting, and command injection attacks against your web infrastructure.
Detects and blocks by geographical source and IP addresses or IP ranges
Cloud Armor leverages Google's Geo-IP database to identify the geographical region of incoming requests destined for your web infrastructure and allows you to block traffic based on two-character country codes. For example, an online commerce site that does not ship outside of a given country can block requests from common sources of attack traffic. Additionally, Cloud Armor allows quick blocking of specific IP addresses or ranges of IP addresses making malicious requests.
Provides visibility to monitor and mitigate application layer HTTP(S) attacks
Cloud Armor also provides a custom-rules language that lets you match complex patterns from incoming requests using a wide variety of HTTP(S) semantics. This includes headers, cookies, URLs, query string elements, user agent patterns, and HTTP methods.
Enabling Cloud Armor for your external Application Load Balancer
Security policies drive Cloud Armor configuration. These policies enable built-in rules and support custom rules for protection. To deploy Cloud Armor, you must create a security policy, add rules, and then attach this policy to one or more external Application Load Balancer backend services. Each rule specifies the parameters to detect in traffic, the action to take if the traffic matches these parameters, and a priority value that determines the position of the rule in the policy hierarchy.
Creating a Cloud Armor security policy
At a high level, these are the steps for configuring Cloud Armor security policies to enable rules that allow or deny traffic to external Application Load Balancer.
- Create a Cloud Armor security policy in the Network Security - Cloud Armor screen.
- Add rules to the policy based on IP lists, custom expressions, or pre-configured WAF rules such as SQL injection or Cross-site scripting.
- Attach the Cloud Armor security policy to a backend service of the external Application Load Balancer for which you want to control access.
- Update the Cloud Armor security policy as needed.
For the detailed instructions, see the Cloud Armor how-to guides.
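The four steps above as gcloud commands, as an added example that is not part of the original page; the policy name, backend service name, IP range and region code are placeholders. The script prints each command and runs it only when APPLY=1.

```shell
#!/bin/sh
# Added example. POLICY, BACKEND, the CIDR and the region code are placeholders.
POLICY="${POLICY:-edge-policy}"     # hypothetical security policy name
BACKEND="${BACKEND:-web-backend}"   # hypothetical backend service name
BAD_RANGE="203.0.113.0/24"          # constructed: documentation range (RFC 5737)
BAD_REGION="ZZ"                     # constructed: replace with a two-character code

# Print each command; execute it only when APPLY=1, so the plan can be reviewed
# first. The printed form drops shell quoting and is for reading, not pasting.
run() {
  printf '%s\n' "$*"
  if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

armor_plan() {
  # Step 1: create the policy. A new policy has a default rule at the lowest
  # priority (2147483647) that allows traffic no other rule matched.
  run gcloud compute security-policies create "$POLICY" \
    --description "Edge policy for $BACKEND"

  # Step 2: add rules. Lower priority numbers are evaluated first.
  run gcloud compute security-policies rules create 1000 \
    --security-policy "$POLICY" --src-ip-ranges "$BAD_RANGE" --action deny-403
  run gcloud compute security-policies rules create 2000 \
    --security-policy "$POLICY" \
    --expression "origin.region_code == '$BAD_REGION'" --action deny-403
  # WAF rules start in preview mode: matches are logged but not blocked.
  run gcloud compute security-policies rules create 3000 \
    --security-policy "$POLICY" \
    --expression "evaluatePreconfiguredExpr('sqli-stable')" \
    --action deny-403 --preview
  run gcloud compute security-policies rules create 3100 \
    --security-policy "$POLICY" \
    --expression "evaluatePreconfiguredExpr('xss-stable')" \
    --action deny-403 --preview

  # Step 3: attach the policy to the load balancer's backend service. With
  # Cloud CDN enabled on it, the policy is evaluated only on cache misses.
  run gcloud compute backend-services update "$BACKEND" \
    --security-policy "$POLICY" --global

  # Step 4: update the policy, here enforcing the SQLi rule after log review.
  run gcloud compute security-policies rules update 3000 \
    --security-policy "$POLICY" --no-preview
}

armor_plan
```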
Next steps
- Learn more about Cloud CDN capabilities.
- Understand Cloud Armor's security policies in depth.
- Set up Monitoring and logging for an external Application Load Balancer with Cloud CDN.
Last updated 2025-12-15 UTC.