Cyber Intelligence

L14. Network Security: Cloud Armor, VPC Service Controls, and Private Service Connect


Google Cloud provides layered network security for VPC resources and APIs. The Digital Leader exam tests Cloud Armor WAF, VPC Service Controls, Private Service Connect, and Cloud IDS.

Cloud Armor

Cloud Armor is Google Cloud's WAF (Web Application Firewall) and DDoS protection service for applications behind Cloud Load Balancing. It protects against:

  • Layer 7 attacks: SQL injection, XSS, and other OWASP Top 10 threats
  • DDoS attacks: volumetric, protocol, and application-layer
  • Bad bots and automated threats

It also provides geo-based access control (block or allow traffic by country).

Pre-configured WAF rules: Google maintains curated OWASP rule sets that you can enable with one click. Adaptive protection: machine-learning-based detection of unusual traffic patterns that can automatically suggest or apply blocking rules.

VPC Service Controls

VPC Service Controls create a security perimeter around Google Cloud APIs and services to prevent data exfiltration.

Problem solved: IAM controls who can access a resource, but it does not prevent data from being copied to an unauthorized project or location. VPC Service Controls add a perimeter on top of IAM.

How it works: you define a service perimeter around a set of projects; requests from outside the perimeter (even authenticated ones) to protected services such as BigQuery and Cloud Storage are denied.

Use for: preventing data exfiltration by insiders or through compromised credentials; meeting compliance requirements for data isolation.
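As an added example (not the lesson's own material), the gcloud commands that implement the two controls above: a Cloud Armor policy with Google's curated SQL injection and XSS rules, a country block, Adaptive Protection, and a VPC Service Controls perimeter that restricts BigQuery and Cloud Storage. The policy, backend, project number and access-policy id are placeholders; set GCLOUD=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: Cloud Armor + VPC Service Controls via gcloud.
# All names and ids below are placeholders. GCLOUD defaults to the real CLI;
# GCLOUD=echo turns every call into a dry run that just prints the command.
GCLOUD="${GCLOUD:-gcloud}"

# Cloud Armor: create a security policy, add the preconfigured OWASP rules for
# SQL injection and XSS, deny traffic from one country, and enable Adaptive
# Protection (ML-based layer 7 DDoS detection). Lower priority numbers are
# evaluated first; the implicit default rule at the end allows.
create_waf_policy() {
  # $1 = policy name, $2 = ISO 3166-1 alpha-2 country code to block
  "$GCLOUD" compute security-policies create "$1" \
    --description "Layer 7 WAF + DDoS policy"
  "$GCLOUD" compute security-policies rules create 1000 \
    --security-policy "$1" --action deny-403 \
    --expression "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})"
  "$GCLOUD" compute security-policies rules create 1100 \
    --security-policy "$1" --action deny-403 \
    --expression "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})"
  "$GCLOUD" compute security-policies rules create 2000 \
    --security-policy "$1" --action deny-403 \
    --expression "origin.region_code == '$2'"
  "$GCLOUD" compute security-policies update "$1" \
    --enable-layer7-ddos-defense
}

# Attach the policy to a backend service of the global external load
# balancer: Cloud Armor only sees traffic that passes through Cloud Load Balancing.
attach_policy() {
  # $1 = policy name, $2 = backend service name
  "$GCLOUD" compute backend-services update "$2" \
    --security-policy "$1" --global
}

# VPC Service Controls: a perimeter around one project that restricts BigQuery
# and Cloud Storage. API calls from outside the perimeter are denied even when
# the caller's IAM permissions would otherwise allow them.
create_perimeter() {
  # $1 = perimeter name, $2 = project number, $3 = access policy id
  "$GCLOUD" access-context-manager perimeters create "$1" \
    --title "$1" --perimeter-type regular \
    --resources "projects/$2" \
    --restricted-services bigquery.googleapis.com,storage.googleapis.com \
    --policy "$3"
}

# Usage with placeholder values:
#   create_waf_policy edge-policy XX
#   attach_policy edge-policy web-backend
#   create_perimeter data-perimeter 123456789012 987654321098
```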

Private Service Connect (PSC)

Private Service Connect enables private connectivity between VPCs and Google-managed services or services hosted in other VPCs, without traffic traversing the public internet. Use cases:

  • Privately access Google APIs (BigQuery, Cloud Storage) from on-premises networks
  • Share services between VPCs without exposing them publicly
  • Connect to third-party services privately

Cloud IDS (Intrusion Detection System)

Cloud IDS is a managed network-based intrusion detection service powered by Palo Alto Networks threat intelligence. Detects: malware, spyware, command-and-control traffic, network attacks. Note: Cloud IDS detects but does not block; it logs threats for investigation.

Firewall Rules and Hierarchical Firewalls

VPC Firewall Rules: stateful rules applied to VM instances using network tags or service accounts; created within a VPC.

Hierarchical Firewall Policies: organization- or folder-level firewall rules that apply to all VPCs within scope; they cannot be overridden by lower-level VPC rules.

Cloud Next-Generation Firewall: layer 7 inspection with threat intelligence, URL filtering, and TLS inspection.

Service                         Protection
Cloud Armor                     Layer 7 WAF + DDoS protection
VPC Service Controls            API perimeter to prevent data exfiltration
Private Service Connect         Private access to Google APIs and services
Cloud IDS                       Network intrusion detection
Hierarchical Firewall Policies  Organization-wide firewall enforcement

Exam tip: Cloud Armor = WAF against application attacks. VPC Service Controls = data exfiltration prevention perimeter. Private Service Connect = private API access without internet.

Exam Focus Points

  • Cloud Armor is Google Cloud's WAF and DDoS protection for applications behind Cloud Load Balancing
  • VPC Service Controls create a security perimeter around Google Cloud APIs to prevent data exfiltration
  • VPC Service Controls restrict access to Google APIs by network perimeter, not just IAM identity
  • Private Service Connect enables private connectivity to Google APIs and other services without using the public internet
  • Cloud IDS provides managed network intrusion detection using Palo Alto Networks threat intelligence

Knowledge Check

1. A company wants to protect their web application from SQL injection attacks and OWASP Top 10 threats while also absorbing DDoS attacks. Which Google Cloud service should they use?

2. An organization is concerned that compromised credentials could be used to exfiltrate data from BigQuery to an unauthorized project. Which service creates a network-level perimeter to prevent this?
