L14. Network Security: Cloud Armor, VPC Service Controls, and Private Service Connect
Google Cloud provides layered network security for VPC resources and APIs. The Digital Leader exam tests knowledge of Cloud Armor (WAF), VPC Service Controls, Private Service Connect, and Cloud IDS.
Cloud Armor
Cloud Armor is Google Cloud's WAF (Web Application Firewall) and DDoS protection service for applications behind Cloud Load Balancing. Key capabilities:
- Layer 7 attacks: SQL injection, XSS, OWASP Top 10
- DDoS attacks: volumetric, protocol, and application-layer
- Bad bots and automated threats
- Geo-based access control (block or allow traffic by country)
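As an added example (not from the lesson), the following Terraform security policy implements each of those four capabilities with the google_compute_security_policy resource: the preconfigured OWASP rule sets for Layer 7 attacks, a per-IP rate limit against application-layer floods and bots, and a geo-based deny. The policy name and the country code 'XX' are placeholders, and attaching the policy to a backend service is a separate step.

```hcl
resource "google_compute_security_policy" "web_policy" {
  name = "example-web-policy" # placeholder; attach via a backend service's security_policy

  # Layer 7 WAF: deny requests matching the preconfigured OWASP CRS rule sets for SQLi and XSS.
  rule {
    action   = "deny(403)"
    priority = 1000
    match {
      expr { expression = "evaluatePreconfiguredWaf('sqli-v33-stable') || evaluatePreconfiguredWaf('xss-v33-stable')" }
    }
  }

  # Application-layer DDoS and abusive bots: limit each source IP to 100 requests/minute, excess gets HTTP 429.
  rule {
    action   = "throttle"
    priority = 2000
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)"
      enforce_on_key = "IP"
      rate_limit_threshold {
        count        = 100
        interval_sec = 60
      }
    }
  }

  # Geo-based access control: 'XX' is a placeholder for an ISO 3166-1 alpha-2 country code.
  rule {
    action   = "deny(403)"
    priority = 3000
    match {
      expr { expression = "origin.region_code == 'XX'" }
    }
  }

  # Every policy needs a lowest-priority default rule; allow whatever the rules above did not deny.
  rule {
    action   = "allow"
    priority = 2147483647
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
  }
}
```

Rules are evaluated in ascending priority order, so the WAF and rate-limit rules run before the geo rule and the default allow.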
VPC Service Controls
VPC Service Controls create a security perimeter around Google Cloud APIs and services to prevent data exfiltration.
Problem solved: IAM controls who can access a resource, but it does not prevent data from being copied to an unauthorized project or location. VPC Service Controls add a network-level perimeter on top of IAM.
How it works: you define a service perimeter around a set of projects; requests from outside the perimeter (even authenticated ones) to protected services (for example BigQuery or Cloud Storage) are denied.
Use for: preventing data exfiltration by insiders or through compromised credentials; meeting compliance requirements for data isolation.
Private Service Connect (PSC)
Private Service Connect enables private connectivity between VPCs and Google-managed services or services hosted in other VPCs, without traffic traversing the public internet. Use cases:
- Privately access Google APIs (BigQuery, Cloud Storage) from on-premises via Private Service Connect
- Share services between VPCs without exposing them publicly
- Connect to third-party services privately
Cloud IDS (Intrusion Detection System)
Cloud IDS is a managed network-based intrusion detection service powered by Palo Alto Networks threat intelligence. It detects malware, spyware, command-and-control traffic, and network attacks. Note: Cloud IDS detects but does not block; it logs threats for investigation.
Firewall Rules and Hierarchical Firewalls
VPC Firewall Rules: stateful rules applied to VM instances using network tags or service accounts; created within a VPC.
Hierarchical Firewall Policies: organization- or folder-level firewall rules that apply to all VPCs within scope; cannot be overridden by lower-level VPC rules.
Cloud Next-Generation Firewall: layer 7 inspection with threat intelligence, URL filtering, and TLS inspection.

| Service | Protection |
|---|---|
| Cloud Armor | Layer 7 WAF + DDoS protection |
| VPC Service Controls | API perimeter to prevent data exfiltration |
| Private Service Connect | Private access to Google APIs and services |
| Cloud IDS | Network intrusion detection |
| Hierarchical Firewall Policies | Organization-wide firewall enforcement |
- ✓ Cloud Armor is Google Cloud's WAF and DDoS protection for applications behind Cloud Load Balancing
- ✓ VPC Service Controls create a security perimeter around Google Cloud APIs to prevent data exfiltration
- ✓ VPC Service Controls restrict access to Google APIs by network perimeter, not just IAM identity
- ✓ Private Service Connect enables private connectivity to Google APIs and other services without using the public internet
- ✓ Cloud IDS provides managed network intrusion detection using Palo Alto Networks threat intelligence
1. A company wants to protect their web application from SQL injection attacks and OWASP Top 10 threats while also absorbing DDoS attacks. Which Google Cloud service should they use?
2. An organization is concerned that compromised credentials could be used to exfiltrate data from BigQuery to an unauthorized project. Which service creates a network-level perimeter to prevent this?
Recommended: Pluralsight
Reinforce these lessons with Pluralsight's Google Cloud paths: structured video courses, GCP console labs, and practice exams for the Digital Leader certification.