hands-on lab

Securing Your Applications with Google Cloud Armor and Firewall Rules

Up to 45m
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.


Google Cloud Armor provides application-level protection from common front-end threats such as distributed denial-of-service (DDoS) attacks, cross-site scripting, and SQL injections. Google Cloud Armor security policies are applied on HTTP(S) load balancers at the Google Cloud edge, which means it's evaluating potential threats, closer to the traffic source. 

Google VPC Firewall Rules are applied at the network layer of your application and are meant to protect your VM instances within a specific network. 

Both of these safeguards apply rules that either allow or deny incoming traffic. A key difference between the two is the level at which they evaluate the traffic. 

In this lab, you will configure a Google VPC Firewall Rule and a Google Cloud Armor security policy. Both security measures will be configured to protect an application made up of a Google Compute Engine Instance Group that is served traffic from an HTTP(S) Load Balancer.

Learning Objectives

Upon completion of this lab you will be able to:

  • Identify key differences between Google Cloud Armor and Google Firewall Rules
  • Secure your applications by allowing only Trusted IPs/Ranges with Firewall Rules
  • Protect your applications from common threats like DDoS with Google Cloud Armor

Intended Audience

This lab is intended for:

  • Software Developers
  • Network Engineers
  • Security Engineers


Familiarity with the following will be beneficial but is not required:

  • A basic understanding of Google Cloud Platform Networking


March 25th, 2024 - Updated instructions and screenshots to reflect the latest UI

October 15th, 2023 - Updated instructions and screenshots to reflect the latest UI

July 6th, 2022 - Updated lab step regarding load balancer creation to address health check issue

Environment before

Environment after

About the author

Jun Fritz, opens in a new tab
Cloud Labs Developer
Learning paths

Jun is a Cloud Labs Developer with previous experience as a Software Engineer and Cloud Developer. He holds the AWS Certified Solutions Architect and DevOps Engineer Professional certifications. He also holds the AWS Certified Solutions Architect, Developer, and SysOps Administrator Associate certifications. 

Jun is focused on giving back to the growing cloud community by sharing his knowledge and experience with students and creating engaging content. 

Covered topics

Lab steps

Signing In to the Google Cloud Console
Configuring an HTTP(s) Load Balancer
Creating a VPC Firewall Rule and Testing the IP Access
Creating a Cloud Armor Security Policy and Testing the IP Access