Google Cloud Armor Integration
Security policy metrics, rule match rates, and adaptive protection events for Cloud Armor. Monitor WAF effectiveness, detect DDoS patterns, and correlate security events with app health.
How It Works
Create a GCP Service Account
Create a service account with the Monitoring Viewer and Compute Security Admin Viewer roles. TigerOps uses these to collect Cloud Armor policy metrics and rule evaluation data.
Enable Cloud Monitoring API
Enable the Cloud Monitoring API and Compute Engine API in your GCP project. Cloud Armor metrics are surfaced through the loadbalancing.googleapis.com metric namespace in Cloud Monitoring.
Configure TigerOps Cloud Armor
Add your project credentials to TigerOps and select the security policies to monitor. TigerOps discovers all Cloud Armor policies and associated load balancer backends automatically.
Set Security and Attack Alerts
Configure rule match rate thresholds, block rate alerts, and adaptive protection event notifications. TigerOps correlates security events with traffic patterns and application error rates.
What You Get Out of the Box
Security Policy Rule Match Rates
Track allow, deny, redirect, and throttle rule match counts per Cloud Armor security policy. TigerOps identifies which rules are triggering most frequently and surfaces emerging attack patterns.
Block Rate Monitoring
Monitor blocked request rates per policy and rule. TigerOps distinguishes between pre-configured rule blocks and adaptive protection blocks, helping you understand your threat landscape in real time.
Adaptive Protection Events
Track Cloud Armor Adaptive Protection threat analysis events and suggested rule deployments. TigerOps alerts when Adaptive Protection detects a potential DDoS attack and logs the suggested mitigation rules.
Request Rate Anomaly Detection
TigerOps AI models your normal traffic patterns and alerts when request rates deviate significantly — indicating a potential volumetric attack, scraping campaign, or credential stuffing attempt.
WAF Rule Effectiveness
Monitor OWASP Top 10 preconfigured WAF rule match rates. TigerOps tracks which attack categories (SQLi, XSS, RCE, etc.) are being blocked and identifies rules with high false-positive rates.
Geographic Traffic Distribution
Visualize request distribution by country and region alongside Cloud Armor geo-blocking rules. TigerOps surfaces unexpected traffic origins and helps you tune geographic deny rules to reduce attack surface.
Cloud Armor Integration Setup
Configure TigerOps to monitor your Cloud Armor security policies and adaptive protection events.
# TigerOps Google Cloud Armor Integration
# Required IAM roles:
#   roles/monitoring.viewer
#   roles/compute.networkViewer
integrations:
  gcp_cloud_armor:
    project_id: "your-gcp-project-id"
    credentials_file: "./tigerops-sa-key.json"
    # Security policies to monitor (empty = all policies)
    security_policies:
      - prod-api-waf-policy
      - prod-web-waf-policy
    scrape_interval: 60s
    metrics:
      - networksecurity.googleapis.com/https/request_count
      - networksecurity.googleapis.com/https/blocked_request_count
      - networksecurity.googleapis.com/https/redirect_request_count
      - networksecurity.googleapis.com/https/throttled_request_count
      - networksecurity.googleapis.com/adaptive_protection/event_count
    alerts:
      block_rate_per_second: 1000
      adaptive_protection_event: true
      waf_false_positive_rate_percent: 0.1
      request_spike_multiplier: 5.0
      geo_block_rate_per_country_percent: 90

Common Questions
What IAM permissions does TigerOps need to monitor Cloud Armor?
TigerOps requires the roles/monitoring.viewer role to access Cloud Armor metrics via the Cloud Monitoring API. The roles/compute.securityAdmin role is needed only if you want TigerOps to read security policy configurations for context. No write permissions are required.
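The read-only claim in this answer can be checked against the project's IAM policy. The following is an added example, not TigerOps code: it compares the roles bound to the integration's service account with the two roles named in the configuration comment. The service account e-mail, the sample policy and the function name `audit_member` are constructed for illustration.

```python
import json

# Read-only roles listed in the page's configuration comment.
ALLOWED_ROLES = {"roles/monitoring.viewer", "roles/compute.networkViewer"}
# Principals whose grants also reach every authenticated service account.
BROAD = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample, shaped like the output of
# `gcloud projects get-iam-policy <project> --format=json`.
SA = "serviceAccount:tigerops-monitor@your-gcp-project-id.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/monitoring.viewer", "members": ["user:alice@example.com",
    "serviceAccount:tigerops-monitor@your-gcp-project-id.iam.gserviceaccount.com"]},
  {"role": "roles/compute.securityAdmin", "members": [
    "serviceAccount:tigerops-monitor@your-gcp-project-id.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers"],
   "condition": {"title": "constructed",
                 "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
  {"role": "roles/editor", "members": ["group:platform@example.com"]}
]}
""")


def audit_member(policy, member, allowed=ALLOWED_ROLES):
    """Return (excess, missing) for `member` against an allow-list of roles.

    excess: (role, granted_via, conditional) tuples outside the allow-list.
    missing: allow-listed roles the member does not hold directly.
    Group bindings are not followed; the policy alone cannot resolve them.
    """
    held, excess = set(), []
    for binding in policy.get("bindings", []):
        members = set(binding.get("members", []))
        via = member if member in members else next(iter(sorted(members & BROAD)), None)
        if via is None:
            continue
        role = binding["role"]
        if via == member:
            held.add(role)
        if role not in allowed:
            excess.append((role, via, "condition" in binding))
    return sorted(excess), sorted(allowed - held)


if __name__ == "__main__":
    excess, missing = audit_member(SAMPLE_POLICY, SA)
    for role, via, conditional in excess:
        print(f"EXCESS  {role} via {via}" + (" (conditional)" if conditional else ""))
    for role in missing:
        print(f"MISSING {role}")
```

Organization- and folder-level policies are inherited by the project and need the same check; this example looks at a single policy document only.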
How does TigerOps surface Cloud Armor Adaptive Protection events?
TigerOps monitors the network_security.googleapis.com/cloud_armor metrics namespace and integrates with Cloud Logging to capture Adaptive Protection threat analysis logs. When Adaptive Protection fires an event, TigerOps creates an incident with the attack details and suggested rule.
Can TigerOps alert when a Cloud Armor rule is blocking legitimate traffic?
Yes. TigerOps can be configured to alert when block rates for specific rules exceed a threshold that suggests false positives. By correlating block rate spikes with application error rate increases and monitoring rule match counts, TigerOps helps identify overly aggressive WAF rules.
Does TigerOps support Cloud Armor Enterprise tier features?
Yes. TigerOps monitors Cloud Armor Enterprise features including named IP lists, advanced rate limiting, bot management events, and DDoS attack telemetry. Enterprise-tier metrics are collected via the same Cloud Monitoring API integration.
How does TigerOps correlate Cloud Armor blocks with application health?
TigerOps links Cloud Armor block events with backend service metrics from GCLB and application-level error rates from Cloud Monitoring. During a DDoS event, TigerOps shows you the block rate, the volume of requests reaching your backend, and the impact on your application response times in a single view.
See Every Attack Cloud Armor Stops — and Everything That Slips Through
WAF rule monitoring, adaptive protection alerts, and DDoS impact correlation for Cloud Armor. Connect in minutes.