Google Cloud Armor is a service that helps protect infrastructure and applications from Layer 3/Layer 4 network or protocol-based volumetric distributed denial-of-service (DDoS) attacks, volumetric Layer 7 attacks, and other targeted application attacks.
Assuming you have Traefik Proxy running and want to enable protection with Cloud Armor, here are some of the ways it can be configured. If you haven't installed Traefik Proxy yet, check out my previous post or the official docs.
In order to use Cloud Armor, the traffic must be served through Cloud Load Balancing.
All projects that include HTTP(S) Load Balancing, TCP Proxy Load Balancing, or SSL Proxy Load Balancing are automatically enrolled in Google Cloud Armor Standard. Learn more about managed protection
The Cloud console shows the protection plan once you have a load balancer configured.
The following approaches only show the Cloud Armor configuration; TLS, a reserved IP and domain binding for a production setup are not covered here.
If Traefik Proxy is installed in GKE
This approach is inspired by a community post.
The network flow would be something like this
The Ingress configuration would look like this:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    # required here because we have two ingress controllers installed
    kubernetes.io/ingress.class: gce
spec:
  defaultBackend:
    service:
      name: traefik
      port:
        number: 80

Port 80 is used here because Traefik exposes port 80 within the cluster.
If Traefik Proxy is installed elsewhere
If Traefik Proxy is installed elsewhere (another cloud, a VM or your own server), Cloud Armor can be configured with an internet network endpoint group, also known as a custom origin.
The network flow would be something like this
Simple benchmark
Notice that the approaches above add an extra layer of network forwarding; let's find out how large the resulting performance drop is in percentage terms.
To make a comparison, I deployed a hello world Go HTTP server and tested against it.
Source code is available at cncf-demo/traefik-cloud-armor
Cloud Armor with one policy (XSS protection) is enabled.
Note that I am running the test on a local terminal, so the factor of internet speed is ignored. The benchmark is run with k6 using k6 run bench.js
Here is the result:

| Type | Avg RPS | Avg latency | Request count |
|---|---|---|---|
| Cloud Armor GKE | 735.45 | 67.78ms | 44139 |
| Cloud Armor custom origin | 718.10 | 69.41ms | 43098 |
| Traefik | 2275.47 | 21.70ms | 137234 |
| Service type LoadBalancer | 1088.92 | 45.51ms | 65673 |

We can see that there is some performance penalty with Cloud Armor enabled, but the protection may be worth it if you consider the performance drop acceptable. It depends on what you are trying to achieve.
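To put a number on the penalty the table implies, here is an added Python script (not part of the original post or the cncf-demo repository) that reads one k6 --summary-export JSON file per setup and reports throughput drop and latency increase against direct Traefik access. The embedded summaries are constructed from the table above, and the field names assume k6's legacy --summary-export layout.

```python
"""Compare k6 runs of the setups benchmarked above against a baseline.
Each run's JSON comes from `k6 run --summary-export=<file> bench.js`
(assumed legacy layout: metrics.http_reqs.{count,rate}, metrics.http_req_duration.avg)."""
import json

# Constructed sample summaries, reduced to the fields this script reads,
# carrying the figures from the benchmark table above.
SAMPLE_SUMMARIES = {
    "Cloud Armor GKE": {"metrics": {"http_reqs": {"count": 44139, "rate": 735.45},
                                    "http_req_duration": {"avg": 67.78}}},
    "Cloud Armor custom origin": {"metrics": {"http_reqs": {"count": 43098, "rate": 718.10},
                                              "http_req_duration": {"avg": 69.41}}},
    "Traefik": {"metrics": {"http_reqs": {"count": 137234, "rate": 2275.47},
                            "http_req_duration": {"avg": 21.70}}},
    "Service type LoadBalancer": {"metrics": {"http_reqs": {"count": 65673, "rate": 1088.92},
                                              "http_req_duration": {"avg": 45.51}}},
}


def load_summary(path):
    """Load one k6 --summary-export file from disk."""
    with open(path) as fh:
        return json.load(fh)


def extract(summary):
    """Pull average RPS, average latency (ms) and request count out of a summary."""
    m = summary["metrics"]
    return {"rps": m["http_reqs"]["rate"],
            "latency_ms": m["http_req_duration"]["avg"],
            "requests": m["http_reqs"]["count"]}


def penalty(baseline, run):
    """Throughput drop and latency increase of `run` relative to `baseline`, in percent."""
    return {"rps_drop_pct": round((1 - run["rps"] / baseline["rps"]) * 100, 1),
            "latency_increase_pct": round((run["latency_ms"] / baseline["latency_ms"] - 1) * 100, 1)}


def compare(summaries, baseline="Traefik"):
    """Return {setup: metrics plus penalty vs the baseline setup} for every setup."""
    runs = {name: extract(s) for name, s in summaries.items()}
    base = runs[baseline]
    return {name: {**r, **penalty(base, r)} for name, r in runs.items()}


def format_table(results):
    """Render the comparison in the same pipe-table style as the post."""
    rows = ["| Type | Avg RPS | Avg latency | RPS drop | Latency increase |", "|---|---|---|---|---|"]
    for name, r in results.items():
        rows.append(f"| {name} | {r['rps']:.2f} | {r['latency_ms']:.2f}ms | "
                    f"{r['rps_drop_pct']:.1f}% | {r['latency_increase_pct']:.1f}% |")
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_table(compare(SAMPLE_SUMMARIES)))
```

To use it on real runs, replace SAMPLE_SUMMARIES with a dict of load_summary(path) results, one per setup.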