Google Cloud Technical Brief

As data and applications move to GCP, so does the threat of web attacks such as SQL injection, cross-site scripting (XSS), hacking attempts, bad bots and application-layer DDoS floods. While GCP includes a number of basic security features such as data encryption, authentication and vulnerability scanning, it still recommends using a specialized solution for protection against web attacks, bots, and application-layer DDoS.

Incapsula protects Google-hosted applications from all web and DDoS attacks, filtering out malicious traffic before it reaches Google Cloud Platform. Incapsula can be deployed in a few minutes, and once configured, automatic daily updates of bot signatures and reputation lists offload the burden of learning and configuring security rules from your staff.

Protection for all environments

Incapsula covers any deployment model for GCP, including hybrid cloud environments. Clients that are migrating to GCP make a simple DNS change to enable their GCP deployments to benefit from the same level of protection as their existing on-premises deployments. Incapsula gives clients the ability to apply a consistent security model across their entire infrastructure: on premises, private cloud and public cloud.

[Figure: Legitimate Traffic passing through the Incapsula Network to an On-Premises Server, the GCP Load Balancer, and Website or Application VMs on Google Cloud Platform (Use Cases #1, #2 and #3)]
Here are 3 common examples of how Incapsula secures and protects GCP users:

Use Case 1: With Google Load Balancer

Incapsula complements Google security services by providing an additional layer of protection in front of the traffic before it reaches GCP. After Incapsula is deployed, attacks are mitigated before they can reach the GCP servers.

To start, Google provides an IP address that can be found on the Load Balancing control panel.

[Figure: Google provides GCP load balancer IP address]
To begin the configuration process with Incapsula, it is necessary to create a DNS entry mapping the hostname to the GCP load balancer IP address (provided by Google) on the Cloud DNS control panel.

[Figure: User creates DNS entry mapping hostname to GCP Load Balancer IP]

Once the mapping exists in the DNS zone file, Incapsula will pull the load balancer IP address by performing an NS lookup on the load balancer DNS entry.

[Figure: Incapsula pulls the GCP load balancer IP]
Once a site is successfully provisioned on Incapsula, it is assigned a unique CNAME record that is used both for pointing traffic to the Incapsula network and also to identify the Incapsula site when multiple applications point to the same site.

[Figure: All Incapsula sites are assigned a unique CNAME]
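A check for the DNS cutover described above, as an added example that is not from the original brief: it scans a zone for hostnames that still resolve straight to the load balancer IP instead of going through the Incapsula CNAME. The zone data, the `203.0.113.10` address, the `lb` origin entry name and the `incapsula-cname.example` suffix are constructed placeholders.

```python
# Constructed zone data; every name and address here is a placeholder.
ZONE = """\
www      300 IN CNAME site1.incapsula-cname.example.
shop     300 IN CNAME www
api      300 IN A     203.0.113.10
lb       300 IN A     203.0.113.10   ; load balancer DNS entry Incapsula looks up
legacy   300 IN CNAME lb
static   300 IN CNAME cdn.other-provider.example.
"""
ORIGIN = "example.test."
LB_IP = "203.0.113.10"                          # placeholder GCP load balancer IP
PROTECTED_SUFFIX = ".incapsula-cname.example."  # placeholder for the assigned CNAME
ORIGIN_ENTRY = "lb"                             # assumed name of the origin entry

def fqdn(name, origin=ORIGIN):
    """Expand a relative zone-file name to a lower-case absolute name."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return {owner: (rtype, value)} for the A and CNAME records in text."""
    records = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop trailing comments
        if len(fields) == 5 and fields[3] in ("A", "CNAME"):
            owner, _ttl, _cls, rtype, value = fields
            records[fqdn(owner)] = (rtype, fqdn(value) if rtype == "CNAME" else value)
    return records

def classify(host, records, max_hops=8):
    """Follow the CNAME chain from host and report where traffic ends up."""
    name = fqdn(host)
    for _ in range(max_hops):
        if name.endswith(PROTECTED_SUFFIX):
            return "protected"
        rtype, value = records.get(name, (None, None))
        if rtype != "CNAME":
            return "direct-to-origin" if (rtype, value) == ("A", LB_IP) else "other"
        name = value
    return "loop"                                # CNAME chain never terminated

def audit(text=ZONE):
    """Classify every owner name; the origin entry itself is expected."""
    records = parse_zone(text)
    return {n: "origin-entry" if n == fqdn(ORIGIN_ENTRY) else classify(n, records)
            for n in records}
```

Names reported as `direct-to-origin` (here `api` and `legacy`) send traffic to the load balancer without passing through the Incapsula network.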
Use Case 2: Hybrid deployments

Incapsula sits in front of all client applications, whether in GCP, in existing on-premises data centers, or in other cloud environments. As a result, the client gets a single application to monitor and enforce policies across all deployments. This ensures security policies are identical between GCP and the client's on-premises deployments, making migration of security architecture to GCP as simple as making a DNS change.

[Figure: Incapsula can load balance across hybrid GCP deployments]

In addition, GCP websites using Incapsula Website Protection for hybrid deployments are protected from any type of DDoS attack, including both network (layer 3 and 4) and application (layer 7) attacks.
Use Case 3: Without Google Load Balancer

Clients can also use Incapsula DDoS Protection and Web Security services with Incapsula layer 7 load balancing by pointing their DNS settings to the Incapsula CNAME.

[Figure: Clients can use Incapsula Load Balancer by pointing their DNS settings to Incapsula CNAME]
Incapsula Load Balancer distributes user requests among origin data centers and/or GCP alias names to achieve optimal performance and response time. In addition, it helps ensure high availability in the case of a malfunctioning server or data center by routing traffic to a healthy server.

[Figure: Incapsula Load Balancer distributes traffic across multiple GCP instances]
In all use cases, Incapsula provides security and acceleration at the web application level by mitigating all types of attacks in real time, before they reach GCP.

[Figure: Incapsula dashboard shows traffic security events in real-time]