Overview

Google Cloud Armor is the primary security layer protecting all ecommerce sites hosted on our platform. Built on Google’s global edge network, it helps stop DDoS attacks, malicious bots, and common web-based threats before they reach your servers. This reduces load, improves site reliability, and keeps legitimate traffic flowing even during attack conditions.

Global, Edge-Level Protection

Cloud Armor filters traffic at Google’s worldwide edge locations. This ensures:

• Low latency for real customers

• High-capacity absorption of malicious traffic

• The same underlying DDoS defenses used by Google’s own services

Always-On DDoS Mitigation

Your site automatically benefits from Google’s global DDoS protection, which blocks volumetric and protocol-level attacks. Cloud Armor adds Layer 7 (application-level) rules to detect and stop suspicious or abusive request patterns.

Cost-Effective, Fully Managed

Cloud Armor requires no hardware, updates, or maintenance from you. Threat intelligence and rule updates are handled by Google and integrated directly into our hosting infrastructure.

Advanced Bot & Fraud Protection

Bot Management

Cloud Armor evaluates behavior patterns to distinguish legitimate users, harmless bots (e.g., search crawlers), and malicious automation. This helps protect against:

• Credential stuffing

• Excessive scraping

• Inventory hoarding and checkout bots

We can pair Cloud Armor with reCAPTCHA Enterprise for enhanced bot scoring and challenge workflows when needed.

Carding Attack Mitigation

For ecommerce stores, Cloud Armor helps reduce fraudulent payment attempts through:

• Rate limiting (restricting checkout attempts per IP/session)

• Geo-blocking for regions you don’t serve

• Adaptive protection that reacts to abnormal traffic spikes

• Preconfigured WAF rules tuned for common fraud patterns

Stopping attacks at the edge also helps avoid unnecessary payment gateway fees.

Web Application Firewall (WAF)

Cloud Armor includes a WAF with rule sets based on the OWASP Top 10, protecting your site from:

• SQL injection

• Cross-site scripting (XSS)

• Local/remote file inclusion

• Malformed or malicious requests

We can also create custom rules such as:

• IP allowlists/denylists

• Header filtering

• URL path restrictions

• Per-endpoint rate limiting

These policies can apply globally or to specific site areas (e.g., admin pages, APIs).

Threat Visibility & Monitoring

Our team monitors Cloud Armor dashboards that show:

• Blocked attack attempts

• Traffic anomalies

• Geographic trends

• Request types and WAF hits

All decisions are logged for analysis, troubleshooting, and compliance reporting.

Cloud Armor vs. Cloudflare

Both Cloud Armor and Cloudflare offer DDoS protection, WAF rules, bot filtering, and access controls.

However:

• Cloud Armor is deeply integrated into our Google Cloud hosting stack

• No proxy configuration is required

• Performance is optimized because protection is applied directly at Google’s edge

For most hosted sites, Cloud Armor provides all needed protection without Cloudflare.

When Cloudflare May Still Be Needed

You should keep the Cloudflare proxy enabled if you use:

• Cloudflare Workers or Pages

• Cloudflare-specific integrations

• Features Cloud Armor does not replicate

If there are specific requirements that Cloudflare meets for you that you need Cloud Armor to replicate, please reach out to our team to discuss further.

Getting Started

Cloud Armor protection is already active for every hosted ecommerce site. No setup is required, aside from ensuring your domain's DNS records are configured properly. Please reach out to the support team for review and confirmation..

For questions or security requests, contact our support team or your account manager.